In this episode we’re joined by Kris McConkey and Krystle Reid to discuss the latest cyber threats you need to defend against. We cover:
The Cyber Security Podcast from PwC UK covers the latest developments in cyber risk, resilience and threat intelligence. In each episode we’re joined by special guests to give you practical insight on how to improve your cyber security and create a more resilient business.
Introduction by our host, Abigail Wilson: Hi, I’m Abigail Wilson, your host for the Cyber Security Podcast from PwC UK. And working in PwC’s Threat Intelligence team, I’m very excited to bring you the latest episode, looking at the cyber threat imperatives for 2021. Every year we conduct a review of the trends we’ve seen over the previous 12 months, and explore their wider impact on organisations, business, and society.
So we thought this provided an excellent opportunity to review both what we’ve seen and also look forward to the threats that should be on your radar this year. In this episode we’ll be asking questions like which cyber threats had the most impact last year? And which ones are set to continue this year? To help answer these questions, I’m joined today in our virtual studio by Kris McConkey, our Global Lead for Threat Intelligence and Incident Response; and Krystle Reid, a Threat Intelligence manager from our UK team.
Kris, Krystle, thank you for joining us today.
Kris McConkey: Hi Abi, thanks.
Krystle Reid: Hi Abi.
Kris: Good starter question. We did a podcast fairly early in the pandemic in 2020, and the things back then, or quite a few of them at least, definitely remain valid now. We’ll start with a really obvious one, and get that out of the way first, which is ransomware. You’ll hear us talk about this a lot, probably; it’s really the highest-priority threat for pretty much every organisation at the minute, and some of the ransom demands are now regularly exceeding high 7 figures, and often into 8 figures. And many of those incidents were genuinely posing existential risk for the victims.
The second one is obviously to do with virtual working. Organisations in 2020 obviously had pretty significant changes forced on them in terms of working environments, and there was a lot of VPN exploitation and other exploitation of things like firewalls and other security products through 2020 as well. That’s not really a surprise. If we look at most of the high-profile incidents that have been in the public domain, whether that is supply chain attacks, or whether it’s file transfer solutions being targeted and those sorts of things, bad actors are really just targeting areas of concentration risk, and so effectively collective exposure to a single thing, whether that is a piece of software or a managed services provider, or something else. That’s genuinely not going to stop any time soon.
As an industry we have to figure out how to deal with that a bit better. It’s also not new. Things like software supply chain attacks have actually been around since at least as early as 2011 from our research. Obviously, cybercrime as well was a big topic through 2020, and that really follows the news. Right from January last year, we saw cybercrime actors tailor a lot of their content, for example, phishing emails, aligned to the global narrative around COVID-19, and it basically followed that narrative the whole year. So in early 2020, it was about the COVID-19 virus itself, later in the year it then turned into things like vaccine, and furlough schemes, that sort of stuff as well.
Switching from cybercrime into espionage, we also saw a shift in espionage following the COVID-19 news throughout the year as well, initially towards vaccine research, and then more recently towards aspects of how vaccines have been distributed and rolled out, and quite a lot of the logistics and mechanics behind that as well.
So really interesting to see a lot of the trends change throughout the year, but a lot of them really evolving in exactly the way you would predict with 2020 hindsight in terms of a pandemic like this.
Krystle: The top threat has to be ransomware. As Kris alluded to, ransomware has been the main threat facing organisations over the last year. One of the reasons for this has been a shift in the tactics used by ransomware operators, namely the advent of leak sites. Many threat actors will now look to exfiltrate data from their victims before launching the encryption and threaten to publish that data if the ransom isn’t met. So there’s a lot more pressure and scrutiny on victims and how they respond, as the fact that they’ve been compromised is now in the public domain. And that’s something that’s very different to how ransomware attacks were previously conducted.
Another trend we saw continuing throughout the last year is intelligence gathering and collection activity. We’ve seen a lot of threat actors continuing to conduct espionage activity in spite of the pandemic, often in support of nation state strategies and also in response to geopolitical events around the world.
And lastly, supply chain compromise. This continues to be a much-abused attack vector. It's definitely nothing new. Threat actors have been using the supply chain and targeting it for many years. There have been a number of high-profile attacks over the last year, which have really brought home the scale and impact these can have.
Krystle: When you consider how rapidly threat actors have shifted their tactics and the sheer growth in their operations over the last year, there are undoubtedly some organisations that will have been taken by surprise. The reality is that there isn’t really a sector that’s immune from ransomware attacks, or a geography, and the trend shows no signs of slowing down. These types of operations have attracted new players to the market, and many established crime groups have also added ransomware to their portfolios. So it’s a threat really that all organisations, regardless of their size, need to take seriously, and it’s definitely something that we’ve seen increasingly become part of CEO and board-level conversations.
So Kris, I’m sure you’ve got a bit more to add on that given the work you do with boards during breaches.
