By Julia O’Toole, CEO, MyCena Security Solutions
The year 2020 will be remembered as the year in which the world suffered one of the worst viral pandemics and one of the worst cyber pandemics in history, simultaneously. As COVID-19 spread rapidly throughout the global population, a breach at IT firm SolarWinds started a supply-chain attack of unprecedented magnitude, affecting thousands of organizations, including the Pentagon; the White House; the US Army; the US Departments of Treasury, Commerce, and Energy; IT giants like Microsoft, Cisco, Deloitte, Intel; and others.
Today, in 2022, UK businesses continue to be subject to an average of 2,000 cyberattacks per business per day, an average of one attack every 43 seconds.[1] And the average total cost of a ransomware breach is £3.66 million per incident.[2]
How did we arrive here? It’s instructive to draw parallels between the responses to the outbreak of COVID-19 and our responses to today’s accelerating cyber pandemic, and to ask ourselves: what can cybersecurity learn from microbiology?
How cyber pandemics resemble viral pandemics
In countries such as New Zealand, for example, where strict lockdown rules were enforced very early on in the pandemic, there was a very clear and successful decline in COVID-19 cases. Keeping infected people separated from each other halted the spread of the virus. In other countries where the government didn’t require self-isolation, the virus spread rapidly through the population. Simply put, allowing people to mix freely helps viruses such as COVID-19 spread faster throughout the wider population.
Both biological and computer viruses spread through hosts: a biological virus from person-to-person hosts and a computer virus from system-to-system hosts. To stop either type of virus from spreading, the most effective way is to isolate it from other hosts. In this way, we can apply what we know from microbiology to stop the spread of cyber pandemics.
Password breaches allow supply-chain attacks
Over the last decade, the vast majority of data breaches have started with weak, reused, and stolen passwords. As the human brain can’t create and remember strong, unique passwords, many people use the same easy-to-remember passwords. Those passwords are also easy to crack using social engineering, brute force, credential stuffing, dictionary attacks, or password spraying. Today’s hackers don’t “hack in”; they log in. Nine out of ten cybersecurity breaches are related to passwords, with phished passwords the number one threat vector.
To attempt to solve this problem, a first generation of solutions centralized passwords behind a single access point, so people only needed to remember one password to access all their accounts. While this is extremely convenient for users, it also creates a perfect access path for hackers. From one breach, they can escalate privilege to take over command and control of the entire infrastructure within hours or days. From there, they can go on to infect other companies through their supply chain.
How to mitigate cyber pandemics
Monitoring can only help to mitigate known cases. As new variants and zero-days keep emerging, detection and remediation are always playing catch-up, which makes a detection-only strategy unreliable. Just as there are asymptomatic COVID-19 cases that can spread the virus, many cyber breaches go undetected for months, unknowingly infecting more and more organizations. The SolarWinds attack is a good example of a huge cyber-espionage operation that went on for almost nine months without anyone seeing it.
Just as isolating people can limit the spread of COVID-19, the only way to stop cyber pandemics from spreading is by segmenting and isolating access to each system, with each door locked by one strong and unique access key. That way, if one system gets infected, it won’t spread to other systems. This is the complete opposite of aggregating all systems behind a single access point, whereby if you lose that access, you lose everything.
Make digital security reflect physical security
To succeed in access segmentation and take back control of their own access, companies can apply to their digital access the rules they already use in their physical environment:
- Don’t let employees make and share their own passwords. Instead, generate and distribute strong, unique passwords as if they were keys to access a factory, office, or storage.
- Don’t aggregate all systems behind a single door with one key that can open everything. Instead, have “one door, one key,” so if one key is stolen, the others are safe. This automatically reduces the quantity of data that can be stolen at once, preventing companies from being subject to ransomware attacks over large swathes of data.
- Don’t distribute passwords in clear text. Instead, ensure all passwords stay encrypted from end-to-end, during creation, distribution, storage, and use, so that no one can see, share, or phish them. By applying this whole zero-trust-by-default credential-based system, companies can ensure that only the legitimate user can access their own credentials through multiple levels of security.
This approach not only simplifies employees’ lives (as there are no more passwords to know, so no more password resets), but it also eliminates all the security risks and costs attached to human behaviour and the huge problems associated with stolen, phished, or shared passwords (especially when people work from home). It prevents the loss of command and control over a company’s network and, ultimately, protects organizations from ransomware attacks and from furthering the cyber pandemic. Plus, since passwords are encrypted, nothing stops companies from using billion-character-long passwords that can resist future quantum attacks.
Fortunately, modern technology solutions make implementing the approach outlined above easier and more cost-effective. Plus, such technologies can be deployed without changing your current digital infrastructure. Using the available solutions, companies can deploy digital “vaccines” against cyber pandemics.
By taking immediate action to segment access and retake control of their access credentials, organizations can quickly and decisively reclaim command and control over their network and increase their cyber-resilience.
Bio
Julia O’Toole is the founder and CEO of MyCena Security Solutions, a breakthrough solution to manage, distribute, and secure digital access. An inventor and author of several patents, Julia uses math, neuroscience, and technology to research and design simple, yet innovative solutions for complex problems. Julia’s areas of research and expertise include cybersecurity, collaboration, and search. Julia founded MyCena in 2016, which has since become a market leader in segmented access management and safe password distribution. With its ground-breaking patented security system, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware, and supply chain cyberattacks.
[1] https://www.beaming.co.uk/cyber-reports/q1-2021-cyber-threat-report/