Security from the start – tackling future threats head-on
By Stephen De Vries, CEO, IriusRisk
We began 2021 with Microsoft president Brad Smith describing the previous year’s SolarWinds hack as the “most sophisticated attack the world has ever seen”. Cyber criminals don’t rest on their laurels, of course, so there’s every reason to believe attacks will only become more advanced as we enter 2022.
It’s vital, therefore, that companies – especially those in “under threat” industries, such as financial services – take steps to enhance their security posture.
Built-in security
Companies should consider taking a “shift left” approach to cyber security, in which security is built into the design of software and applications, rather than being added as an afterthought. One benefit of embedding security into existing developer workflows in this way is the time and cost savings it delivers; identifying potential security risks early in the design process can speed up time to deployment.
More importantly, though, this approach ensures that software isn’t launched with high-risk design flaws that would need to be fixed in post-development or, worse, that potentially couldn’t be identified at all through application security scanning. Either way, the software would be left vulnerable to exploitation – something that could be avoided with the early visibility that shifting left offers.
Managing insurance premiums
In addition to the threats that cyber attacks represent to a company’s network and the sensitive data it contains, there are also more practical, financial considerations to take into account. Largely due to the growing number of ransomware attacks – and the massive financial pay-outs these have led to – cyber insurers are increasingly looking for ways in which to increase their customers’ premiums.
One way in which companies can potentially bring these costs down is to employ threat modelling, enabling them to see how different scenarios play out. By understanding the risks they face, and just where those risks are, these companies will be better able to mitigate them. Indeed, in an increasingly sophisticated threat landscape, the ability to demonstrate this awareness is likely to become ever more important to cyber insurers in 2022 and beyond.
Identifying and remediating threats
It’s important for businesses, especially those that are at a particularly high risk of attack, to engage with threat modelling as early as possible, in order to understand potential risks before they become incidents.
By combining it with the shift left approach mentioned earlier, organisations can begin threat modelling from day one of development. This will enable them to gain quick wins by rapidly identifying and remediating potential vulnerabilities and speeding up time to deployment, all while ensuring the highest level of security in their products.
Automation will improve the process further. By relieving the burden of security workloads on both security architects and engineers, it leaves companies better able to keep pace with the cadence of software rollouts, and it can suggest the appropriate security mitigations to take as the software evolves. In addition, it can remove the bottleneck commonly created by security testing. By gathering security requirements prior to development, any risks can be mitigated before a single line of code is even written.
Industries at risk
As a result of the financial and personal information they hold, businesses in the financial services industry are the most targeted by cyber criminals, with ransomware a particularly popular attack vector. The banking industry experienced an incredible 1,318 percent year-on-year increase in ransomware attacks in the first six months of 2021. The number of business email compromise (BEC) incidents grew too, with senior executives targeted in phishing attacks designed to trick them into transferring funds or revealing sensitive information.
Unfortunately, a perfect storm of unsecured communications, undetected software vulnerabilities, and a lack of two-factor authentication and general security hygiene among employees means these attacks will only continue to grow if they’re not identified and dealt with early on. The same is true of government software and applications. According to Microsoft’s Digital Defence Report, nearly 80 percent of nation-state attacks in 2021 were targeted at government-related organisations in attempts to steal or compromise highly sensitive data.
Time for action
It’s clear that organisations across a range of industries are facing a serious – and growing – risk of cyber-attack. Speed and visibility are key to identifying and mitigating these risks, to prevent data breaches or businesses being held to ransom, not to mention higher insurance premiums. Threat modelling, built into an organisation’s software from the start, can offer this speed and visibility.
Threats are likely to become even more sophisticated over the coming months. It’s time that businesses everywhere take steps to ensure their security posture is up to the job.