The meaning of “cybersecurity awareness” changed in some pretty meaningful ways in 2021.
Comprehensive employee security awareness training helps organizations to reduce risky behaviors, build a security-first internal culture and prevent cyberattacks. But what does “security awareness” mean? There were some significant ways in which cybersecurity awareness changed in 2021.
Cyberattacks Impacted Everyday Life
Cyberattacks are no longer an esoteric concept that Americans heard about but rarely experienced firsthand. In September, the Pearson Institute and the Associated Press-NORC Center for Public Affairs Research conducted a survey that found nine in 10 Americans were at least somewhat concerned about cyberattacks and about two-thirds stated they were “very” or “extremely” concerned. Significantly, these concerns cross political party lines.
From the ransomware attack on the Colonial Pipeline that disrupted fuel deliveries in 12 states for several days to a similar attack on meat supplier JBS that caused grocery bills to spike, consumers were made starkly aware of the domino effect of cyberattacks on the companies they do business with.
Critical Infrastructure Security = National Security
Early in the year, an employee for the city of Oldsmar, Florida, reported a watering-hole attack which planted malware on the employee’s computer. This opened the door for a threat actor to compromise a water treatment plant’s network and attempt to poison the city’s water with lye. Thankfully, the intrusion was discovered in time to stop it, but the threat of similar attacks remains. In October, the U.S. Cybersecurity and Infrastructure Agency (CISA) issued an alert to water and wastewater utilities, warning of ongoing attempts by malicious actors to compromise both their IT and operational technology (OT) networks, systems and devices.
Water utilities aren’t the only critical infrastructure at risk. The year 2021 saw a spate of ransomware attacks against hospitals, state and local governments and municipal emergency services. These attacks don’t just cost organizations money; they put human health and lives at risk.
Mistakes Can be Just as Catastrophic as Malicious Attacks
Throughout 2021, cybercriminals, thwarted by improved technical security tools, increasingly turned to zero-day exploits and other vulnerabilities like mistakes made by end users or IT personnel.
In August, dozens of organizations using Microsoft Power Apps, including multinational corporations and government agencies, inadvertently exposed 38 million records. Many of these records included personally identifiable information (PII) such as COVID-19 contact tracing data and job applicants’ Social Security numbers. The problem was with the Power Apps API, which, until quite recently, had been configured to “expose records for display” by default—unless IT personnel disabled it.
More recently, a server misconfiguration combined with a lack of network segmentation enabled cybercriminals to compromise streaming platform Twitch and leak 125GB of company data.
Supply Chain Attacks Put Everyone at Risk
Another method by which cybercriminals get around rigorous security controls at large organizations is to compromise a softer target further down the supply chain, then use this access as a backdoor into their ultimate target. This is an unfortunate side effect of modern, highly distributed data environments where even mid-sized companies typically have hundreds, sometimes thousands of third-party applications, systems and hardware in their IT ecosystems.
Recently, the FBI issued an official warning to U.S. food and agricultural businesses about ransomware attacks within their supply chains, and Microsoft notified over 600 resellers and partners of its Azure cloud service to be on the lookout for “highly targeted attacks” by the same cybercrime group responsible for last year’s SolarWinds breach.
Considering that managed service providers, SaaS developers and other IT service providers have the same distributed data environments as their customers, supply chain attacks have a potentially massive scope.
Businesses Have as Much to Lose as Their Customers
Customer and employee PII aren’t the only digital assets cybercriminals are interested in compromising. Digital intellectual property (IP) and other confidential business information is just as valuable as Social Security numbers—and in many cases, even more so.
While creators’ login credentials and financial information weren’t exposed in the Twitch breach, their earnings on the platform dating back to 2019 were. However, Twitch arguably suffered far greater harm than its creators. Cybercriminals got away with a treasure trove of digital intellectual property including the entirety of Twitch’s source code with full commit history, internal red-teaming tools, proprietary SDKs and AWS services and more.
While some aspects of security awareness are evergreen—such as the dangers of clicking on links in unsolicited email—the threat environment is continually in flux, as is employees’ perception of cybersecurity issues. Security awareness training must be an ongoing process to remain effective.
