MyCena, Author at MyCena®

Julia O’Toole, founder and CEO of MyCena Security Solutions, urges businesses to bolster their cybersecurity to avoid getting caught in the cyber crossfire of the Russia-Ukraine conflict.

Russia’s invasion of Ukraine has provoked a massive rally of hackers to join both sides of the conflict and take up arms in the cyber-war. As has been the case in cyberattacks of recent years, the consequences of this will affect organisations way beyond the initial intended target. For example, in June 2017 French company Saint-Gobain was forced to halt its operations as a result of the NotPetya attack, a Russian cyberattack targeting Ukraine that resulted in over €80 million of losses in company revenue.

Following a sharp increase in cyber-attacks since the beginning of the conflict, ranging from DDoS and new data wipers to phishing campaigns and malware, organisations worldwide should take immediate action to improve their cyber-resilience and limit the damage that any spillover could have on their business.

The influx of inexperienced cybercriminals creates a new sense of vulnerability for both businesses and citizens. With IT and OT/ICS highly connected to critical infrastructure, the impacts of a cyberwar will be wide reaching and potentially devastating.

In the last 18 months, we have seen water plants and oil pipeline systems breached, luckily without mass poisoning or infrastructure explosions. But where nation-state hackers may show restraint, “freelancing hackers” may not. With heightened cyber-risks, there is an urgent need for organisations to become cyber-resilient. And this needs to start with recognising why cybersecurity has not worked in the past.

Common cybersecurity weakness

The primary reason why it is so easy for criminals to take command and control over a network is because there are inherent weaknesses in the traditional approach to network security.

In a physical environment, organisations distribute keys to the employees, not the other way around. But in their digital environment, organisations let employees create their own keys, blindly transferring power of control to their employees. Employees can share, lose or reuse their passwords without organisations knowing if and when that happens. Nine times out of ten, criminals don’t need to hack in; instead they log in, after using tactics like phishing, social engineering, credential stuffing, password spraying… In fact, password phishing was responsible for 83 per cent of all cyberattacks in 2021. And having employees regularly change their passwords from DomSmith123! to Dom$mith1234 or any other variation after a cyberattack will not stop a malicious actor from logging in again.

Organisations are not only losing the battle for command and control. They have also made it easy for criminals to maximize the impact of any breach by centralising access behind a single door. After escalating privileges to a local or domain admin, criminals can take control of the whole network. Once inside a network, they can ‘stay and spy’, install data wipers, lock files, halt operations, and launch a ransomware attack.

Current cybersecurity strategies that only prioritise network perimeter security with investments focused on detection, response, patching and crisis management, have also been ineffective by design. In the same way that you can’t spot a new COVID variant before it is circulating, it is mechanically impossible to fix vulnerabilities before they are discovered, meaning it is impossible to prevent cyberattacks or zero-days.

Ransomware attacks also work to prolong the conflict through funding further cybercrime. According to a report by Chainalysis, nearly three-quarters of traceable ransomware revenue in 2021 (around $400 million worth of cryptocurrency) was laundered through Russia. After removing selected Russian banks from the SWIFT system and freezing their central bank assets, cryptocurrency gained through ransomware could offset the financial sanctions and help sustain Russia’s army for longer.

Protect network access and ensure cyber-resilience

Organisations urgently need to regain command and control over their networks and enhance their cyber-resilience. This requires an overhaul of the approach to security.

The fundamental change required is to apply physical access security rules to their network. Firstly, don’t let employees make and share their own passwords. Secondly, don’t aggregate all systems behind a single door with one key that can open everything, instead segment system access. That way, if one password is stolen while others remain out of reach, a breach is contained by default. And finally, ensure all passwords stay encrypted from end-to-end, during creation, distribution, storage and use, so that no one can see, share, or phish them. Using a zero-trust, credentials-based system means that only a legitimate user can access their credentials through multiple levels of security.

It is not too late to make digital infrastructure cyber-resilient with access segmentation and security. Organisations must now take responsibility for the security of their own networks, or risk getting caught in the cyber crossfire.

Proofpoint’s annual report on phishing revealed that the UK is by far the worst culprit for disciplining employees that fail cybersecurity tests

Business leaders need to stop blaming their employees for their own cybersecurity failures and take control of the digital keys to their business. This is according to MyCena, the market leader in segmented access management and encrypted password distribution.

In recent years, companies have increasingly put pressure on their employees to maintain strong password hygiene, using strong unique passwords for every account and not falling victim to phishing attacks. By placing the onus on employees, organisations are setting themselves up for failure.

