Board members play a critical role in shaping an organisation’s cybersecurity strategy, ensuring it aligns with broader business objectives while fostering a culture of security and resilience. As cyber threat actors continue to pose substantial risks to all organisations, boards and leadership teams are under unprecedented scrutiny. Board members must seize this opportunity to ensure that their organisations are responding effectively to today’s rapidly evolving digital landscape.
Addressing Credential Theft: A Global Threat
Credential theft is a pervasive global problem. Many significant security breaches occur when attackers steal usernames and passwords, referred to as credentials. According to a report published in July by IBM, the average cost of a breach is $4.88 million. However, the impact of security incidents goes beyond financial loss, with potential reputational damage and psychological toll on affected organisations, customers, and partners.
Recent Threat Activities Involving Credential Theft:
- Targeting Snowflake: In April, Google Cloud’s Mandiant identified attackers compromising Snowflake customer instances using stolen credentials. These attackers attempted to extort victims and sell the data on cybercrime forums. The investigation revealed that the stolen credentials lacked proper protection. Learn more about the Snowflake incident and share our threat hunting guide with your security teams.
- Targeting Brazil: Credential phishing is a prevalent threat in Brazil. Google disrupted phishing activity hosted on Google Cloud targeting the region. North Korean actors were found using fake PDFs to steal credentials, and stolen credentials were advertised on Brazilian Portuguese-language underground marketplaces. Read more about cyber threats targeting Brazil.
Deploy Multi-Factor Authentication (MFA)
MFA is a critical defense against credential theft. MFA requires more than a password to access accounts, similar to using both a bank card and a PIN at an ATM. For IT resources, MFA can involve an authenticator app on your phone or a hardware key that you plug into your device. This approach adds layers of security, requiring something you know (a PIN or password), something you have (the phone or hardware key), and possibly even something you are (biometric data like a face scan). With MFA in place, a stolen password is no longer a single point of compromise.
Many organisations, including Google, have already deployed MFA—or are in the process of doing so. The Department of Homeland Security (DHS) and other agencies strongly recommend it as a de facto standard for defending against credential theft.
To significantly reduce the risk of credential theft and account takeover, boards need to ask their CISOs, CIOs, and CTOs how quickly their organisations can deploy MFA. A good starting point is requiring MFA for users with privileges that could be valuable to an attacker, including access to sensitive data.
These investigations highlight the urgent need for credential monitoring, universal enforcement of MFA, secure authentication, alerting on unusual access attempts, and limiting access to sensitive data. Additional best practices include using strong, unique passwords that are difficult for machines to guess and periodically reviewing who has access to ensure that it is still necessary.
Navigating the Quantum Leap: Preparing for Future Cybersecurity Risks
Quantum computing is a rapidly advancing technology that, while still in development, poses significant future risks to current cryptographic systems. If powerful enough, quantum computers could potentially crack the encryption that protects online communication and sensitive data. This could have profound consequences, jeopardising online privacy and the security of the digital world.
Fortunately, there are alternative cryptographic systems, known collectively as post-quantum cryptography (PQC), that offer a secure path forward. The National Institute of Standards and Technology (NIST) has just finalised standards to guide the development of “quantum-safe” cryptographic systems that run on today’s conventional computers.
Board members must understand these risks, empower their CISOs to develop mitigation plans, and stay alert despite the unpredictable timeline for quantum breakthroughs.
Why Act Now?
- Business Impact of Cryptography Failing: Cryptography uses mathematical techniques to transform data, preventing unauthorised access or tampering. Quantum attacks could potentially break the cryptography deployed across systems, compromising the data critical to delivering essential business services.
- Migrating Cryptography Takes Time: Upgrading cryptographic systems is a complex, resource-intensive process that can take years to complete. Although quantum-safe algorithms are available and can be implemented on existing hardware, transitioning to new algorithms and protocols requires significant time and effort.
- Harvest Now, Decrypt Later: Malicious actors are stockpiling encrypted data, such as intellectual property, trade secrets, and sensitive communications, with plans to decrypt it once quantum computing advances. This poses a serious threat to organizations across all industries, making it essential to address quantum risks now.
- Standardization and Upcoming Regulations: Well-recognized standards bodies, including NIST, have just released post-quantum cryptography standards. The White House is also developing directives urging federal agencies to prepare for quantum advancements. New regulations across various industries are anticipated, and Google is actively participating in working groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the PQC Alliance to address these developments.
Preparing for PQC doesn’t need to be managed as a “big bang.” Board members should engage their CISOs, CIOs, and CTOs to develop a post-quantum cryptography strategy. This should include planning for the integration of quantum-resistant algorithms into existing systems, balancing efficiency, scalability, cost, risk, and usability.
Defining Borders in the Digital Age
For organisations operating across multiple jurisdictions, particularly in the public sector and regulated industries, concerns about data privacy and unauthorised third-party data access have led to a wave of new regulations. Boards should be aware that these changes may impact the cost of and access to cloud services.
In recent years, governments worldwide have taken steps to exercise tighter control over data and digital infrastructure—a trend commonly known as digital sovereignty. By 2025, 10% of global businesses will operate more than one discrete business unit bound to a specific sovereign data strategy. Boards should be aware of new regulations that, in some cases, require technology providers to localize data storage and processing within specific territorial boundaries. In other cases, regulations may restrict foreign technology providers from serving customers in critical sectors.
These measures have pushed technology companies, including cloud service providers, to make significant investments in new controls and partnerships with trusted local providers to meet customers where they are. Increased geopolitical instability highlights the risk of service disruptions due to foreign interference or industrial accidents, driving demand for solutions that offer survivability and continuity of operations in crisis scenarios.
Empowering Boards to Strengthen Cybersecurity
Board members have a unique responsibility to influence their organisations’ cybersecurity strategy and foster a culture of security and enablement. They should actively collaborate with CIOs, CTOs, and CISOs, fostering continuous dialogue to adapt to evolving threats and ensure that security practices are robust, scalable, and integrated across the organisation.
By driving the enforcement of cybersecurity best practices, board members can significantly reduce the risk of costly breaches and prepare their teams for future threats. This includes resourcing mitigation plans in preparation for quantum breakthroughs and investing in sovereignty efforts to protect against risks while ensuring compliance.
To combat today’s cybersecurity challenges, organisations must think and act big—and they need board support to do so. Google Cloud remains committed to advancing security by consistently delivering innovative solutions that address the evolving threat landscape. We urge organizations to proactively engage with trusted partners like us to secure their future in an increasingly complex digital world.
Comments
Post a Comment