Emerging Cyber Risks in the US & UK

Organizations like the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) regularly publish reviews about the general state of preparedness of businesses in regards to cyber attacks in the US and UK. Their goal isn’t to be alarmist but rather to educate business leaders and teams about the emerging cyber risks they face and the practical steps they can put in place to mitigate them. Typically, this guidance echoes the advice offered by information security teams within the organizations, and it helps validate many business cases for investing more heavily in cyber security projects and cyber risk management initiatives.

CISA’s Cyber Risk & Vulnerability Assessments Review

CISA recently reviewed its FY2021 Risk and Vulnerability Assessments, which covered risk and vulnerability assessments (RVAs) for 112 organizations in the US Federal Government and the private sector. This RVA review highlighted some of the models that malicious actors use to attack and exploit networks, including, initial entry, attack execution, persistence, privilege escalation, and exfiltration. It also highlights the impact on businesses and provides practical steps for each aspect that companies can take to address the issues.

In the FY2021 review, the critical risks that CISA flagged included phishing attacks and the widespread use of default security credentials. The analysis stressed the need for regular education about phishing attacks and the use of strong passwords, which are regularly changed. The report also highlighted the need to review intrusion techniques regularly so that when incidents occur using new techniques, organizations can respond swiftly. Other issues highlighted the need to change default passwords, update and patch software regularly, as well as find and fix open ports.

UK NCSC’s Cyber Security Threats Report

These sentiments were echoed in a recent UK NCSC Report, highlighting the particular risks involving enterprise connected devices (ECDs). ECD devices include laptops, smartphones, and enterprise Internet of Things (IoT) devices that are physical devices – think fridges, smoke detectors, cameras, and presence detectors, for example – which contain network connectivity capabilities that allow them to be controlled remotely. ECDs are popular as they offer management flexibility and efficiency savings to many working environments.

However, while popular, ECDs can pose a significant security risk, given the lack of understanding amongst most employees of the security risks involved, and the lack of visibility of these devices across an office estate. The NCSC report highlighted many of the threats ECDs offer. Hackers use them as a starting point to access other, more secure, systems. The lack of visibility of IoT devices and the use of default security settings means they are suitable for lateral attacks into other systems that can lead to data theft or ransomware attacks, for example. The use of these devices in a company’s supply chain also represents a threat, where even if a company has tight ECD policies and controls itself, it can be the case that its suppliers do not.

This situation highlights the problem businesses face regarding how best to respond to cyber risks, impacting both the organization and third-parties, when resources and costs remain constrained.