Proofpoint’s 2022 State of the Phish report revealed that in the UK, 42% of employers inflict monetary penalties on staff that engage with real or simulated phishing attacks and 29% even lay off staff. These figures are both far higher than the global averages of just 26% and 18%.

Unsurprisingly, the report also highlighted an increase in the number of attacks year on year. In the UK, 91% of respondents revealed that they had faced a phishing attack and 84% reported seeing at least one email-based ransomware attack.

Julia O’Toole, MyCena founder and CEO said:

“The data from this year’s report reflects a misunderstanding on the part of organisational leaders. It is easy to blame other people, but it is the C-suite members who need to realise the risk they take when they relinquish the company’s command and control to their employees.

“The thinking around passwords needs a complete overhaul. Imagine an employer allowing each employee to create their own personal keys to access company buildings, elevators, floors, doors and data rooms. That’s exactly what’s happening when an employee uses their personal password to access your network and the critical parts of your business that cybercriminals are targeting.

“In the physical world, when an employee starts a new job, the company hands him or her the keys, fobs and cards required to access the different parts of the building. When the employee leaves, the company takes back the keys, fobs and cards, ensuring the employee no longer has access to the company assets. Throughout their time working for the company, management has full responsibility and control of who can access what.

“By asking employees to create their own digital keys to enter the different parts of their digital network, companies set themselves up to lose control of their digital infrastructure, from the moment their employees were handed the responsibility of their access keys.

“Phishing attacks are getting more sophisticated and harder to spot than ever before. Being able to perceive cyber threats is a challenge for even the most experienced and cyber-aware users. Your employees won’t all become cybersecurity experts, nor should they be expected to be. The current situation has put an untenable pressure and stress on the employees for no good reason.

“We know that over 80% of data breaches start with a legitimate password; placing the onus on the employee rather than the organisation is counterproductive and financial punishments won’t ensure that it doesn’t happen again.

“Instead of forcing employees to remember dozens of complex passwords for various access points, adapt your technology to support employees in only using strong unique and encrypted passwords that can’t be phished. Not only do you take back the control of your own access points and cybersecurity, but you also relieve your employees from an immense mental pressure. Information like passwords doesn’t need to be kept in people’s head.

“Strong unique encrypted passwords can be controlled by the company and used by employees without them ever having to think of them, type them in or remember them. Make your digital access security reflect your physical access security,” O’Toole concluded.

- Ends -

FOR MORE MEDIA INFORMATION
Adam Hartley / Nathan Patel / Alex Henderson
T +44 (0)20 7388 9988
mycena@spreckley.co.uk

About MyCena Security Solutions
Founded in 2016, MyCena is the market leader in segmented access management and safe password distribution. MyCena’s patented security system allows companies to adopt a cyber-resilient strategy from conception using access segmentation, distribution and protection. With its ground-breaking technology, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware, and successful supply chain attacks. The company offers enterprise security solutions and applications to end users. To learn more visit: https://mycena.co/

Julia O’Toole, founder and CEO of MyCena Security Solutions, comments on how historic cyberattacks have given the Russian government critical advantages in the build-up to the Russia-Ukraine conflict. In anticipation of escalating cyberattacks, organisations should take immediate action to secure cyber-resilience.

The invasion of Ukraine is the culmination of years of careful preparation from the Russian state. Strategic cyber-advantages were gained in several areas, convincing them of their own cyber-supremacy.

Cyber-advantage one: Cyberwar practice runs
The Russian military has been testing and perfecting cyberwar techniques for years, not least against their Ukrainian neighbour, of which the most devastating was the NotPetya cyber-attack. This was directed against Ukraine’s financial, energy and government institutions in June 2017 but also indirectly affected many other businesses, causing hundreds of millions of pounds in losses [1].

This attack highlighted the risk associated with having their own country’s digital infrastructure connected to the world. Consequently, Russia created its own internet network that can be disconnected from the rest of the world when needed. This was tested in June and July 2021 and again in January 2022, a few days after a dozen Ukrainian government websites were hit by a data wiper attack disguised as ransomware [2].

Cyber-advantage two: Financial gains through ransomware
According to a report by Chainalysis, nearly three-quarters of traceable ransomware revenue in 2021 (around $400 million worth of cryptocurrency) was laundered through Russia, meaning that cyber-insurers could well have unknowingly propped up Russian military coffers [3].

