Explainer: As cybercrime evolves, how can companies keep up with their cybersecurity?

The COVID-19 pandemic has accelerated technological adoption but has simultaneously exposed cyber security vulnerabilities and unpreparedness.

As global interconnectivity advances in the Fourth Industrial Revolution (4IR), security threats are undermining trust. The World Economic Forum’s Global Risks Report 2021 notes that cyber risks continue to rank high on the world’s list of threats.

In 2020, businesses around the world saw a spike in cyberattacks as more people moved to virtual environments to remain connected.

So, how are cyberattacks becoming more sophisticated, and how are companies changing their cyber security strategies to stay ahead of the cybercriminals?

The 2021 Microsoft Digital Defense Report (MDDR) covering more than 8,500 security experts and spanning 77 countries highlights “big game ransomware” which is human-operated and involves criminals searching for large targets for pay-outs through criminal syndicates and affiliates.

Once a network is compromised, the aim is to steal confidential information, documents, and policies before demanding a ransom for its return. Typically, payment is demanded through cryptocurrency wallets, which allow criminals to remain anonymous.

The MDDR recommends that companies prepare for the worst to ensure they make it harder for attackers to access systems in the first place and to make it easier for victims to recover.

Steven Weisman, a lawyer and college professor at Bentley University, told Digital Guardian: “The best defense against ransomware is to back up all of your data each day. In fact, my rule is to have three back-up copies using two different formats with one off-site.”

Malware is an intrusive software that aims to take over a company’s server to damage or destroy computer systems. In an article for Forbes, Will Foret, President at IT support firm Spot Migration, said malware “can be a variety of malicious software. It is a catch-all term when talking about cyberthreats. It could be ransomware, spyware, worms or a virus”.

When navigating the tricky world of malware, Foret suggests: “Don’t hesitate to ask your IT department when you are unsure about something, and always go to a website by typing the URL in a new window before logging into anything.”

Phishing is the most common type of malicious email, and according to Microsoft’s observations of the emails that passed through its platform this year, the number of phishing emails being sent remains steady.

The MDDR states: “In 2020, the industry saw a surge of phishing campaigns that has remained steady throughout 2021. Internally at Microsoft, we saw an increase in an overall number of phishing emails, a downward trend in emails containing malware, and a rise in voice phishing (or vishing).”

A concept called ‘spear phishing’ has also developed more recently, which occurs when hackers target employees through emails that appear to be from other colleagues. This allows the attacker to easily steal personal information from victims.

Microsoft’s MDDR recommends that companies educate their employees about the context of the emails they receive to ensure they can spot any behavioural changes from their colleagues.

A blog by security technology expert Kaspersky highlights "mindset" and user "behaviour" as two factors for strong cyber security and protection.

According to the blog about phishing emails and scams, it can be difficult to detect a phishing attack even for cautious users: “These attacks become more sophisticated over time, and hackers find ways to tailor their scams and give very convincing messages, which can easily trip people up.”

Kaspersky suggests a few basic measures that employees should take to protect themselves, including using common sense before handing over sensitive information, not opening attachments, keeping software up-to-date and not clicking on embedded links.

Companies struggling with cybersecurity breaches are also dealing with a skills gap. According to a report from the Information Systems Security Association (ISSA) and analyst Enterprise Strategy Group ESG, 95% of respondents believe the gap has not improved in recent years.

IT security specialist Edward Humphreys notes in an ISO interview that education is a company’s best weapon against cybercrime and that, without the right skills, companies are left open to threats.

“The worldwide shortage of skilled cyber personnel has a direct and significant impact on organizations and their ability to protect themselves,” he says.

More than half of enterprise executives plan to increase their cybersecurity budgets this year, according to a report from PwC. Furthermore, 51% said they would be adding more full-time cyber staff in 2021.

To address global cyber security challenges and improve digital trust, the World Economic Forum created the Centre for Cybersecurity. This independent global platform aims to foster international dialogues and collaboration across private and public sectors to reinforce the importance of cyber security.

The community has identified three key priorities as part of their work: building cyber resilience, strengthening global cooperation, and understanding future networks and technology.