You don’t need anyone to tell you that a single data breach could put you out of business.
According to a recent IBM report on the material impact of commercial data breaches, the average cost of a single breach approaches $4 million. In the United States, the average cost approaches $9 million – an artefact of a strong U.S. dollar and the relative value of U.S.-based records. The most expensive industry for data breaches is healthcare, at nearly $7 million worldwide – again, reflecting the relative value of compromised healthcare records.
The extent of the standard data breach is vast; according to IBM, the average breach involves nearly 26,000 records. That is a far cry from the millions of records caught up in the violations that make national or international headlines, to be sure, but it is still unimaginably disruptive for small and midsize enterprises without the resources to mount effective internal responses.
When the stakes are this high, what’s a corporate decision-maker to do?
For starters, invest in basic precautions, like a comprehensive cloud backup solution and a commercial-grade anti-malware suite with multi-point threat detection. Such investments prevent unsophisticated breaches and may mitigate the damage associated with others.
Unfortunately, there’s no way to guarantee protection against every IT security threat out there. The threat landscape is rapidly evolving, forcing “white hat” security professionals to adjust on a near-continuous basis. This is an arms race with no clear winner, which is a real problem for non-technical organizations caught in the middle.
Ultimately, the best protection against the confounding matrix of IT threats is knowledge. If there’s no way to achieve total protection, it’s at least possible to recognize and parry the vast majority of common threats.
Expect these 16 to be among the most vexing you’ll face in the coming year.
1. Out-of-Date Software That’s Fundamentally Un-patchable
Beyond the IT security precautions described above (investing in cloud backup and keeping your anti-malware suite up to date), take this next step to outsmart opportunistic hackers: up-version all enterprise software regularly, preferably in line with the publisher’s recommended upgrade schedule.
Wait too long to update software, and you risk outlasting the publisher’s allotted lifecycle. At a certain point, software publishers simply stop releasing patches and updates for older versions, leaving their products vulnerable to compromise. These days, most patches are applied automatically, but that does you no good when you fail to hew to basic version control standards.
2. AI-Aided Ransomware Attacks
Ransomware is a pervasive, growing threat, so completely preventing ransomware attacks is difficult. It is made more difficult, too, by the deftness of new strains of ransomware that use AI to undermine victims’ defences (or to compel victims to download malicious code). In this case, as in so many others, mitigation is the best defense: with full, recent backups, you’re less likely to lose mission-critical data to ransomware attacks.
3. Fast-Moving Worms
In recent years, some of the most devastating malware attacks have been aided by fast-moving worms built to undermine a slew of cyber defenses. The WannaCry ransomware attack, which experts believe originated with North Korean intelligence, spread on the back of a sophisticated worm that (figuratively) tunneled its way through the global Internet in record time.
The collateral damage was vast, though individual victims’ experience of WannaCry depended on their degree of preparation for ransomware attacks – another point in favor of frequent backups. You won’t find many IT security experts willing to bet that WannaCry will be the last globe-spanning, worm-aided ransomware attack.
4. Insecure BYODs
Bring Your Own Device (BYOD) has pros and cons. On balance, most employers accept the inherent risk of personal device use in the workplace; the convenience, efficiency, and cost-effectiveness outweigh the downsides.
But those downsides are not trifling. If you plan to switch over to BYOD in the coming year, or you’re grappling with a standardized security framework for your entire BYOD ecosystem, you’ve got some work to do. The risk posed by each BYOD endpoint will only grow as IT security threats multiply and complexify.
5. Committed Insiders
An unfortunate IT security adage goes something like this: If they want badly enough to hurt you, they will.
Upon hearing this, most minds go directly to sophisticated nation-state attackers with virtually unlimited resources. And well they should. We’ll treat the dangers of nation-state attacks in a moment.
But the typical small or midsize business should devote just as much bandwidth, if not more, to a closer adversary: the malicious insider.
Malicious insiders’ motivations are beyond the scope of this article; for those interested to learn more, ObserveIT has a good treatise here. Suffice to say that malicious insiders often believe that they’re acting either in their own best interests or in the service of something greater than themselves. Either way, they’re extremely motivated to cause harm; more importantly, they believe the harm they aim to cause is justified.
Despite their persistence, malicious insiders can be countered. The key is to subject everyone inside your organization to Panopticon-like surveillance. Done properly, this sort of all-encompassing surveillance creates a situation in which none of your employees, vendors, and others with access to your internal systems knows for sure that they’re not being watched at any given time.
6. Nation-State Attackers
WannaCry is just one marcher in an endless parade of sophisticated nation-state attacks that have laid entire industries low.
Beyond their origins, characterizing nation-state attacks is a fool’s errand. Some, like WannaCry, seem only to want to watch the world burn (so to speak). In contrast, others have an explicit purpose, including the infamous Sony Pictures hack of 2014, which was widely believed to be the work of North Korean hackers taking revenge for the studio’s pending release of The Interview, a satirical film mocking the Kim regime.
One thing is true of all nation-state attacks. They are difficult to anticipate and more difficult still to parry. Mitigation is the best medicine here.
7. Sophisticated Spearphishing Campaigns
You’ve heard of phishing, wherein dashed-off and usually poorly written emails attempt to entice recipients to click malicious links or reply with valuable information, like login credentials or bank account numbers. Your email program’s spam filter probably catches most phishing attempts. That’s not to dismiss phishing outright; less sophisticated users frequently fall victim to phishing attacks.
Spearphishing, by contrast, is a universal threat that’s only gaining in importance. Its endless iterations all have one objective in common: enticing recipients to part with sensitive data or credentials. Said recipients are often targeted for their professional station; bank CFOs and corporate controllers are obvious targets as keepers of the keys to their organizations’ financial kingdoms.
The best defense against spearphishing combines education with rigid protocols. Spearphishing attackers may be able to compromise key stakeholders’ accounts with little trouble. Still, when they’re up against tightly defined and closely-held protocols, they’re not likely to know how to ask for what they’re after without arousing suspicion.
8. Mobile App Fraud
Mobile app use is exploding. Unfortunately, from a security standpoint, the space might as well be the Wild West. If you barely have a handle on your BYOD ecosystem to begin with, and you know for a fact that your employees are bringing poorly secured devices to work, you’re guaranteed to face persistent mobile app threats. As soon as possible, it’s on you to institute strict policies around app use on work-approved devices.
9. Insecure Mobile Browsers
Mobile browsing is another weak spot for BYOD, to say the least. If nothing else, require that your employees install up-to-date anti-malware suites on their mobile devices. Encourage employees to use virtual private networks (VPNs); however, be aware that a VPN is not a fix-all (DDoS attackers, for example, often use VPNs to mask the source of their traffic).
10. Insecure Third-Party Vendors
Some of history’s most sensational data breaches originated with insecure third-party vendors. One memorable example: the 2013 hack that compromised millions of Target shopper accounts and wiped billions off the retail giant’s valuation was traced to a regional HVAC vendor’s poorly secured IT system. The vendor was probably an afterthought for Target’s IT security team; it cost the company dearly.
The only solution here is to hold your vendors to the same high standards to which you hold yourself. Depending on your size, you’ll have real leverage here, earning the privilege to (in effect) tell vendors to accept your terms or forget your contract.
11. Insufficient “Eyes on the Street”
The IT talent gap is certain to bite corporate IT departments in 2020 and beyond if it hasn’t already. The world needs more qualified IT security professionals; many techies opt for sexier careers with greater upside despite generous compensation and benefits.
How you address this issue at your own organization depends on the extent to which you’re able to throw resources at the problem. You may have no choice but to rely on outside security partners to a greater extent than you’d like.
12. Domain Spoofing
Back at ground level: Domain spoofing is a lower-profile phishing threat that’s just effective enough to fool otherwise careful users. Domain spoofers use various low-tech tactics to mimic authentic domains, such as slightly altering a URL or replicating a logo, to make the sender of an email appear legitimate. The threat of domain spoofing should be enough to scare you away from clicking links in emails that you’re not expecting.
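One defensive check for the "slightly altered URL" tactic described above, written as an added example (not code from the original article): it normalizes common look-alike characters in a sender's domain and flags anything within a small edit distance of a domain you trust. The trusted domains and the sample "From:" addresses are constructed for illustration.

```python
# Added example (not from the original article): flag sender domains that are
# near-misses of domains your organization trusts. All sample data is constructed.

# Hypothetical allowlist of domains the organization legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Visual substitutions spoofers commonly use; each look-alike maps back to its ASCII original.
# This is a heuristic: a genuine domain containing "rn" will also be normalized to "m".
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "ı": "i", "а": "a", "е": "e", "о": "o"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo the common character substitutions above."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one e-mail address."""
    domain = address.rsplit("@", 1)[-1]
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= max_distance:
            return "lookalike"
    return "unrelated"


# Constructed sample "From:" addresses, as a mail gateway might log them.
SAMPLE_SENDERS = [
    "cfo@example.com",            # genuine
    "cfo@examp1e.com",            # digit 1 standing in for letter l
    "payments@exarnplebank.com",  # "rn" standing in for "m"
    "news@exаmple.com",           # Cyrillic "а" standing in for Latin "a"
    "support@unrelated.org",      # unrelated domain
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:30} {classify_sender(sender)}")
```

A real deployment would feed the gateway's actual sender log into classify_sender and route "lookalike" results to quarantine or user warning banners rather than printing them.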
13. Malicious Miners
Cryptocurrency mining is a big business that requires vast amounts of computing power. Well-funded miners typically have the luxury of setting up their own server farms with dedicated power sources, but budget operations often take shortcuts of questionable legality. One tactic is hijacking hundreds or thousands of personal computers and combining their processing power to create ad hoc mining networks to compete with blue-chip miners.
14. Social Media Phishing
Social media phishing is just as it sounds: old-fashioned phishing with a modern vector. Treat unsolicited messages from second- and third-degree connections with the appropriate degree of suspicion, and never click on links whose provenance you do not absolutely trust. While you’re at it, turn up the privacy settings on your personal social media accounts and encourage your employees to do the same, especially in a BYOD environment.
15. Formjacking
Formjacking is one of those creative threats that, were it not so destructive, you’d almost have to respect. Formjackers hijack eCommerce platforms’ payment systems, quietly stealing customers’ credit card and bank account information without their knowledge. Needless to say, customers don’t appreciate that; if you accept payments online, formjacking represents an existential threat to your business and deserves a disproportionate share of your IT security resources.
16. Man-in-the-Middle Attacks
Of all the IT security threats discussed thus far, the man-in-the-middle attack (MITM) may have the most room to run in the years to come.
Instances range from relatively rudimentary (traffic intermediaries on unsecured networks) to sophisticated and resource-intensive (Stingray devices built to capture cellular and LTE data in urban environments). MITM protection is a matter of vigilance and mitigation. If you suspect that your organization has been victimized, you’ll need to identify and neutralize the source of the attack while simultaneously assessing your loss and implementing your recovery plan.
Are You Ready for the New Normal in IT Security?
Even in an IT security landscape that feels permanently in flux, change is sometimes difficult to spot as it happens. It may seem as if not much changes from week to week or even month to month for those not living on the very front lines. That’s enough to lull otherwise attentive decision-makers into a false complacency.
Some perspective is in order. Amid the seeming constancy of cybersecurity day-to-day, it’s worth remembering that today’s threat landscape would be wholly unrecognizable to someone parachuted into the present day from, say, 2009.
The effect is equal opportunity. Both white hats and black hats have powerful new tools at their disposal: AI-powered cybersecurity protection for the former, AI-enabled ransomware and ever more creative malware vectors for the latter, for example. Both sides live in a new normal that has simultaneously crept up and happened all at once.
As we reflect on the decade that was and look ahead to the decade that will be, we must expect that the IT threat landscape will change to a similar or higher degree in the 10 years to come. Our long-term strategic plans must anticipate new realities of which we can scarcely conceive at present.
In the meantime, we must all prepare for the new normal in IT security. The black hats certainly are.