Cyber-advantage three: Deep penetration into western governments’ digital infrastructure
A recent string of high-profile cyberattacks and vulnerabilities, including the SolarWinds attack and the Log4j vulnerabilities, has enabled Russian cybercriminals to scan, steal and crucially stay inside organisations. According to O’Toole, “the SolarWinds attack reportedly gave Russia access to data from about 100 U.S. government agencies, critical infrastructure entities, and private sector organizations [4].”

The impact of cyberattacks in other countries
There has been an escalation of cyberattacks on the Russian and Ukrainian sides, raising fears of repercussions on organizations in other countries. This, for example, happened to Saint-Gobain, which in June 2017 had to stop operations following the NotPetya cyberattack, resulting in a loss of revenue of €80 million [5].

The French Interior Ministry’s cyber defense center went into “heightened vigilance” last week. In the UK, Lindy Cameron, Chief Executive of GCHQ’s National Cyber Security Centre, said: “In a world that relies so heavily on digital assets, cyber resilience is more important than ever... The UK is closer to the crisis in Ukraine than you think... If the situation continues to worsen, we could see cyberattacks that have international consequences, whether intentional or not.”

“Lindy Cameron is correct to urge businesses and organisations to take steps to improve their cyber resilience,” says O’Toole. “The question is how?”

“Hackers don’t need to hack in, they log in.”
“Russia has gained its cyber-advantages fundamentally through the inherently weak digital access models deployed by organisations today. We know that nine out of ten attacks involve legitimate passwords, with password phishing responsible for 83 per cent of all cyberattacks in 2021.”

“People changing their passwords from DomSmith123! to Dom$mith1234 after a cyberattack will not stop a malicious actor from logging in again!”

Protect network access and ensure cyber-resilience
But it is not too late to protect your network access and secure cyber-resilience. According to O’Toole, organisations can quickly organise themselves to take back command and control of their digital network, stop password phishing and prevent ransomware attacks, starting with applying physical security rules to their cybersecurity:

  1. Don’t let employees make and share their own (digital) keys. To ensure passwords can’t be seen, shared, or phished by anyone, they can be encrypted from end-to-end (creation, distribution, use, expiry).
  2. Don’t put all systems behind a single door with one key to open everything. To ensure (cyber) resilience, segment access to every system so that if one is breached, for example in a supply chain attack, the breach is isolated by default and won’t affect other systems.

From protecting networks to deceptive intelligence
O’Toole continues, “Intelligence has always been a key advantage in war. So has deceptive intelligence. By breaking the ENIGMA code, Alan Turing and the team at Bletchley Park helped the Allies intercept the Nazis’ encrypted communications, create false information to then be intercepted by their opponents, and consequently shortened the war. Imagine today if organisations leveraged the rise in phishing attacks to deceive criminals with false information about their intentions and positions. Simultaneously, access from legitimate users would be protected with end-to-end encrypted passwords that can’t be seen, shared or phished. These organisations would be immune to password attacks, ensuring the integrity of their network and confusing their opponents in the process.”

Stop ransomware and stop funding the war
“From a financial standpoint, removing selected Russian banks from the SWIFT system and freezing their central bank assets will have a massive impact on Russia’s ability to sustain its aggression. Through preventing ransomware attacks, organisations could also prevent cryptocurrency theft from offsetting the financial sanctions and shorten the war,” O’Toole concludes.

-ENDS-

For more information on Julia O’Toole - https://www.linkedin.com/in/juliaotoole

For more information on MyCena - https://mycena.co/



[1] https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack
[2] https://www.reuters.com/technology/russia-disconnected-global-internet-tests-rbc-daily-2021-07-22/
[3] https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-russia-ransomware-money-laundering/
[4] https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise
[5] https://votre-solution-generali.fr/images/pdf/Lettres/Cyberattaque notPetuya chez St Gobain.pdf

With nine out of ten breaches related to passwords, MyCena’s segmentation and cyber-resilience model ends password phishing, stops supply chain attacks, and prevents ransomware

LONDON, February 23, 2022 – MyCena, the market leader in access segmentation and encrypted password distribution, today announces the launch of a new mobile device add-on to complete its enterprise segmented digital access security solution. MyCena’s mission is to eliminate password phishing, stop supply chain attacks and prevent ransomware in today’s hybrid workplace. MyCena’s approach to securing digital access solves three major cybersecurity problems: password creation and distribution; risk aggregation; and committing passwords to memory.

