Many analyses of cybersecurity include consideration of the field’s constant state of flux and change. As the battlefield of the internet evolves, typically, so do the attack strategies, weapons, defense mechanisms and actors. However, according to ISACA’s 2018 State of Cybersecurity research, two elements that remain relatively constant are the types of attackers and the type of attack leveraged.
Specifically, based upon the input of respondents, the report noted that while attacks are increasing, outside of certain niche variants, the types of attacks have remained constant, with monetary theft as the main aim of most attackers. These trends identify that while certain cybersecurity considerations change, proven attackers, victims and attack processes will never go out of style.
Deeper examination of the report provides a greater understanding of the static trend of attack types by malicious actors. Survey respondents indicate that the three main attack mechanisms leveraged against their organizations are phishing, malware and social engineering. When compared to the 2017 report, this trend remains mostly static, with minimal variation. Additionally, the cybercriminal attacker profile remained steady as the attacker type.
While the main attack vectors and actors remain primarily static, the number of attacks are increasing dramatically, with the majority of respondents indicating that the number of attacks they are experiencing are increasing year over year. This trend could be due to multiple considerations. For example, as artificial intelligence (AI) enables business processes, malicious agents can also leverage AI to streamline attacks. This increase in efficiency allows an attacker to conduct more attacks with less infrastructure. Additionally, greater accessibility to the growing dark web allows attackers to work together more easily than in the past.
Though attackers might leverage certain tools to increase their operational efficiency, and thus their attack capability, others have found themselves largely relegated to the dustbin. Specifically, the report identified a substantive decrease, nearly 20%, in ransomware attacks. This might seem shocking considering high-profile ransomware incidents such as the one that recently hit the city of Atlanta in the United States, wherein many city operations remained crippled for more than a week. However, deeper analysis identifies that most organizations now have a response plan inclusive of a potential ransomware attack and are less willing to pay the ransom requested by attackers.
The decrease in ransomware attacks, coupled with the steady state of phishing, malware and social engineering, hint at one of the basic truisms of cybersecurity – the greatest weakness in organizations is often its individuals. When considering ransomware response, it’s easy to identify that proper backup policies and procedures can render an organization relatively ransomware-proof. If an attack occurs, cybersecurity response teams can commence mitigation by rolling out the most recent proven backup image to the impacted machines while hardening them from subsequent attack. This action is relatively independent of individual sentiment and discernment. However, phishing and social engineering are still reliant, primarily, upon the discernment of an individual expected to implement proper cybersecurity hygiene in his or her daily activities.
Although attacks are on the rise, it is important to remember that efforts to combat them are increasing as well. Indeed, based upon analysis of the report, the defense mechanisms and policies established by organizations can act as indicators as to why ransomware attacks are declining. Yet, while certain niche attacks might change over time, proven attack tools, such as phishing, social engineering, and malware, are here for the long-haul. As long as individuals do not practice appropriate cybersecurity hygiene, they will remain the main attack methods for malicious actors who are attempting to defraud organizations.
Frank Downs, Director and SME, Cyber Security Practice, ISACA
[ISACA Now Blog]