Increases in B2B fraud, cyber insurance complacency, and governance gaps in the work-from-anywhere model are among the top cybersecurity threats faced by businesses in 2022, according to a report released Tuesday by Forrester.
On the B2B fraud front, the company noted that fraudsters are increasingly not just impersonating people, but creating shell organizations and firms to defraud financial institutions, insurers, e-commerce retailers, car manufacturers, healthcare providers, and others.
These shell organizations then “employ” fraudsters who defraud primarily victim financial institutions, it continued. This scheme is not only relevant in fraud but also in money laundering, making the lives of investigators and compliance departments even more difficult.
“While these schemes have been around for at least a decade,” it explained, “we see fraudsters transitioning to B2B modes of operation at a much larger scale than before, as firms improve their B2C fraud protections.”
“The move from impersonating individuals to creating fake organizations is an evolutionary step in this type of fraud,” Tim Erlin, vice president of product management and strategy at Tripwire, a cybersecurity threat detection and prevention company, in Portland, Ore., told TechNewsWorld. “It will require evolutionary changes in security controls to mitigate the threat as well.”
Increases in B2B fraud are related to how businesses do business with each other, added Bojan Simic, CEO of Hypr, a passwordless solution company in New York City. “Traditionally,” he told TechNewsWorld, “there hasn’t been that much emphasis, in terms of cybersecurity, between companies to make sure that the businesses that they’re dealing with have proper controls in place.”
No Substitute for Security Controls
In the insurance domain, Forrester explained that growth in ransomware attacks starting in 2019 and a train of supply chain incidents in 2021 led companies to purchase or increase their cybersecurity coverage.
As losses mounted from the policies, carriers scrambled to tighten up their underwriting policies, as well as bumping up premiums by an average of 25% and, in some cases, removing coverages for certain kinds of attacks. That led to an awakening in boardrooms.
“What security leaders have long known but senior executives and boards are just now learning is that, without a risk mitigation strategy and investment in security program maturity, relying on cyber insurance alone is a threat to the organization,” Forrester noted.
“Cyber insurance is a protection tool, but organizations often feel it is their get-of- jail-free card,” observed James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Being involved in a cyberattack that leads to a breach or leak of data can damage an organization’s brand and reputation, leading to loss of profits and eventually someone losing their job,” he told TechNewsWorld.
Chris Hills, chief security strategist for BeyondTrust, a maker of privileged account management and vulnerability management solutions, said there was a time prior to Covid that cyber insurance was being used as a stop-gap for lack of proper security controls. But today, with the adoption of the Ransomware Supplemental Addendum/Application (RSA), brokers are holding businesses accountable for their security controls.
“If companies cannot provide and prove positive responses in the nine categories outlined in the RSA, brokers won’t even respond with a quote,” he told TechNewsWorld. “Businesses are now having to prove more so today than two years ago what they are doing in terms of security controls to even keep their current cyber insurance or obtain new coverage.”
Era Drawing to Close
Garret Grajek, CEO of YouAttest, an identity auditing company, in Irvine, Calif. agreed that cyber insurance is not an alternative to proper IT security practices.
“In fact,” he told TechNewsWorld, “insurance is moving in the direction of an enforcer of improved practices and procedures around identity and network security. Enterprises either have to improve their governance on their IT resources and data or expect to be walking solo when a hack occurs. The days of cyber insurance covering poorly managed IT security practices are quickly drawing to a close.”
“Insurers are taking a much more active role in finding out how good a cyber risk a potential client actually is,” added Shawn Melito, chief revenue officer with BreachQuest, an incidence response company in Augusta, Ga.
“Those without MFA, segmented backups, employee training, IRP’s, endpoint monitoring or a number of other cybersecurity controls will find it very difficult to secure coverage,” he continued, “and that’s if you haven’t had a claim.”
“I have been hearing that organizations that have had issues in a previous year are finding renewal very difficult, which is unfortunate as most are in a better cyber-risk position post-incident,” he said.
Forrester also called out the work-from-anywhere trend as a major threat in 2022. It explained that an anywhere-work model presents an opportunity to create new kinds of sensitive data. This includes data that employees create and store in cloud services and applications that are both corporate sanctioned and unsanctioned.
It includes data in different formats, from files to communications over collaboration and messaging applications, the report continued. These digital conversations encompass chats, video, and audio calls. They’re also not necessarily ephemeral. It has never been easier for employees to record a virtual meeting, transcribe its contents and access messages that contain regulated data or sensitive corporate information.
“Organizations usually struggle to keep track of their data, and this is made worse in a work-from-home environment where corporate data could spread across the home network, making it very difficult to assess the risk of data leakage,” explained Snehal Antani, co-founder and CEO of Horizon3, an SaaS autonomous penetration testing company, in San Francisco.
“In addition,” he told TechNewsWorld, “threat actors are targeting not only the corporate VPN, but poorly secured home networking equipment and the social engineering of family members to gain initial access.”
“There is also an increased probability that home network credentials are reused across their Netflix or gaming accounts, leading to a much higher likelihood of credential attacks,” he added.
In its report, Forrester advised security pros that the days of using a breach or cybersecurity threat to get executive and board attention are over. If anything, security teams are getting distracted focusing on the latest news. It recommended that CISOs consider the greatest cybersecurity threats to their organizations based on key strategy, infrastructure, and business decisions.