Security
Your Company Could Face These 16 IT Security Threats
You don’t need anyone to tell you a data breach could put you out of business.
According to a recent IBM report on the material impact of commercial data breaches, the average cost of a single violation approaches $4 million. In the United States, the average price comes to $9 million – an artifact of a strong U.S. dollar and the relative value of U.S.-based records. The most expensive industry for data breaches in healthcare, at nearly $7 million worldwide – again, reflecting the relative importance of compromised healthcare records.
The extent of the standard data breach is vast; according to IBM, the average breach involves nearly 26,000 records; this is a far cry from the millions of records caught up in the violations that make national or international headlines, to be sure, but still unimaginably disruptive for small and midsize enterprises without the resources to mount effective internal responses.
What’s a corporate decision-maker to do when the stakes are this high?
For starters, invest in basic precautions, like a comprehensive cloud backup solution and a commercial-grade anti-malware suite with multi-point threat detection. Such investments prevent unsophisticated breaches and may mitigate the damage associated with others.
Unfortunately, there’s no way to guarantee protection against every IT security threat. The threat landscape rapidly evolves, forcing “white hat” security professionals to adjust near-continuously. This is an arms race with no clear winner, a real problem for non-technical organizations caught in the middle.
Knowledge is ultimately the best protection against the confounding matrix of IT threats. Without achieving total safety, it’s at least possible to recognize and parry the vast majority of common hazards.
Expect these 16 to be among the most vexing you’ll face in the coming year.
1. Out-of-Date Software That’s Fundamentally Un-patchable
Take the IT security precautions described above, invest in cloud backup, and keep your anti-malware suite current. Also, take the following action to outsmart opportunistic hackers, up-version all enterprise software regularly, preferably in line with the publisher’s recommended upgrade schedule.
Wait too long to update software, and you risk outlasting the publisher’s allotted lifecycle. Software publishers stop releasing patches and updates for older versions at a certain point, leaving their products vulnerable to compromise. These days, most patches are applied automatically, but that do you no good when you fail to adhere to basic version control standards.
2. AI-Aided Ransomware Attacks
Ransomware is a pervasive, growing threat, so preventing ransomware attacks is difficult. It is made more, too, with the deftness of new strains of ransomware that use AI to undermine victims’ defenses (or compel victims to download malicious code). In this case, as in so many others, mitigation is the best defense: with full, recent backups, you’re less likely to lose mission-critical data to ransomware attacks.
3. Fast-Moving Worms
In recent years, some of the most devastating malware attacks have been aided by fast-moving worms built to undermine a slew of cyber defenses. The WannaCry ransomware attack, which experts believe originated with North Korean intelligence, spread on the back of a sophisticated worm that (figuratively) tunneled its way through the global Internet in record time.
The collateral damage was vast, though individual victims’ experience of WannaCry depended on their degree of preparation for ransomware attacks – another point in favor of frequent backups. You won’t find many IT security experts willing to bet that WannaCry will be the last globe-spanning, worm-aided ransomware attack.
4. Security Vulnerable BYODs
Bring Your Own Device (BYOD) has pros and cons. On balance, most employers accept the inherent risk of personal device use in the workplace; the convenience, efficiency, and cost-effectiveness outweigh the downsides.
But those downsides are not trifling. If you plan to switch to BYOD in the coming year or grapple with a standardized security framework for your entire BYOD ecosystem, you’ve got some work to do. The risk posed by each BYOD endpoint will only grow as IT security threats multiply and complexity.
5. Committed Insiders
An unfortunate IT security adage goes like this: If they want badly enough to hurt you, they will.
Upon hearing this, most minds go directly to sophisticated nation-stake attackers with unlimited resources. And well, they should. We’ll treat the dangers of nation-state attacks in a moment.
But the typical small or midsize business should devote just as much bandwidth, if not more, to a closer adversary: the malicious insider.
Malicious insiders’ motivations are beyond the scope of this article; for those interested to learn more, ObserveIT has a good treatise here. Suffice it to say that malicious insiders often believe they’re acting either in their best interests or in the service of something greater than themselves. Either way, they’re highly motivated to cause harm; more importantly, they believe the damage they aim to generate is justified.
Despite their persistence, malicious insiders can be countered. The key is to subject everyone inside your organization to Panopticon-like surveillance. Done correctly, this all-encompassing surveillance creates a situation where none of your employees, vendors, and others with access to your internal systems knows they’re not being watched at any given time.
