Outside The Perimeter: The New Digital Risk Landscape
I recently sat down with Alastair Paterson, CEO of Digital Shadows (our portfolio company), to discuss the challenges his company is solving.
Check out the recording here or read below for Alastair’s insights:
Ryan Floyd: Against the current background of digitalization and the rapid uptake of SaaS, the opportunity for hackers has continued to grow. That’s why today, I’d like to address the top cybersecurity threats outside the network perimeter. Can you tell us about your founding story, Alastair?
Alastair Paterson: That’s exactly why we set up Digital Shadows. We were worried about companies’ expanding digital footprints outside the perimeter, particularly as they’re adopting the cloud, mobile and social media as part of their digital transformation. We monitor their digital footprints and identify risks to their business. Are they leaking data online? Are fraudsters impersonating their brand online? Do they face threats on the dark web, criminal marketplaces, or discussion forums?
Ryan Floyd: How much of the current risk is down to the individual employee or the company?
Alastair Paterson. I think the employees are part of the attack surface in many ways now.However, we’re looking at these threats from a corporate perspective.That does includeVIPs across the business, but employee-led risk constitutes just one part of their overall exposure.
On the question of how to prevent data leakage, it’s important to remember that much of it is accidental. Sometimes employees post things online that shouldn’t be there, for example engineers sometimes hard-code passwords into their commits into coding sites like Github, leaving them accessible to attackers. VIPs are targeted and employees are having their credentials breached and leaked online. We closely monitor all of these risks.
Ryan Floyd: After the pandemic, we’re all working remotely, and the attack vector is more serious than it was before. I have lots of individuals at home on my own network, and I worry about the exposure this creates. What trends have you noticed recently?
Alastair Paterson: I think the pandemic has accelerated forces that were in play already. Yes, there is more remote working. Today, everybody is outside of the perimeter. They have been for the last couple of years. There has been a clear trend of VIP exposure. People accustomed to working from corporate networks, with robust IT security around them, were suddenly stuck at home figuring out how to make VPNs work.
More than ever, companies need to understand their attack surface. We’ve seen a definite increase in phishing attacks against VIPs, as well as accidental exposure to businesses.
Ryan Floyd: Not long ago, you could simply walk down the hallway to assign tasks to a colleague or employee face-to-face. Now, everything is happening online or by email. The potential has grown tremendously for bad things to happen.
Alastair Paterson: Yes, and I think that’s particularly true for legacy companies that were forced to adopt the cloud very quickly, sometimes overnight. They don’t have cloud IT expertise on hand when they need it now, just at a time when security issues for cloud computing and the mobile digital platform are more critical than ever.
It’s a different world, with a different set of risks. The current ransomware epidemic has brought the dark web to public attention, but I would urge people to avoid scary hype and keep that threat in proportion. The most active criminal sites are still on the open Internet.
Ryan Floyd: People forget that security impacts sales and engineering, too. It’s an issue that hits every part of the organization.
Alastair Paterson: Yes, and that’s partly why, if you’re attempting to sell to the biggest companies in the world today, you’re sure to be faced with security assurance questionnaire. An answer like, “I don’t have one of those” simply won’t cut it! The big guys are worried about third-party risk. You’re part of their supply chain, and they’re sharing sensitive information with you. How do they know you can be trusted with their data?
To make the sale today, you need some kind of security program in place. The better it is, and the more accreditation you have around it, the quicker you can move through the sales cycle.
Ryan Floyd: Most people think of phishing attacks as largely unsophisticated and easily identifiable. But today, they are very cleverly directed at VIPs and other high-value targets. We know the consequences of phishing attacks can be very severe. How should companies tackle that threat?
Alastair Paterson: With phishing, the level of sophistication has increased significantly. But you’d be surprised at the effectiveness of even the more unsophisticated phishing attacks when they’re carried out at scale. The digital footprints left by companies online can be used against them.
We know there have been a lot of data breaches. In fact, we have a store of 25 billion credentials. Criminals with access to the right information can build that into automated tools and scripts that are readily available online, launching attacks against their target using the credentials released in other data breaches.
VIPs are often targeted with a so-called spearfishing or whaling attack. For example, if criminals know the CEO is on vacation, they could email one of her employees pretending to be the CEO and ask them to transfer some money. If the CEO has intermittent access to their inbox or cell phone outside of the office and is hard to reach, employees may be unable to double-check with them before complying. Attackers re good at making it seem urgent and will research them in advance to make the comms more plausible, even find their favorite sports team or other pastimes to reference in their emails. There are many different ways to build a more convincing case by exploiting the information freely given online.
We’ve seen some interesting examples. An Italian football club was persuaded to send the transfer fee for a new player to cybercriminals rather than the receiving club. The attacker knew the established format for transfer documents, so they sent a copy with their own bank details.
In another attack on a construction company, criminals approached some low-level accounting people for a list of overdue invoices. The attackers then wrote to all of those creditors, impersonating the debtor but forwarding their own account details, warning them that they were overdue. The targets were rushed and didn’t check. In this way, the bad guys made a ton of money without having to cross the bar of getting the CFO to sign off on a big transaction directly.
Ryan Floyd: I understand that finance is your number one vertical, with tech second. Why is the tech sector so attractive to attackers?
Alastair Paterson: Anybody holding sensitive data is a target. Above all, you need an incident response program in place and to understand your attack surface, your assets, and your infrastructure. You must plan ahead for all eventualities and know what you will do when a breach occurs.
This post originally appeared on Digital Shadows’ blog. The interview is based on the #AskAVC channel’s video.