Security & Compliance

Cybersecurity in 2023: User Management Can Make the Difference

If you thought that the recession is the only problem that B2B businesses are facing in 2023, think again. Cybersecurity has become even more challenging with the recent spike in attacks on a wide range of European and North American entities.
Let’s check out the main ones and understand how good user management can make the difference. 

The Attacks are Multiplying

Cybercrime has been part of the online business world for decades. As per a recent Cybersecurity Ventures report, the total cost of cybercrime crossed the $7 trillion mark in 2022. The worrying issue is that the current geopolitical situation is triggering a spike in attacks on European and US-based businesses. Major compromises have been disclosed almost weekly since January.

Here are just a few examples of cyber attacks from recent weeks.

  • Zendesk – The popular SaaS company started notifying affected customers in January after several of its employees were manipulated through SMS phishing (smishing). No official announcement has been made so far.
  • KLM and Air France – Flying Blue customers coming back from the holidays learned that their personal information was exposed and their accounts were locked for safety reasons after hackers gained access to sensitive databases. 
  • The Royal Mail – Just a week into the new year (2023), Britain's Royal Mail admitted that its online services had been hacked. The LockBit ransomware gang gained access and encrypted data, disrupting the company's international deliveries. 
  • MailChimp – A few days later, this SaaS company fell prey to a cyberattack in which employee accounts were compromised. The attackers used social engineering against employees and contractors to reach an internal support tool and customer account data.
  • Multiple US Hospitals – January concluded with news about 14 US-based hospitals being successfully targeted by a series of DDoS attacks. The motive is believed to be geopolitical and no medical records were leaked.

These are not isolated incidents. Data breaches have been reported by organizations like The Guardian, PayPal, T-Mobile, Ticketmaster, NortonLifeLock, Puma, and a chain of Toronto-based hospitals over the last couple of months.

The Traditional AppSec Toolbox is Flawed

I don’t think that any business underestimates the cybersecurity side of things. More often than not, traditional safeguards and best practices are in place. The problem is that none of these are silver bullets, and on their own they no longer deter attackers. 

Here are some AppSec toolkit essentials that are being used today:

  • Web Application Firewalls (WAFs) – The WAF has been around for decades and is still seen as an effective deterrent in many cybersecurity circles. But the bitter truth is that WAFs can often be bypassed with modest effort. Check out the proof of concept published by ethical hacker Rafay Baloch, who bypassed the XSS filters of several widely deployed WAFs with little effort. A WAF is a layer in front of the application, not a fix for the vulnerable code behind it. 

  • Third-Party Application Security – The SolarWinds, Ticketmaster, and British Airways incidents brought supply-chain attacks to the forefront. These attacks happen when a trusted third-party component (a vendor's build pipeline, a hosted script, a SaaS integration) is compromised and used as a foothold into the ecosystems connected to it. The problem is that these components run inside your trust boundary while their code, build process and hosting are outside your control, so the perimeter is hard to draw, let alone secure.

  • Penetration (Pen) Testing and Manual Audits – Pen testing is a proven method for finding exploitable weaknesses. Unfortunately, it is expensive to do on a regular basis, and the results depend directly on the time budget and on the tester's skill and experience. A test also only describes the system at the moment it ran; the next deployment can reintroduce what was fixed.

All in all, having a traditional AppSec toolkit is a good start, but will not make you immune to cybercrime. There are simply too many exploitable weak human links, coding vulnerabilities, and third-party blind spots out there today.

So what can be done to elevate cybersecurity standards?

Cybersecurity and User Management Go Hand in Hand

Traditional AppSec is only skin deep because it doesn’t address the most exploited weak link – the human one. Phishing, smishing and other social-engineering techniques are frequently the initial access vector in the incidents listed above. This is exactly what SaaS businesses need to understand before creating a robust security strategy. So what are the best ways to protect user privacy and data security today? 

  • Multi-Factor Authentication (MFA) – MFA is being seen as a SaaS essential as of late, and this is completely understandable. Not only does it allow better access control, it limits what an attacker gains from a password leaked through a third-party breach. It also allows a lot of flexibility in the user experience – you can use it with biometric methods and with Single Sign-On (SSO) flows.

    Microsoft has reported that MFA blocks over 99% of automated account-compromise attacks: credential stuffing, password spraying, brute force, and bulk phishing, and a keylogged password alone no longer gets the attacker in. The caveat is that code-based MFA (SMS, e-mail or TOTP codes) can be relayed in real time by adversary-in-the-middle phishing kits and does nothing against stolen session cookies, so for administrators and other high-value accounts the target should be phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys.

  • Passwordless Flows – These flows remove the password entirely. With two-thirds of Americans reusing the same password across multiple accounts, that alone eliminates the credential-stuffing and reuse risk. Note that a passwordless flow is not automatically multi-factor: a magic link (by e-mail and/or mobile) is a single possession factor whose strength is that of the user's mailbox or phone, so it should still be paired with a second factor for sensitive actions. Magic links for low-risk sign-in and device-bound methods such as the passkeys Google offers are your best bets.

  • Granular Role and Permission Management – Role-Based Access Control (RBAC), with permissions kept granular and deny-by-default, controls who can reach which systems and data. By managing this through a self-served user management platform, you can revoke or modify permissions on the go; make sure the check happens at request time against current roles, not only at login, so a revocation takes effect immediately rather than when the session expires.
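For the MFA bullet above, here is what a server-side TOTP check looks like, as an added example that is not from the article: it implements RFC 6238 with only the Python standard library, accepts one step of clock skew, and refuses any time step it has already consumed, which is the replay protection many homegrown implementations forget. The names hotp, totp and TotpVerifier and the demo seed (the RFC 4226/6238 test key "12345678901234567890", shown in base32) are this example's own.

```python
# Added example, not from the original article: server-side verification of
# RFC 6238 TOTP codes using only the standard library. The names below
# (hotp, totp, TotpVerifier) are this example's own; the demo seed is the
# RFC 4226/6238 test key "12345678901234567890".
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30        # seconds per time step (RFC 6238 default)
DIGITS = 6
SKEW_STEPS = 1   # also accept the previous and next step to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Per-user verifier that remembers the last accepted time step, so a code
    that was phished or shoulder-surfed cannot be reused inside its window."""

    def __init__(self, base32_secret: str) -> None:
        # Enrollment usually hands the seed to the authenticator app as base32.
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        self._secret = base64.b32decode(padded)
        self._last_counter = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if counter <= self._last_counter:
                continue  # already consumed: reject replays even inside the skew window
            expected = hotp(self._secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(v.verify("287082", now=59))   # first use at T=59: True
    print(v.verify("287082", now=59))   # replay of the same code: False
```

Two things worth noticing: the comparison is constant-time, and the verifier only proves that whoever typed the code holds the seed at that moment. A phishing proxy relaying the code within its 30-second step passes this check just as well, which is the limitation discussed above and the reason WebAuthn is preferable for high-value accounts.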
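The passwordless and RBAC bullets above, as one added example that is not the article's own code: a small in-memory service that issues single-use, expiring magic-link tokens and stores only a keyed hash of them, plus a deny-by-default role policy in which revocation takes effect on the next permission check. The class names, the pepper value and the sample users are assumptions made for this demo.

```python
# Added example, not from the original article: a minimal in-memory
# user-management backend combining (1) single-use, expiring magic-link
# tokens and (2) deny-by-default RBAC whose grants can be revoked at any time.
# Class names, the pepper value and the sample users are this example's own.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

TOKEN_TTL = 600  # seconds a magic link stays valid


@dataclass
class PendingLogin:
    email: str
    token_hash: bytes
    expires_at: int


class MagicLinkService:
    """Only a keyed hash of each token is stored, so a leaked table does not
    yield working links; a token is bound to one e-mail, expires, and is
    deleted on first successful use so a forwarded or replayed link fails."""

    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper                        # server secret, never in the DB
        self._pending: Dict[str, PendingLogin] = {}  # keyed by token id

    def _hash(self, token: str) -> bytes:
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).digest()

    def issue(self, email: str, now: int) -> str:
        token_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        self._pending[token_id] = PendingLogin(email, self._hash(token), now + TOKEN_TTL)
        return f"{token_id}.{token}"                 # would be embedded in the e-mail

    def redeem(self, link: str, email: str, now: int) -> Optional[str]:
        """Return the authenticated e-mail address, or None on any failure."""
        token_id, _, token = link.partition(".")
        pending = self._pending.get(token_id)
        if pending is None:
            return None
        if now > pending.expires_at:
            del self._pending[token_id]              # expired: drop it
            return None
        if not hmac.compare_digest(pending.token_hash, self._hash(token)):
            return None
        if pending.email.lower() != email.lower():
            return None                              # link presented for another account
        del self._pending[token_id]                  # single use
        return pending.email


class AccessPolicy:
    """Deny-by-default RBAC: a permission exists only through a role, and checks
    read the current role set so a revocation applies on the very next request."""

    def __init__(self) -> None:
        self._role_perms: Dict[str, Set[str]] = {}
        self._user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, *perms: str) -> None:
        self._role_perms[role] = set(perms)

    def grant(self, user: str, role: str) -> None:
        if role not in self._role_perms:
            raise ValueError(f"unknown role {role!r}")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self._user_roles.get(user, set()).discard(role)

    def permissions(self, user: str) -> Set[str]:
        roles = self._user_roles.get(user, set())
        return set().union(*(self._role_perms.get(r, set()) for r in roles))

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)


def demo() -> Dict[str, object]:
    """Run the login-then-authorize flow end to end and return the outcomes."""
    links = MagicLinkService(pepper=b"demo-pepper-rotate-me")
    policy = AccessPolicy()
    policy.define_role("billing_viewer", "invoices:read")
    policy.define_role("billing_admin", "invoices:read", "invoices:refund")
    policy.grant("alice@example.com", "billing_admin")
    link = links.issue("alice@example.com", now=1_000)
    out: Dict[str, object] = {}
    out["login"] = links.redeem(link, "alice@example.com", now=1_100)   # e-mail address
    out["replay"] = links.redeem(link, "alice@example.com", now=1_101)  # None
    out["can_refund"] = policy.allowed("alice@example.com", "invoices:refund")
    policy.revoke("alice@example.com", "billing_admin")
    policy.grant("alice@example.com", "billing_viewer")
    out["can_refund_after_revoke"] = policy.allowed("alice@example.com", "invoices:refund")
    out["can_read_after_revoke"] = policy.allowed("alice@example.com", "invoices:read")
    return out
```

The design choices map onto the failure modes of real magic-link deployments: the token never sits in the database in usable form, the link cannot be redeemed from a different account, and a second click on the same link fails. On the RBAC side, `allowed()` recomputes permissions from the live role assignment, which is what makes the "revoke on the go" promise hold for sessions that are already open.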

It’s also important to encrypt data, which the major privacy and security regimes in effect today – GDPR, HIPAA, CCPA, and others – either expect or explicitly mandate. This covers data in transit and data at rest, including backups and logs. You should also practise data minimisation: don't retain sensitive data once it has been processed, because data you no longer hold cannot be stolen. 

So let’s wrap this up…

I wish to clarify that MFA is no silver bullet, because no such thing exists in cybersecurity. But it’s definitely an effective and useful component to have in your AppSec toolkit today. With implementation being relatively easy, quick and inexpensive, there is little reason not to have an MFA flow in your application or service. So let’s make life tough for the hackers, shall we?

Only a proactive approach will help you survive in 2023 and beyond. Stay safe!