European Cyber Security Month shines a spotlight on the ways that organisations can bolster their data protection practices. The campaign – which is coordinated by ENISA (the EU Agency for Cyber Security) and the European Commission, and supported by national governments and private organisations – offers experts and beginners alike various tools and initiatives to learn more about cyber security.
Insights for European Cyber Security Month 2023
Each year, European Cyber Security Month focuses on a specific theme based on current industry trends. For 2023, the campaign has taken a slightly different approach, vowing to deliver cyber security guidance throughout the year, although October will remain its “highlight month”.
But what trends are worth highlighting this year? In this article, we bring you five insights that can help your business tackle the threat of cyber crime.
1. Phishing remains a top priority
It’s a perennial subject of European Cyber Security Month, and for good reason. Phishing emails are among the biggest cyber security risks that organisations face, with Verizon’s 2023 Data Breach Investigations Report estimating that they were responsible for 36% of all data breaches.
The techniques that scammers use are constantly evolving, so it’s essential that you stay up to date with the latest trends. Some cyber criminals exploit newly discovered technical weaknesses, while others find success by adjusting their pretexts.
For example, researchers have discovered an alarming rise in QR code fraud, also known as ‘quishing’. These attacks work in much the same way as traditional phishing, with scammers tricking people into handing over sensitive information or downloading malware. But quishing exploits the growing popularity of QR codes to access web pages or downloads. From adverts and commercial tracking to restaurant menus and augmented reality systems, QR codes can be found in all sorts of businesses.
Elsewhere, an IRONSCALES report has highlighted the continued effects that the pandemic has on cyber security, with scammers exploiting the communication channels that organisations have deployed to support remote workers. For instance, 44% of respondents said that their video conferencing software had been exploited, while 40% said their workplace messaging platforms were compromised.
2. Artificial intelligence will be key to effective cyber security
Over the past year, artificial intelligence has taken the business world by storm. Following the release of ChatGPT in October 2022, a platform capable of producing content and code in seconds, organisations across the globe have looked to leverage the technology.
Various tools have emerged, from chatbots to highly specialised AI applications. Among the most robust offerings are automated solutions designed to enhance organisations’ cyber security capabilities. At the RSA Conference 2023, Google announced its Cloud Security AI Workbench, which combines a range of new AI-powered tools to find, summarise, and respond to security threats. The same week, Microsoft unveiled Security Copilot, a machine learning assistant that will support its Office apps.
Meanwhile, cyber security researchers have identified other potential uses for AI. This includes aggregating data from past security breaches to identify patterns in attackers’ methods and suggesting measures to counteract these threats.
3. Cyber criminals are also leveraging artificial intelligence
It’s not just organisations that are using AI, though. Scammers have also embraced the technology, as it helps them create convincing text for phishing emails. Researchers at Check Point were among the first to discover this, and in a proof of concept, they demonstrated ChatGPT’s potential uses for cyber crime.
Although the tool is programmed not to publish harmful content, it failed to detect the malicious intent in the researchers’ request for code that will download an executable that “would run the moment the Excel file is opened”. Check Point’s researchers noted that the initial code was flawed, but further instructions produced “working malicious code”.
Since that report was published, ChatGPT has undergone several tweaks, and the team that oversees the language model is continually looking to minimise its ability to produce harmful content or advice. However, cyber criminals are equally adept at outfoxing defensive measures, and ChatGPT will no doubt remain a weapon in their arsenal.
4. The way we use multi-factor authentication is changing
Earlier this year, Twitter removed SMS-based MFA (multi-factor authentication) for non-paying members of its platform. The login mechanism is designed to protect users from scammers, as it means that a password breach alone isn’t enough to compromise their accounts. Attackers also need the second authentication factor, such as the user’s fingerprint or a one-time password sent to their phone.
But when Twitter announced that it was all but scrapping SMS as an authentication method, it pointed to the threat of SIM-swapping attacks, where scammers fraudulently transfer a victim’s mobile phone number to a new SIM card.
This technique has been widely reported on, but many people remain confident that the benefits of MFA outweigh the security risks. Research from the IT service management company Okta found that MFA use has nearly doubled since 2020, while 87% of accounts now use the system.
Criticism of one-time SMS passwords has helped people consider alternative methods. Okta’s report found that greater numbers of people are using alternatives – with push notifications being the most popular by far.
5. Passwordless security could be the future
You needn’t look further than Microsoft for an even more extreme alternative to SMS-based login mechanisms. The tech giant shocked the information security industry when, several years ago, it said it was ditching passwords. “Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks,” it said on its website.
In their place, it introduced ‘passwordless security’, which is essentially MFA but without the initial password factor. Users log in via a push notification, a one-time password or by entering their biometric data. Microsoft said the system was just as secure as traditional MFA, but it didn’t have the inconvenience of having to remember login credentials.
At the time, experts insisted that this wouldn’t be viable, but Microsoft was ultimately proven correct. TechTarget proclaimed that “2023 is the year of passwordless security”, after it commissioned a report that found that 54% of organisations have started a transition to passwordless authentication.
Of those, more than half said they had improved their risk reduction and user experience, while two-thirds said their IT and security tools increased their efficiency.
Cyber security support with Certification Europe
European Cyber Security Month does an excellent job of raising the public’s awareness of data protection, but as the event has demonstrated with its shift to a year-long campaign, it’s not something that you can master in one month.
Effective threat prevention is a continual effort, and organisations that want to commit to better practices should consider ISO 27001. It’s the international standard that describes best practices for information security, and it provides a framework that can help you manage a full range of issues – from phishing scams and password management to the implementation of emerging technologies.
Another way to bolster your security practices is with Cyber Essentials. It is a security framework that contains five basic controls that can protect organisations against 80% of common cyber attacks.
The scheme guidance covers:
Firewalls and router protection
For more comprehensive coverage, you can certify to Cyber Essentials Plus. This advanced version of the framework includes a technical audit, an external vulnerability assessment and additional tests to ensure that the organisation’s systems are fully secure.
Learn more about Cyber Essentials certification.