How COVID and Web3 have changed cybersecurity

Published on April 25th, 2022


Where there’s money and opportunity, you’ll find cyberattackers. And with the nature of the web and the world at large shifting quickly, hackers are finding lots of opportunity lately.

A few macro trends are colliding, from a shift in the architecture of the Web to the fact that for manufacturers who make COVID vaccines and personal protective equipment (PPE), there is zero tolerance for downtime. At a recent event on hybrid cloud sponsored by Fast Company and IBM, cybersecurity experts convened for a virtual panel titled “Privacy Anywhere, Security Everywhere.” Here are four takeaways from their discussion:

1. Hackers follow the money, and right now, that’s in manufacturing.

Financial services have topped the list of the most-targeted industries for as long as veteran expert Mary O’Brien, general manager of security at IBM, has been in the business. But that has changed. “For the first time in my tenure, manufacturing was the most targeted industry in 2021,” she says. “That’s because bad actors are following the money. And there was such an intolerance to downtime, to being offline, [because we needed to be] able to produce vaccines, PPEs, and all the things required the last couple of years.”

That is, attackers knew those items were desperately needed—and suspected manufacturers could be more likely to pay up if their systems were held for ransom. And, according to O’Brien, ransomware was indeed the “predominant attack type” in 2021.

2. Web3 is brand new, but it’s already a target.

Although manufacturing usurped financial services as the most targeted last year, O’Brien says the typical high number of attacks on financial firms “remained steady.” Syed Ali, partner and co-head of the Global Cybersecurity Advisory at Bain Capital, added that a specific subset of this industry is under particular attack. “There’s been a lot more interest [from hackers] in going after Web3 companies, particularly those participating in crypto exchanges or doing decentralized finance,” Ali says.

As he explained, the current decade-old iteration of the internet—called Web 2.0—is built on accessing content that is located on one or a few central servers. The next version, called Web3, is focused on decentralizing content: spreading data across a wide, distributed network of machines. Blockchain technology and cryptocurrency are notable examples of this newer architecture.

“In 2021 there were a lot of successful attacks in going after decentralized finance organizations, crypto wallets and exchanges, as well as large banks,” Ali says. “We saw a number of attacks that successfully either exfiltrated customer-controlled data…or actually stole cryptocurrency.”

3. Humans remain the weak link, so security must be an imperative for every employee—not just the IT folks.

While some cyberattacks are highly sophisticated or exploit vulnerabilities in software, O’Brien says a huge percentage still happen through two human-related vectors: compromised credentials and phishing emails. Ali says that Bain has also witnessed a spike in malware downloaded through fraudulent mobile apps and so-called social engineering tactics that convince employees to hand over access or passwords.

He added that companies should also follow a data-hygiene policy of sharing assets only with the employees who truly need it—and only when they need it. “There’s been a lot of focus in terms of making sure that all the foundational best practices around endpoint security, network security, et cetera, are being followed,” Ali says. “But we also [need to be] very cognizant of what data we have access to, who has access to it, for how long, and ultimately, where it’s stored.”

For Anil Bhatt, global chief information officer at healthcare company Anthem, Inc., these persistent truths in the cybersecurity world highlight that security cannot be just the purview of the CISO in the corner office. “The way we look at it is that cybersecurity…is not one person’s responsibility,” he says. “It’s a collective responsibility for all of us.”

Anthem makes clear to all its employees that security is a top business imperative for everyone. “Security is a clear responsibility for every associate,” Bhatt adds. “We empower our associates to take an active role in our company’s security commitments.… It begins with educating our internal employees, partners, and members about how relevant the risks are and how we need to react to those on a day-to-day basis.”

4. “Good” security often means staying a step ahead of regulatory compliance.

Attackers move far faster than the wheels of the legislative branch, all three panelists agreed, so while staying compliant is important, it’s also not enough. “Compliance mandates give good guardrails and they keep us honest, but from my point of view, they’re retrospective and they’re not fast enough,” O’Brien says. “You need to be ahead of the threat, with good threat intelligence and artificial intelligence…to really pinpoint the threat that’s going to cause most damage. You need to really understand where your critical assets are, how they’re protected, [and] monitor and track any access to [them].”

Bhatt agrees that regulatory policy establishes a baseline, but that most companies need to build on that foundation. “Our approach, frankly, is to evolve with the landscape and the threat landscape in general,” he says. “Regulations will never cover every scenario…so we need to make sure we are continuously educating our stakeholders. We cannot regulate ourselves into security.”
