Ten years ago, you could, to some extent, get away with not paying much attention to security. This worked if you were not in certain sectors or didn’t have a certain profile, and if you were lucky. That held until a few years ago.
For everyone, the impact of potential security incidents has increased. Worse: their likelihood has increased too. What changes caused this? In our view, they roughly fall into three buckets: changes in regulations, changes on the defenders’ side and changes on the attackers’ side. We discuss each of these below.
Changes in the regulatory landscape
Regulation of cybersecurity activities in the private sector has increased in the past decade with the following notable examples.
- In 2016, the Dutch National Bank introduced TIBER, the CBEST-inspired testing framework for financial institutions, which was later adopted at EU level and also inspired spin-offs such as the Zorro framework for the healthcare sector, which is currently in its early stages.
- 2016 also saw the introduction of the NIS directive, whose scope included operators of essential services and digital service providers.
- In 2019, the GDPR was implemented in the Netherlands. This privacy regulation also includes a few articles that relate to security, as well as potentially hefty fines in case of non-compliance and/or incidents.
- Most recently, in 2022, the Digital Operational Resilience Act (DORA) was adopted, which will apply to the financial services industry and will come into effect in 2025 in the Netherlands.
- And soon, NIS will be superseded by NIS2, with a wider scope and stricter rules.
Regulations function as sticks: they increase the pain of incidents or non-compliance. The effect of the changes described above is that organisations already under oversight will see increasingly strict rules, and many organisations that previously operated without oversight now fall under it. For most organisations this will mean an increased focus on governance and preventive measures.
Changes in attack surface
Our collective attack surface has also changed over the years. The most notable change is that slowly, but steadily, organisations have been moving parts of their operation to the cloud: from early and easily adopted SaaS solutions (email, CRMs, etc.) to more complex situations where whole infrastructures have been moved into the cloud.
Often “moving to the cloud” has a positive effect on your attack surface: compare having to manage your own Exchange servers to a Microsoft 365 subscription. From a security point of view, most organisations don’t have much reason to choose the former. But on the IaaS and PaaS side too, moving to the cloud is often a net positive. In general, cloud providers are more on top of things than most of their customers.
Another net positive is the adoption of no-code and low-code build environments. These have resulted in less vulnerable applications. Of course, they are not entirely hands-off: there are still configurations to take care of and business logic to get right. But overall, they represent a positive change.
Other developments have been a net negative.
- More organisations produce more code that changes more often. This is great for business, but it introduces security risks even with a rock-solid SDLC in place.
- Infrastructure changes are easier in the cloud than on bare metal, which means infrastructures tend to be more fluid now than they used to be.
- Increased automation and integration mean more APIs.
Added up: an attack surface that grows and changes more often. And that means an increased likelihood of incidents.
Changes in threats
The most impactful changes happened on the side of financially motivated threat actors. Ten years ago, many attackers either targeted banks’ customers and stole their money using banking trojans, or attacked organisations and aimed for credit card information or PII. The emergence of ransomware around 2012 was a game changer in the field. It allowed for a relatively good return on investment, and with the use of virtual currencies such as bitcoin, criminals moved their transactions out of the financial system. Ransomware was successful and exploded in the criminal scene.
On top of this came the pivot in 2017 and 2018 to extorting organisations rather than individuals at home. Gone were the days of a criminal carrying out an attack for 400 dollars. Extorting an organisation could net a few hundred K (in the early days) to a few million (right now). Serious return on investment. Since then, criminals have added the threat of exposing confidential information as a second method of extortion. And most recently, as a third method, they extort their victim’s clients or customers with the threat of exposing sensitive information that pertains to them.
The impact on the world can hardly be overstated. Ransomware changed from a consumer-grade threat to one that could affect any organisation, anywhere, anytime. Now, in 2023, ransomware is still the number 1 threat for most organisations. A threat with devastating consequences once it materializes.