As we near the halfway point of 2022, enterprises around the world are preoccupied with cybercrime. Its spectre trumps concerns over the pandemic, war, climate change and even supply chain upheaval, according to the Allianz Risk Barometer.
The upheaval of the past two years and the mass migration of businesses online and to the cloud have created abundant new opportunities for technologically skilled criminals. Last year, the rate of weekly cyberattacks on firms increased 50%, and close to half of global enterprises suffered ransomware attacks, from which recovery cost an average of US$1.85 million. Meanwhile, according to a CrowdStrike survey in APAC, over a quarter of the respondents say their organisations don’t have a cybersecurity emergency response plan or aren’t aware if one exists, and 70% of survey respondents are more concerned now about cyberattacks than before the pandemic.
The threat is ever-present and evolving, and traditional cybersecurity measures are struggling to keep up. Businesses have rightly made staff more aware of the risk and of their role in preventing attacks and have introduced mechanisms to make it easier to report suspicious activity such as phishing. But such measures are just the start of making an organisation more secure. Many enterprises focus on single attack methods such as ransomware or viruses which, while widespread, are just facets of a much bigger problem caused by hackers.
At its core are increasingly sophisticated collectives of hackers who are experienced, advanced, well-informed, and can tailor attack methods to breach defences as needed.
Enterprises are like sitting ducks: they recognise the threat and are worried about it but are essentially waiting for it to strike them. Over the years, we have found that even in top-tier private and public sector organisations, gaps or vulnerabilities remain after heavy investment in cybersecurity systems that check the boxes.
Shift cybersecurity mindset
A good starting point for an organisation is to conduct an audit of its information and where it sits. If even part of an enterprise’s external system is exposed to the internet, sensitive information may be at risk. It could also be a way for cyber attackers to gain control of core systems, which could suspend operations and services.
Organisations need to develop their cybersecurity strategy from the attackers’ perspective. As cybersecurity becomes a part of geopolitics and military-level concerns, businesses need to proactively detect risks to deflect attacks.
Any defence system that claims to be impenetrable will inevitably become penetrable — it is just a matter of time. A much better approach to building defence is to challenge an enterprise head-on to identify its weaknesses.
Offensive cybersecurity simulates the hacker mindset to carry out attacks in multiple intrusion scenarios, highlighting vulnerabilities and necessary fortification measures, and puts an enterprise on guard for when a real attack happens.
Offensive cybersecurity is on the rise
The adoption of offensive security services is on the rise around the world. The global penetration testing market is set to grow from US$1.6 billion in 2021 to US$3 billion by 2026. Between 2020 and 2021, the share of Taiwanese enterprises that deployed the Red Team Assessment increased from 3.5% to 6.4%, a survey from iThome indicated.
These assessments can help identify zero-day vulnerabilities (previously unknown cracks in a piece of software) and test the resilience of employee passwords, physical hosts, virtual hosts and servers. Even stringent cybersecurity defensive measures can leave room for threat actors to breach; a pre-emptive stress test can put control back in an enterprise’s hands.
Organisations need to see the deployment of a defensive system as a starting measure, not a solution that can be left to its own devices. It is critical for enterprises to utilise offensive cybersecurity measures to test their defences and put resources where they are most necessary. Only by thinking like hackers can we be successful in defeating them.