How enterprises can stay ahead of risks, threats and potential attacks [Q&A]

How enterprises can stay ahead of risks, threats and potential attacks [Q&A]

Risk dial

Businesses are engaged in a constant cat-and-mouse game with hackers, attackers, and bad actors in order to stay secure.

Dominic Lombardi, VP of security and trust at Kandji believes that in order to stay ahead it’s necessary to master basic IT and security hygiene, update and communicate your risk register, and work steadily toward a zero-trust security model. We spoke to him to discover more.

BN: It’s been said the human element is the next organization versus hacker battleground, why is this and what comes next?

DL: Malicious threat actors always look for the weakest link, the chink in the armor. Last year, we saw more unique attacks focused on bypassing the weakest link within standardized security controls. The weakest link? The human element. Many of these security incidents were related to multi-factor authentication (MFA) spamming, in which MFA requests were repeatedly sent to people until a link was clicked or exploiting a misconfiguration on publicly accessible resources. Meanwhile, cybercriminals have unleashed social engineering attacks aimed to disrupt organizations across different verticals and markets. During these attacks, an individual impersonates a customer and calls the company’s support desk. In the process, the attacker obtains valid account access. The organization’s lack of organizational-level security controls served as the attacker’s entry point, allowing them to gain a foothold in these environments.

In 2023, attackers will get more creative in their pursuits. Many of the security controls we put in place earlier are at risk of being bypassed due to human error. How do we ensure our security controls are fault tolerant? This starts with basic hygiene at a people, process, and procedural level. Work to build a proactive cybersecurity culture in which you document all ongoing processes — basically, all the validation steps that ensure you properly identify and authenticate a person’s identity, information, and account ownership.

BN: Risk register has come up a lot lately as a critical tool to maintaining a secure environment, how should organizations handle this in 2023?

DL: Your organization’s risk register should serve as a ‘what if’ manual that outlines current and potential security risks and how they could impact the organization. Organizations are facing constraints at all levels — budgets, personnel, and time — in 2023. Your risk register must catalog the various risk scenarios that face your business and provide visibility for your leadership teams to make more risk informed treatment plans.

Maturing organizations will double down on best practices, perform threat analysis, and continue to populate their risk register. The more visibility (and fewer cracks) you have, the less probability of unexpected negative outcomes. This involves maintaining a running asset inventory across your organization and mapping this inventory against security controls. Meanwhile, build out project plans to have a continuous rollout to fulfill some of the gaps. Think patch management, standardized configurations across servers, and a rigorous process for building, deploying, and maintaining new software. Remember that basic IT hygiene is 99 percent of the game.

BN: What is next for the CISO role? How important has this role become for enterprises?

DL: When it comes to cybersecurity, executive-level engagement is a must. That means the CISOs must take a seat at the C-level table (if they haven’t already) and stay there. Recently, with the Joseph Sullivan/Uber case, we saw the first criminal conviction of a CISO/CSO for failure to effectively disclose a breach. To prevent miscommunication and promote total transparency, any CISO who does not report directly into the CEO should demand that they do — immediately. To set themselves up for success, they should also ensure that the general counsel at their organization is in their ‘peer set’.

At the C-level table, the CISO can also (continuously) champion the risk register to ensure they receive needed resources to remediate and reduce risk on an ongoing basis. Not to mention executive buy-in for the appropriate resources to resolve high-priority items. Keep in mind that new threats, risks, and updates will always populate your risk register. It is critical to actively work to remediate against this list; this prevents risks from escalating and becoming more complicated.

BN: IT and InfoSec continue to move following their own agendas, can security become more of a ‘team sport’?

DL: Traditionally, IT and InfoSec teams within an organization pursued their own agendas. InfoSec secured the company and its users, while IT enabled people within the organization to work efficiently and effectively. InfoSec and IT teams must work more collaboratively to reduce the gap between identifying and addressing issues.

In many organizations, IT admins are joining the security team, as today’s global, decentralized workplace has broadened IT’s responsibilities within the enterprise. IT admins have become a key part of the security organization, with 34 percent of Fortune 500 companies rolling the IT department into the CISO’s purview in 2021. This percentage was close to 80 percent in startups and emerging technology companies. As more enterprise companies follow the lead of modern SaaS and technology organizations, the next task will be creating (and using) the best tooling to bridge the gap between these two core competencies. How do you adjust for the overlap and enable bidirectional communication and collaboration?

BN: Zero trust seems to be a priority, especially as it pertains to the hybrid office, how should security organizations employ zero trust methods in the coming year?