Kris: Yeah, and there’s absolutely no doubt that the pandemic was a real shock to the system for some boards whenever it comes to security, in part because of some of the stuff you’ve been talking about, Krystle, like the impact of the incidents themselves. So things like the human-operated ransomware campaigns, whenever they completely knock out an organisation’s ability to operate, not only is that a board-level crisis, but it’s actually the board, and quite often the CEOs, that are front and centre in terms of the public face of their response and what they say. In light of those types of threats, one absolute priority has to be around how organisations protect and then recover from backups, and a lot of boards are now realising that security quite often has this accountability for defending the network, but no authority or responsibility over things like the backup processes, because that sits with IT.
So we’re seeing a really desperate need for IT and security to be joining forces on some of those absolutely critical things that quite often get overlooked, and sort of fall between the gaps, things like business continuity planning and the security aspects of it.
Our very own Richard Horne actually put out a really good article this February on balancing complexity and simplicity, which is really relevant for boards. Most organisations are hugely complex, and business strategy and business models often overlook how decisions are influencing the complexity of business processes, and the systems and associated risk. There’s another bit of that which talks about external partners, and the fact that most organisations over time have developed really chaotic sets of supplier arrangements, for everything from handling marketing data through to IT administration. The complexity and volume of those relationships genuinely makes them a bit of a nightmare for security. So there’s definitely something to be said for taking a fresh look at how to simplify those external ecosystems and supply chains with a view to making it easier to get some sort of transparency and trust in them.
And thirdly, there’s a big, big issue for a lot of organisations around technical debt, which causes so many of the breaches that we get called in to investigate. But technical debt is actually usually there to support some sort of process debt, that is, really archaic, complex business processes that themselves could be simplified, and that actually makes a massive difference to an organisation’s ability to recover quickly from attacks. Boards are definitely getting pretty engaged in this topic now.
Krystle: So while we can’t predict what will happen in the next year, there are definitely some trends that we can expect to continue. So ransomware is the obvious one. It doesn’t show any signs of slowing down and we expect this to be a top threat to all organisations for the time being. It will be interesting to see if there are measures put in place to discourage victims or prevent them from paying ransoms, and how ransomware operators will adapt to those in kind. Other trends we expect to continue are the use of tried and tested techniques. The threat actors are continuously adapting and improving their tools and tactics in these areas. So that includes things like supply chain compromise, but also things like the use of social engineering. So we expect threat actors to adapt to the way that we are adapting in the way we interact with those services, and exploit those connections.
And also phishing, which continues to align to current affairs.
Abigail: Definitely, it’s actually worth highlighting that we saw a vast amount of malicious activity last year that was really a continuation of what we’ve seen in previous years, almost business as usual for threat actors. As was the case in 2020, we expect that major geopolitical events will continue to drive activity across the globe this next year and beyond, of course, especially for espionage or intelligence gathering. We regularly see targeting aligned to shifting political alliances, trade wars, and, which was especially high profile last year, national elections.
Speaking from our ongoing research on threats in the Middle East in particular, we’re monitoring how the new US administration will respond to the threat of a nuclear Iran, for example, and how that will impact the region, and we anticipate that this will have a knock-on effect, with many sectors and organisations being targeted as a result.
Kris: I think there’s actually quite a lot that we can take as positives from 2020 into 2021. There’s actually a really interesting dynamic around the hybrid working model that we’re obviously going to be stuck with, but which is actually probably quite a good thing for many people in 2021. And actually, the fact that we have such a remote and mobile workforce actually gives us some opportunities to rethink how we do bits of security, and particularly monitoring. There is definitely going to be a really significant focus on the endpoint. Again, obviously most endpoints are now outside of the normal corporate boundaries, and actually the ability to monitor what’s happening on those, when you don’t have some of the network visibility that people were used to whenever they were inside the corporate boundaries, is going to force a really significant uptake of things like modern endpoint detection and response (EDR) solutions, where a lot of organisations, particularly in Europe, still don’t have those.
There’s also a slight risk, which is that, whenever we come out of the current lockdown routines that we are in, we need to avoid the temptation to default back to the way things were before. This is a really good opportunity to leapfrog quite a lot of technical debt, focus on how we simplify things, take the opportunities to simplify our Active Directory hygiene, and actually make our environments more defendable. Then there’s a really interesting bit, which I hope we see more of in 2021, around really good collaboration between public and private sectors on things like threat attribution and disrupting some of the really significant threats to most organisations. We saw some great examples of that in 2020, and I’m hopeful we’ll see a lot more in 2021.
Outro by our host, Abigail Wilson: Thinking about how you approach the hybrid model, especially, will be important. For organisations who are exploring flexible working solutions, I think these will be increasingly important and very popular options as we reemerge from the pandemic.
Thank you both for this great discussion on the cyber threat trends that organisations will really need to think about. For more information on how you can defend against cyber threats, please visit our website at pwc.co.uk/cybersecurity. Don’t forget to subscribe to receive future episodes of our podcast. See you next time.