As CISOs work to mitigate cyber risks posed to their businesses, pursuing the shift from detection and recovery to prevention has never been more important. Adenike Cosgrove, VP Cybersecurity Strategy EMEA at Proofpoint tells Intelligent CISO about ransomware, data loss prevention and why today’s top cybersecurity threats are people-centric.
Proofpoint’s 2023 State of the Phish Report highlights the ever-present danger ransomware now presents. How are CISOs currently addressing the ransomware pandemic and are their methods productive?
Ransomware is nothing new. It has been a significant threat to organisations around the world for some time now – and it continues to grow in volume. The statistics from Proofpoint’s State of the Phish report – the 2023 issue having just been published – show that 82% of UK organisations experienced an attempted ransomware attack in 2022, with 62% suffering a successful infection; yet only 33% regained access to their data after making the initial ransomware payment.
However, what was once a relatively straightforward threat is fast becoming increasingly complex. Traditionally, cybercriminals would force their way through perimeter defences, drop their malicious payload and demand a ransom to ‘fix’ the situation. This brute force method of attack was usually remedied by detection, containment and recovery. Essentially, systems would be shut down and backups restored.
Today, however, ransomware is much more sophisticated, targeted and further reaching. Rather than forcing their way in, cybercriminals will target users looking to compromise their credentials, trick them into making a mistake or convince them to launch a malicious attack against their employer.
To defend against this, cyber teams must shift left – earlier in the attack chain – moving away from detection and recovery and focusing on prevention and people. The detection and response approach to ransomware was understandable in the past. However, cybercriminals have changed tack and modern ransomware now often carries an extra sting in the tail, be that corporate espionage or data theft, making it very much a data loss prevention (DLP) issue.
What are the key priorities for IT security decision-makers when creating a holistic approach to data loss prevention?
There is no silver bullet for data loss prevention. However, one key focus area for CISOs today should be identity theft, which is a growing threat in today’s digital landscape. In fact, Proofpoint’s 2023 State of the Phish Report revealed that 43% of UK organisations reported credential theft and account compromise in 2022.
Threat actors now realise it’s more effective, faster and cheaper to steal credentials and log in than trying to hack through technical controls. Once they have siphoned access details from just one employee, they move laterally, stealing even more credentials, escalating privilege, compromising servers and endpoints, and downloading sensitive organisational data – it’s now far too easy for an attacker to turn one compromised identity into an organisation-wide ransomware incident or data breach.
The first step is to stop the initial compromise. This is where a robust email security strategy is crucial. From Business Email Compromise (BEC) attacks, cloud account takeover or cybercriminals using trusted third parties to compromise the organisation through their supplier, an initial email can lead to compromise. After initial compromise, they have access to your domain, giving them access to email accounts and the ability to commit fraud.
At this point, organisations need to implement technology to identify and respond to compromised users and remove what attackers need to complete their crime: privileged account access. A unique approach to identity threat detection and response (ITDR) will help organisations remediate privileged identity risks and understand the potential ramifications of compromise, such as access to critical data and intellectual property.
What are the drawbacks of trying to use legacy threat and data loss prevention solutions with today’s threat scenarios?
The challenge we face with legacy DLP solutions is that they are data-centric. They may understand the type of data, where it resides and how it moves, but this misses an important part of the puzzle – insights into behaviour and threat context. This leaves organisations struggling to formulate an adequate response to a compromised user or identity.
A modern DLP solution overcomes this issue by adapting its detection, prevention and response to a user’s risk level and to the sensitivity of the data that’s being accessed. This tailored approach is particularly important for insider threats, the cost of which has increased by 34% between 2020 and 2022, now standing at $15.38 million.
Legacy DLP may spot suspicious activity, but it provides no behavioural awareness before, during or after risky data movement. In other words, legacy tools can’t help you answer the full context of ‘who, what, where, when and why’ behind an alert – while they may identify the ‘who’, the alerts may be misleading and make it appear that it is a legit employee, whereas it could in fact be an external attacker who has gained control. The result is security teams overburdened with alerts, decisions made without factoring in risk and minimal insight into the complete picture.
Why are today’s top cybersecurity risks people-centric and can you give some examples of these types of attacks?
Cybercriminals have been targeting people for some time now. People are the key to access; threat actors know this and leverage them accordingly.
Let’s take ransomware as an example. Ransomware attacks frequently start with an email that includes an attachment or a link that downloads a malicious file. Cybercriminals want to get inside your organisation to collect data and understand the infrastructure before they launch their ransomware attacks – and they can do this by simply targeting your employees.
Another example is Business Email Compromise (BEC) attacks, which include phishing, email fraud and social engineering tactics. Cybercriminals are spoofing identities of trusted individuals and suppliers. They are sending simple emails without malicious links and focusing on social engineering to trick your people into wiring money or sending sensitive data. In fact, 86% of UK organisations reported an attempted BEC attack last year.
With email remaining the number one threat vector to organisations today, what can CISOs do to mitigate this risk?
Criminals are continually targeting humans to expose confidential data, compromise networks and even wire money – and email remains their vector of choice. Protecting against threats targeting employees’ inboxes requires a combination of people, process and technology.
The first critical step is to try to remove guesswork from employees and minimise the opportunity for mistakes. It’s imperative that all organisations place a priority on securing inboxes with advanced filtering and threat detection. Through a technical combination of email gateway rules, advanced threat analysis, email authentication and visibility into cloud applications, we can block the majority of targeted attacks before they reach employees.
But we can’t rely solely on technical controls because as we’ve seen, this is a people problem.
Security teams must adopt a people-centric approach, i.e. putting their people at the centre of their security operation, similar to how they are already at the centre of the cybercriminal’s activity. Employees should undergo regular and comprehensive cybersecurity awareness training that enables them to identify malicious emails and flag them to their security teams.
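The answer above lists email gateway rules and email authentication as the technical layer that stops most targeted mail before it reaches an inbox. The following is an added example of what such a rule set can look like in practice; it is illustrative code written for this article, not Proofpoint's product logic. It assumes an upstream MTA has already stamped an Authentication-Results header (SPF/DKIM/DMARC verdicts), an organisation domain of example.com, and a constructed executive display-name watchlist; the three sample messages are likewise constructed for the example. It combines the authentication verdict with two of the BEC patterns described earlier in the interview (executive display-name spoofing from an external address, and a Reply-To that redirects replies elsewhere) and returns a deliver/quarantine decision with the reasons, which is what a security team needs to triage the alert.

```python
"""Added example: a simplified inbound email gateway rule set combining
SPF/DKIM/DMARC authentication results with BEC-style sender checks."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed organisation domain and a constructed executive watchlist (placeholders).
INTERNAL_DOMAIN = "example.com"
EXEC_DISPLAY_NAMES = {"jane doe", "john smith"}


def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header
    (e.g. 'mx.example.com; spf=pass ...; dmarc=fail header.from=...')."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", header or "")}


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def evaluate(raw_message):
    """Return (verdict, reasons) for one RFC 5322 message as seen at the gateway."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    reasons = []

    # Rule 1: mail claiming to come from our own domain must pass DMARC;
    # a failure here is the classic spoofed "internal" sender.
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        reasons.append("internal sender failed DMARC (likely spoofed)")

    # Rule 2: a known executive's display name on an external address
    # (lookalike or free-mail domain) is a BEC impersonation pattern.
    if display_name.strip().lower() in EXEC_DISPLAY_NAMES and from_domain != INTERNAL_DOMAIN:
        reasons.append("executive display name on external address")

    # Rule 3: Reply-To pointing at a different domain than From diverts the
    # conversation away from the (possibly legitimate) sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages (not real traffic).
SPOOFED_INTERNAL = """From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=evil.test; dkim=none; dmarc=fail header.from=example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LOOKALIKE_EXEC = """From: "Jane Doe" <jane.doe@example-corp.test>
Reply-To: <j.doe@mail.test>
To: finance@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.test; dkim=pass; dmarc=pass header.from=example-corp.test
Subject: Quick favour

Are you at your desk?
"""

LEGIT_SUPPLIER = """From: "Supplier Billing" <billing@supplier.test>
To: finance@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.test; dkim=pass; dmarc=pass header.from=supplier.test
Subject: Invoice 1042

Invoice attached as agreed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed internal", SPOOFED_INTERNAL),
                       ("lookalike exec", LOOKALIKE_EXEC),
                       ("legit supplier", LEGIT_SUPPLIER)):
        verdict, reasons = evaluate(raw)
        print(f"{label:16} -> {verdict} {reasons}")
```

The rules are deliberately coarse: a real gateway would also weigh reputation, attachment analysis and the user's risk profile, as the interview notes. The point of the example is that the DMARC verdict alone would have let the lookalike-domain message through (it authenticates perfectly for its own domain), which is why the sender-context rules sit alongside authentication rather than replacing it.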
How can organisations build a reliable security culture that drives behavioural change?
People risk is an increasing concern. According to Proofpoint’s 2023 Voice of the CISO report, there is an increase in the number of UK CISOs who view human error as their organisation’s biggest cyber vulnerability—78% in this year’s survey vs. 65% in 2022.
To educate their users, and with the best intentions, many organisations provide one or two hours of security awareness training annually. But this limited approach lacks staying power. It doesn’t promote lasting changes in behaviour. And it doesn’t instil the kind of security mindset that can transform your biggest attack surface into a critical layer of defence.
When an organisation has a sustainable security culture, employees feel that they and their co-workers are responsible for acting to prevent security incidents. They understand why cybersecurity is important. And importantly, they feel empowered to act—and comfortable reaching out to the security team when they see something suspicious or make a misstep.
Adenike Cosgrove – Bio
Adenike Cosgrove is VP Cybersecurity Strategy EMEA at Proofpoint. Prior to joining Proofpoint, Ms. Cosgrove was global product marketing lead for Email Fraud Protection at Return Path, a division acquired by Proofpoint in the summer of 2016. Earlier in her career, Ms. Cosgrove worked as a lead EMEA advisor to security and risk professionals for Forrester Research and Canalys, where she developed a deep understanding of CISO challenges, and helped clients with their cybersecurity strategies.
Ms. Cosgrove is a regular speaker at key conferences including the Gartner Security & Risk Management Summit in the US and Japan, the Fortune Brainstorm conferences, the Evanta CIO Executive Summit, it-sa Germany, ISMS Spain and Hacking Human Nature live. Ms. Cosgrove’s subject matter expertise has also been featured in The BBC, Business Reporter, Computer Business Review, Computing, Forbes, Intelligent CISO, SC Magazine UK, The Telegraph, GovInfo, and iTWire. Recently recognised as one of the UK’s Most Inspiring Women in Cyber 2020, Ms. Cosgrove was also named a finalist at the Computing Security Excellence Awards 2020 in the Security Woman of the Year category.