DL: Security teams have been talking about the zero-trust cybersecurity approach for a few years. It used to be ‘trust but verify’. The new zero trust — in a workplace filled with multiple teams, multiple devices, and multiple locations — is ‘check, check again, then trust in order to verify’. Basically, organizations must validate every single device, every single transaction, every single time — always.

Only six percent of enterprise organizations have fully implemented zero trust, according to a 2022 Forrester Research study. The complex and disparate workplace environments that are so common now make it difficult to adopt zero trust — at least all at once. This does not mean organizations are not slowly rolling out zero trust across their environments and assets.

It would be easy when a company only has a limited number of environments. However, if you are using AWS, Azure, and GCP with an on-premises instance along with a private cloud where you are running virtualization through VMware — that will take some time to uniformly roll everything out. Yes, companies are working towards zero trust, but it will take a bit longer than people like. As we all continue to embark on the zero-trust journey, we will see new solutions for complex problems companies are experiencing on premise and in public and private clouds.

Photo Credit: Olivier Le Moal / Shutterstock

US and UK are the countries most attacked by ransomware

US and UK are the countries most attacked by ransomware


In the 12 months from April 2022 to March 2023 the US and UK were the countries that suffered the most ransomware attacks.

However, the latest Malwarebytes ransomware report shows that the USA suffered a little over seven times more attacks in the last twelve months than the UK. It’s perhaps not a coincidence that the USA’s economic output, measured by gross domestic product (GDP), is also about seven times larger than the UK’s.

Indeed if you look at the number of attacks per $1 trillion of GDP both countries are almost identical at around 50 attacks per $1T. Measured on this basis Canada tops the list at 66 attacks per $1T followed by Spain on 55.

If you look at attacks per capita the USA tops the list, followed by Canada, Australia and the UK. All English-speaking nations, which suggests ransomware in other languages offers less reward.

The UK has seen the education sector become a particular target in the last year. Education was the target in 16 percent of known attacks in the UK, but only four percent in France and Germany, and seven percent in the USA. One of the main reasons for this is Vice Society, a dangerous ransomware group with a particular appetite for the education sector.

“Within the UK, the education sector was disproportionately affected,” concludes the Malwarebytes Threat Intelligence Team. “It suffered far more known attacks than education in France or Germany, and accounted for a much higher proportion of known attacks than education did in the USA. The vulnerability of the education sector was exposed by Vice Society, a ruthless ransomware gang with an outsized appetite for education targets. In the last 12 months, Vice Society was as active in the UK as it was in the USA. While LockBit remains the most dangerous ransomware in the world for almost all sectors in almost all countries, in the cash-strapped UK education sector Vice Society is the most dangerous predator.”

You can read more on the Malwarebytes blog.

Image credit: Niyazz / Shutterstock

Attacks on healthcare organizations increase 90 percent

Attacks on healthcare organizations increase 90 percent

There has been a 90 percent increase in the number of healthcare organizations targeted by cyber-attacks, in comparison with the first quarter of 2022.

The latest cyber threat Landscape report from Kroll finds that while phishing continues to be the vector used for initial access, there has been a vast increase in external remote services (such as VPNs and RDP environments) being compromised, up 700 percent.

“It is concerning to see healthcare rise so dramatically up the most targeted industry list, at a time when services are undoubtedly still under pressure as they recover from the strained environment caused by COVID-19,” says Laurie Iacono, associate managing director for cyber risk at Kroll. “Ransomware is always disruptive, but its ability to grind company operations to a halt, becomes more significant in an environment where business continuity means saving lives. The legacy of the pandemic can perhaps also be seen in the vulnerability of external remote services. In Q2, we saw many ransomware groups take advantage of remote environments by using security gaps in those tools to compromise networks. All organizations — and especially those in healthcare — would do well to test the resilience of their external remote services and preparedness for ransomware in light of this latest report.”

Specific threats noted include, in April, Emotet’s binaries switching from a 32-bit to a 64-bit architecture, and developers experimenting with password protected email delivery methods with embedded ZIP files.

Healthcare has overtaken professional services as the top targeted sector in Q2, accounting for 21 percent of all Kroll cases, compared to only 11 percent in Q1 of this year. Common threat incident types impacting the healthcare sector include ransomware (33 percent), unauthorized access (28 percent) and email compromise (28 percent).

There’s also been a rise in the use of double extortion tactics, where actors exfiltrate data prior to network encryption and then threaten to leak the stolen data as leverage during negotiations.

You can read more on the Kroll site.

Image credit: scanrail/