Published by Cybersecurity Practice
December 14, 2023
When the British Library suffered a major cyber incident at the tail end of October, only for the information reputedly stolen to appear for sale on the dark web, there was the usual wide media coverage of the incident, and a wide array of reactions from reporters and experts. Surprise, however, was not apparent among them. The targeting and extortion of public institutions is, after all, nothing new to anyone that keeps an eye on the news. With global tensions remaining critical, high-profile targets such as public infrastructure, landmarks, and services are under near-constant attack from bad actors – and these frequent news stories indicate just how often such attacks are successful.
While the frequency of attacks may not be new, what does continue to change is the increasingly codified space that cybercrime occupies. Also in October, the International Committee of the Red Cross put forward ‘8 rules for “civilian hackers” during war’, in an attempt to draw boundaries within what has until now been an undefined grey area – a recognition that such attacks are an unavoidable part of modern conflict that has been left largely unregulated. At the same time, groups focused on orchestrating less politically motivated attacks are acting more and more like the very businesses they target, with Ransomware as a Service, Phishing as a Service, and pre-built cyber tools made available to any third party that might want to use them.
With the advent of cybercrime as an industry, the difficulty of perpetrating the average cyber-attack is unlikely to ever increase again – it will only become easier, simpler, and cheaper. Roadblocks like technical knowhow and financial means have been progressively eroded over the past decade, in much the same way that they have been in areas such as app and video game development – through the software and services required becoming increasingly affordable to purchase and accessible to use.
In earlier times, many organisations managed to make do by flying under the radar and hoping that they didn’t present a big enough target for anyone with the time and resources to take notice of their lacklustre defences. Now, however, such low-hanging fruit will be plucked as a matter of course. With tools that can automate many of the traditionally manual, time-consuming steps of a cyber-attack, it no longer matters if any individual organisation has much to offer a bad actor – the time and effort required to mount such attacks have reduced to such a point that the poor security posture is reason enough.
To make matters worse, it’s highly likely that at least a portion of an organisation’s data isn’t technically held by that organisation at all any more. Cloud and hybrid environments are now the norm across public and private sectors, and just this year we saw a substantial breach on the part of one of the biggest cloud service providers – Microsoft – that led to a hacker group gaining access to email accounts from more than 25 different high-profile organisations.
So, one would be forgiven for going into 2024 feeling dispirited about the state of cybersecurity – but the outlook isn’t entirely hopeless. While we may be looking at an era of increasingly prevalent, increasingly successful cyber-attacks, there are still steps to be taken to ensure your organisation is in the best possible position to deter, manage, and recover from such an attack. As ever, staff training and strong fundamentals will help to ensure that your organisation isn’t among the most vulnerable that can be compromised by the lowest-effort phishing approaches, but no organisation in this day and age should be operating with complete confidence that they are impervious to attack.
Instead, organisations need to be thinking just as much about mitigating the damage done by a successful attack as they are about preventing the attack in the first place. There’s a good reason that network segmentation and zero trust are far and away some of the most popular topics in cybersecurity at the moment; by focusing on ideas like least-privileged access, organisations can effectively limit the information and lateral movement available to a bad actor that has breached their initial defences.
At the same time, developing strong business continuity and recovery plans is vital for an organisation to continue to function and deliver services during any disruptive event, but doubly so for a cyber-attack where the aim of the event is likely that same disruption. Having staff and leadership with a clear understanding of their roles and responsibilities in such an event can have a staggering impact on both the initial attack disruption and the recovery period after the fact.
By working together with experts and focusing on areas that will make a real difference, there’s every hope that, while 2024 may not see an overall reduction in cybercrime, we may be able to reduce the effects of the attacks felt both by the public and by the organisations themselves. To talk to us further about your own organisation’s preparedness, network segmentation, business continuity, or anything else, you can get in touch at firstname.lastname@example.org.