Digitalisation has increased rapidly during the Covid-19 pandemic, with the global use of services such as video-conferencing having grown ten-fold. As a result, ransomware attacks have increased in frequency and sophistication and are the biggest concern for today’s businesses. Phished passwords are the number one threat vector, responsible for 83 per cent of all cyberattacks last year. In the UK, businesses are subject to an average of 2,000 cyberattacks per business per day, an average of one attack every 43 seconds. And the average total cost of a ransomware breach is £3.66 million per incident.

“Following a huge surge in cybercrime and ransomware attacks over the past two years, businesses are under siege,” says Julia O’Toole, founder and CEO of MyCena Security Solutions. “The vast majority of cybersecurity breaches today involve the use of legitimate passwords. Today’s hackers don’t ‘hack in’, they log in, repeatedly looking for an easy lock to pick through password phishing, social engineering, brute force attacks and credential stuffing. It’s also important to remember that beyond the ransomware headlines and financial costs, there are substantial risks of operational stoppages, supply-chain risks, IP loss, commercial espionage, industrial sabotage, and loss of data integrity, ultimately threatening jobs and human lives.

“How did we get here? The explanation is rather simple. As the workplace moved from a physical to a digital environment, the security rules used in the physical world have not been transferred to the digital world. The first mistake was to have employees create their own passwords: the equivalent of asking people to bring their own keys, fobs and passes to enter the company building, office or server room. The second mistake was to aggregate more and more systems behind a single point of access, whether a master password or biometric, using tools such as Single Sign-on (SSO), Identity Access Management (IAM), Privileged Access Management (PAM): the equivalent of people having a single key for their house, their car, their office, and their bank account. The third mistake was to require people to remember and type their passwords: the equivalent of asking people to cut a key every time they need to open a door. The result of these mistakes is hackers only needed to find one password (for example, through phishing or social engineering) to log in. Once in, with repeated success, they can quickly escalate privilege to take over command and control of the whole infrastructure within hours or days.

“MyCena is based upon a very simple idea: digital access must reflect physical access. The first step to take in cybersecurity is to apply your company’s physical security rules to your digital environment. Don’t let employees make and share their own passwords. Don’t aggregate all systems behind a single door with one key that can open everything. And ensure all passwords stay encrypted from end-to-end, during creation, distribution, storage and use, so that no one can see, share, or phish them.”

MyCena’s patented Segmented Access Management solution enables businesses to strengthen their digital access security by generating and distributing encrypted access credentials to the right users, ensuring only the legitimate user can access his or her credentials fortress through multiple levels of security. MyCena also allows the company to easily distribute, remove or expire access keys to any system in real time, creating a watertight access command and control security system.

MyCena offers a credentials-based segmentation and cyber-resilience strategy that is zero-trust by default and scalable to withstand future quantum computers’ attacks. By closing all access security gaps and simplifying people’s lives, MyCena helps companies to eliminate the security risks, as well as the costs and productivity losses associated with password resets, as people have no more passwords to know. Cost-effective and easy to implement across OT, IT and IoT without any infrastructure change, MyCena’s security model eliminates the huge problems associated with stolen, phished, or shared passwords, especially when people work from home. Using MyCena prevents the loss of command and control over a company’s network and, ultimately, protects organisations from ransomware attacks and furthering the cyberpandemic.

- Ends -


Vodafone Portugal has suffered a massive cyberattack which has crippled vital services around the country. Reports began on February 7 when customers noticed the network appeared to be down. Vodafone’s Chief Executive later confirmed that the company had been the target of a “criminal act” which had left almost seven million people without phone signal. The attack caused downtime in the 4G and 5G, television services, voice calling and SMS capabilities of the network. It also caused many vital services that run over the network to stop, including some national ambulance and fire brigade services. Early security work aimed to restore 3G services to critical infrastructure and safeguard customer data.

Critical infrastructure is on red alert across the world as the severity of attacks increases. A panel of cybersecurity experts described how the past two years have changed the cybersecurity landscape forever, making protecting critical infrastructure the number one goal for governments. Attacks referenced included the SolarWinds attack in early 2020, which demonstrated how an attack on one system could go on to affect thousands of systems down the chain. Another was the Colonial Pipeline attack in May 2021, the first major attack that directly affected normal people’s lives through increased prices and panic to find critical fuel. The panel warned that these attacks proved that IT disruptions now directly affect operational technology and industrial control systems – and that critical infrastructure everywhere should be ready to protect itself.