February 2023 Newsletter – Remote and Hybrid Working

Welcome to the February edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to make you a better-informed consultant.

In This Edition:

  • Client Insight
  • 2023 Security Predictions
  • Can’t Pay, Won’t Pay
  • Double Trouble For Gadget Makers
  • Breach Report Rules Tightened
  • Best Of The Rest

Client Insight

Each month we ask our clients what’s on their minds and what it means for candidates.

This month we’ve heard a lot of chatter about remote and hybrid working. By this point many people assumed office working would be back in full force, but it appears the genie is out of the bottle. Employers and employees alike know the argument that remote working simply doesn’t work has been exposed.

The pattern brings a new front in the battle against cybercrime, with any flaws in access management or cloud configuration both presenting targets. It wouldn’t be surprising to see remote and hybrid computing become a specialism for cybersecurity experts, with technical knowledge not the only requirement. Professionals will also need to understand the unique human challenges of protecting people working from home or on the move.

2023 Security Predictions

As usual, tech experts have been dusting off their crystal balls to predict what 2023 will bring the world of cybersecurity. These are the most common themes:

  • High-tech solutions to supply chain problems will create new cybersecurity risks.
  • Scammers will do a better job of making bogus social media accounts credible, making social engineering easier.
  • Biometrics will become the norm for financial account logins.
  • Cyber Insurance policies will have tougher terms and conditions.
  • Russia and China will orchestrate even more state-sponsored attacks, particularly if Russia’s military continues to struggle.
  • Data privacy laws, including rules on securing data, will be on the table in state and national legislatures.

But a few brave souls have put their necks out to make some more outlandish predictions:

  • Deepfake videos could be used for scams with victims tricked by fake videos of their bosses. (Vulcan Cyber’s Mike Parkin.)
  • The “metaverse” will become a new target for cybercrime. (Forbes) 
  • A successful attack will “wipe out Internet access for entire continents.” (Ivanti’s Daniel Spicer.)

Can’t Pay, Won’t Pay

Ransomware victims are increasingly likely to refuse to pay attackers to recover their files, a new study says. But it may lead to a change in tactics rather than attackers quitting the “industry”.

Researchers at Chainanalysis put together an annual estimate of how often and how much victims pay in ransoms. They produce the figures by monitoring blockchain addresses known or suspected to be used by ransomware scammers. They say that 41% of victims paid in 2022, down from 50 percent in 2021 and a whopping 76 percent as recently as 2019.

It seems there are three possible explanations for the fall:

  • More and more organizations come under legal bans on paying ransomware attackers.
  • Insurers – who often stump up the cash for payouts – are tightening their conditions, for example by refusing to pay out on policies when businesses haven’t met security requirements.
  • Businesses may be doing a better job of disaster planning, not only making adequate backups but knowing exactly how they will restore data quickly enough to minimize disruption.

Unfortunately ransomware may not be disappearing as quickly as hoped. The drop in payment rates may simply drive the trend towards threatening to expose the victim’s data online, causing reputational and regulatory damage.

Double Trouble For Gadget Makers

Smart device manufacturers have come under attack on two fronts, with security questioned both immediately and in the long term.

The Washington Post took a worrying look at security and privacy issues at CES 2023 (previously known as the Consumer Electronics Show.) It quoted pressure groups condemning the data-handling practices and security protection with many of the high-tech devices on show. While such groups might not have the most objective view, it’s certainly true that the combination of storing excessive personal data and failing to secure it can have devastating results for a company’s reputation and bottom line.

Meanwhile Which? (roughly the UK equivalent of Consumer Reports) checked out security update timetables for smart home devices and found worrying news. Less than half of manufacturers were willing to even make promises for how long they’ll issue updates. Of those that did, many guaranteed update cycles were years short of the expected useful lifespan of the products. The group said it risks customers having to choose between disposing of working products too early (with financial and environmental consequences) or risking security with unpatched software.

Breach Report Rules Tightened

More firms operating in Europe will need to report security breaches and the requirements will be tougher under new rules. It could mean a bigger demand for cybersecurity experts, particularly those who specialise in real-time monitoring.

The changes are known as the NIS2 Directive and the CER Directive, both of which replace previous rules. For readers not familiar with the workings of European Union lawmaking, directives don’t have immediate legal effect. Instead each EU country must create and pass its own national law to introduce the new rules, meaning it may be a confusing picture for some time.

That said, the key changes are clear. The scope of who’s covered has expanded so it’s no longer a question of whether an organization itself is an “essential entity.” Instead the threshold is now “operators of essential services.” Some countries may define this very broadly, for example covering transport and handling of pharmaceuticals.

Affected firms must now make an “early warning” within 24 hours of a security incident, telling national authorities whether or not they suspect malicious action or if the effects could spread across national borders. They must then deliver an update within 24 hours and a full report within one month.

Best Of The Rest

Here’s our round-up of some of the other stories you need to know about: