Understanding today’s cyber threat landscape

What kind of cyber threats are impacting organizations today, and how should business leaders respond? In recognition of Security Awareness Month, I’m pleased to share an interview with Ryan Johnson, PwC’s Chief Information Security Officer for Americas region & Global Cyber Security Lead, where we discuss the cyber threat landscape today.

James Shira (JS): What are you seeing in the cyber threat landscape today?

Ryan Johnson (RJ): The cyber threat landscape really is more complex today than we've ever seen. Our current analysis shows four primary threat categories: ransomware, payment redirection fraud (business email compromise), state-sponsored threats, and cyber criminals. Those threats are targeted against three major aspects of our infrastructure: identity management, cloud infrastructure, and security vulnerabilities. 

Because of this landscape, we are driving a security programme with a Zero Trust approach, which requires security policies built on these three core principles: 

  • Explicit verification - Are we sure you are who you say you are, and operating from a secure device?
  • Least privilege and contextual access - Are we sure you should have access to this? 
  • Assumption of breach - If your account or device is compromised, how do we confirm that compromise is contained?

(JS): We’re seeing more instances of cloud breaches, as well as buzz around ‘unmanaged environments.’ What does this mean and what can people do about it?

RJ: Many breaches (public and non-public) have resulted from ‘shadow IT’ or unmanaged environments that don’t have the same controls and response capabilities as centrally-managed and secured computing resources at the organization. Basically, we can’t protect what we can’t see - which includes cloud environments that are not managed or protected by companies. 

Environments are managed when they have managed patching, incident response, logging, etc. Companies should work to find these environments and either manage them, or decommission them if they’re not needed anymore. 

(JS): As companies develop products both internally and for clients, what do people need to know about the risks facing applications?

RJ: Applications represent a big area where attackers can focus their attention. External apps especially get a lot of attention from attackers. According to the 2022 Verizon Data Breach Investigations Report: “There were a total of 23,896 incidents, 5,212 confirmed breaches, and of those 1,083 were attacks through web applications (20.7%). That ranks web application attacks #2 for both incidents and breaches.” 

People should be very careful about the data that they use. They should make sure that they have the rights to use the data in the first place, and that they protect the data as appropriate. 

(JS): What are we doing to advise C-suite executives?

(RJ): Cyber is the No. 1 business risk, with 40% of all respondents listing more frequent and/or broader cyber attacks as a serious risk (and another 38% calling it a moderate risk). Cyber threats are no longer solely the domain of the CISO, according to the latest PwC Pulse Survey. We’re not only offering technology and tools to support stronger cyber readiness, but we also work to be strategic business advisers with our C-suite. Like us, our clients care about protecting their customer data. Through our own investments in cybersecurity, we develop insights to help clients address many of the challenges we are tackling. 

(JS): Regardless of whether someone works in cybersecurity or not, what are steps people can take today to help protect their organization, employee and client data?

RJ: Increase your internal level of suspicion in relation to the things that come to your email. Choose strong passwords and do not use the same passwords for different sites. You can use password managers to help with this. Anywhere Multi-Factor Authentication (MFA) is available, use it - at home and at work. And lastly, protect your home network and computers (e.g., make sure you have antivirus installed and updated), and exercise the same care at home that you do at work.

(JS): In terms of prevalent threats, we know that people are receiving requests on LinkedIn from people who claim to work at their organization, but some of them are fake accounts. What is the risk here and how can people avoid it?

RJ: The risk to companies when it comes to fake social media accounts of any type is that they may present an opportunity for criminals to elicit confidential information, or may be used as a way to introduce malicious software into that organization. While the motives of the individuals behind these fake accounts are often unknown, we believe they are often used to harvest data on individuals for data brokers to sell to marketing firms or to cyber criminals as target lists.

Typically, these accounts are pretty harmless if you do not interact with them or connect to them in your professional network. If you spot what you believe to be a fake profile, report it directly to the networking service and block the account. 

This is a great share, thank you both!

Khurram Sherwani

Senior Manager, Cyber Security Operations - Service Intake & Enhancement at PwC

2y

Thanks for sharing. Very informative.
