In late October 2021, the European Union Agency for Cybersecurity (ENISA) published its Threat Landscape Report. Now in its ninth edition, this report should be considered the primary source material for IT professionals serious about addressing cyber threats and mitigating cyber risk.
This is true irrespective of whether you have a technical or corporate risk background. It’s a subject that could easily fill a book, but let’s focus instead on three issues raised by the report. Ignore them at your peril.
Email-related threats (that fool humans)
The report distinguishes between email-related threats that exploit weaknesses in the human psyche and our everyday habits, versus technical vulnerabilities in information systems. It’s fair to say that familiarity with awareness and training programmes was heightened in 2021 as unsavoury phishing training practices hit the headlines on both sides of the Atlantic.
In the UK, West Midlands Trains suffered significant public backlash for entrapping its staff with an email containing a lure that promised a bonus to staff for their loyalty and commitment throughout COVID-19. Change the location to the US, and the business involved to the Tribune Publishing Company and you can take a good guess at the headline in the New York Times.
The damaging headlines don’t end there, though. In other news related to education and training, Proofpoint finally agreed to transfer a series of disputed web domains to Facebook. Proofpoint’s phishing-awareness training platform ThreatSim had used facbook-login.com and facbook-login.net, as well as other lookalike domains related to Instagram. The decision to transfer the domains to Facebook was sensible, given the use had all the hallmarks of trademark infringement, but it does raise the question: if a training course can’t use lookalikes because of trademark infringement, then what purpose do such courses serve?
The answer to that question might well be contained in the insights shared by Professors Angela Sasse and Melanie Volkamer. Their work could save firms significant resources, both in time and money. They concluded that phishing training had only limited efficacy, and that even those benefits evaporated within days.
This insight is echoed in the latest ENISA report: “Despite the many awareness and education campaigns against these types of attacks, the threat persists to a notable degree”. In other words, phishing training isn’t materially benefiting businesses by providing long-term defensive measures.
Prime threats: only the names have changed
The second issue, which struck me as I was reading the report, was that while the names of cyber threats have changed over the years, the underlying problems remain the same.
To sense-check this proposition, I reviewed the reports dating back to 2012. In the 2020 report, ENISA identified nine prime threats, with the top two being ransomware and malware. From 2019 back to 2015, ransomware and malware were again reported as prime threats. So no change there, then.
In 2014, the two prime threats were ransomware and malicious code. Reading deeper, by malicious code it meant Trojans and worms, or what we today call malware. 2013? There were differences but they were again slight. ENISA warned about ransomware and included the terms “rogueware” and “scareware” and “malicious code: worms and Trojans”.
The previous year, 2012, the word ransomware wasn’t yet part of the lexicon of cyber threats; it was simply referred to as rogueware or scareware. Malware was simply worms and Trojans.
To put it simply, the story since 2012 remains the same. Only the names have changed.
This should give firms comfort: despite the widespread reports of novel threats or zero-day attacks, the prime threats to businesses continue to be the same as we’ve seen for the best part of the last decade.
Moreover, and perhaps most importantly, the key trends identified in the report place compromise through phishing emails and brute-forcing on remote desktop protocols (RDP) as the two most common ransomware infection vectors.
This shouldn’t be a shock. Ciaran Martin, Oxford University professor of government and formerly the founding executive and first CEO of the UK’s National Cyber Security Centre, has frequently been quoted as saying: “the problems we face are chronic and not catastrophic”.
Lessons to learn
So why is it important to establish that the threats are not novel but remain the same? There are two reasons at the very least. Firstly, directors have a duty to exercise reasonable care, skill and diligence.
This legal obligation can be found in the Companies Act in both the UK and Ireland, and it can also be found throughout the common law world contained in domestic legislation from Canada, Australia and New Zealand. The obligation exists in the US, but isn’t yet codified.
Civil law countries have a similar requirement. Germany adopted this duty of care into the AktG, the statute that governs companies listed on the stock exchange. It reads: “In managing the affairs of the company, the members of the management board are to exercise the due care of a prudent manager faithfully complying with his duties.”
The question that businesses, their board, shareholders and other stakeholders should ask is: are directors meeting their obligations to the company if they do not address the most significant known threats to their business?
Threats that, let’s be clear, businesses have been warned about year after year by trusted, independent experts. Threats that are more than reasonably identifiable; these threats are *easily* identifiable.
This brings me to the second reason why it’s important to establish that the threats aren’t novel but remain the same year on year. In the event of a cyber attack where business operations are disrupted, a company’s reputation is damaged due to leaks, or the share price suffers a shock on the news, a solid defence available for firms and their directors is that the threat was not reasonably identifiable.
The courts don’t expect directors to see around corners, but they do expect them to read the writing on the wall. This is all the more pressing when that writing has been on the wall since 2012. So, when a threat is reasonably identifiable the next question firms should ask is whether that threat is avoidable, perhaps by transferring or managing the risk?
Cyber insurance provided something of a safety net up until recently. The insurance sector, however, is reeling from losses and reacting to the explosion of ransomware attacks by requiring clients to implement minimum cyber security standards to address known cyber threats. This move is how insurance companies have historically managed other risks.
Essentially, to limit losses, insurance companies are requiring the insured to take reasonable steps to protect themselves and build in digital resilience. Helpfully, they are specifically calling out certain measures. Going forward, the insured will need to have implemented standards that include measures such as multi-factor authentication (MFA), encryption, DMARC and endpoint protection.
Insurance companies operating in the cyber insurance space are now turning away businesses whose cyber security posture is so weak that it bears all the hallmarks of an easy target. So, if you can’t transfer the risk to the insurance company, how else can you deal with these known threats? One answer is to make sure you have sensible responses to the same questions that the courts will ask:
- Is the threat well known and understood?
- Is the solution known and understood?
- Is it reasonable, proportionate and affordable (this will depend on the type of business that you are managing)?
- Finally, would a reasonable director implement it?
Answering yes to all four and taking no action means that your business has limited the defences available to it, not only in the face of a cyber attack but in its aftermath, which could include compliance issues, regulatory fines and class actions.
To end, and to put it simply, if a threat is reasonably foreseeable and avoidable, it is incumbent on the managers of the firm to manage it. This brings us neatly to the third issue: what can businesses do?
Specific mitigation actions
This third and final issue relates to email-related threats and ENISA’s point that associated training appeared to have no material impact.
That said, contained in the recommendations at 6.2, on page 58, the authors also wrote: “Provide regular user training on how to identify suspicious links and attachments and how to report them.” This seems unusual if the conclusion is that, despite training, the threat persists to a notable degree.
Comfortingly, however, the recommendations do include solutions that are known to work, including the recommendation to put “security controls into place on the email gateway to reduce the frequency or possibility of the lures arriving to your employees’ inboxes” and to implement one of the standards for reducing spam emails, specifically calling out DMARC. Reassuring, as the DMARC protocol will turn ten years old in 2022!