6. Nation-State Attackers
WannaCry is just one marcher in an endless parade of sophisticated nation-state attacks that have laid entire industries low.
Beyond their origins, characterizing nation-state attacks is a fool’s errand. Some, like WannaCry, seem only to want to watch the world burn (so to speak). In contrast, others have an explicit purpose, including the infamous Sony Pictures hack of 2014, which was widely believed to be the work of North Korean hackers taking revenge for the studio’s pending release of The Interview, a satirical film mocking the Kim regime.
One thing is true of all nation-state attacks. They are difficult to anticipate and more difficult still to parry. Mitigation is the best medicine here.
7. Sophisticated Spearphishing Campaigns
You’ve heard of phishing, wherein dashed-off and usually poorly written emails attempt to entice recipients to click malicious links or reply with valuable information, like login credentials or bank account numbers. Your email program’s spam filter probably catches most phishing attempts. That’s not to dismiss phishing outright; less sophisticated users frequently fall victim to phishing attacks.
Spearphishing, by contrast, is a universal threat that’s only gaining in importance. Its endless iterations all have one objective: enticing recipients to part with sensitive data or credentials. Said recipients are often targeted for their professional station; bank CFOs and corporate controllers are apparent targets as keepers of the keys to their organizations’ financial kingdoms.
The best defense against spearphishing combines education with rigid protocols. Spearphishing attackers may be able to compromise critical stakeholders’ accounts with little trouble. Still, when they’re up against tightly defined and closely-held protocols, they’re not likely to know how to ask for what they’re after without arousing suspicion.
8. Mobile App Fraud
Mobile app use is exploding. Unfortunately, from a security standpoint, space might as well be the Wild West. If you barely have a handle on your BYOD ecosystem, to begin with, and you know for a fact that your employees are bringing poorly secured devices to work, you’re guaranteed to face persistent mobile app threats. You must institute strict policies around app use on work-approved devices as soon as possible.
9. Insecure Mobile Browsers
Mobile browsing is another weak spot for BYOD, to say the least. If nothing else, require that your employees install up-to-date anti-malware suites on their mobile devices. Encourage employees to use virtual private networks (VPNs); however, be aware that it is not a fix-all because DDoS attackers often use VPNs to mask the source of their traffic).
10. Insecure Third-Party Vendors
Some of history’s most sensational data breaches originated with insecure third-party vendors. One memorable example is the 2013 hack that compromised millions of Target shopper accounts and wiped billions off the retail giant’s valuation. It was traced to a regional HVAC vendor’s poorly secured IT system. The vendor was probably an afterthought for Target’s IT security team; it cost the company dearly.
The only solution here is to hold your vendors to the same high standards you carry yourself. Depending on your size, you’ll have real leverage here, allowing you to (in effect) tell vendors to accept your terms or forget your contract.
11. Insufficient “Eyes on the Street”
IF IT HASN’T ALREADY, the IT talent gap will bite corporate IT departments in 2020 and beyond. The world needs more qualified IT security professionals; many techies opt for sexier careers with more significant upsides despite generous compensation and benefits.
How you address this issue at your own organization depends on how much you can throw resources at the problem. You may have to rely on outside security partners more than you’d like.
12. Domain Spoofing
Back at ground level: Domain spoofing is a lower-profile phishing threat effective enough to fool otherwise careful users. Domain spoofers use low-tech tactics to mimic authentic domains, such as slightly altering a URL or replicating a logo, to make the sender of an email appear legitimate. The threat of domain spoofing should be enough to scare you away from clicking links in emails you’re not expecting.
13. Malicious Miners
Cryptocurrency mining is a big business that requires vast amounts of computing power. Well-funded miners typically have the luxury of setting up their own server farms with reliable power sources, but budget operations often take shortcuts of questionable legality. One tactic is hijacking hundreds or thousands of personal computers and combining their processing power to create ad hoc mining networks to compete with blue-chip miners.
14. Social Media Phishing
Social media phishing is just as it sounds: old-fashioned phishing with a modern vector. Treat unsolicited messages from second-and third-degree connections with the appropriate degree of suspicion, and never click on links in whose provenance you lack absolute trust. While at it, turn up the privacy settings on your personal social media accounts and encourage your employees to do the same, especially in a BYOD environment.
15. Formjacking
Formjacking is one of those creative threats you’d almost have to respect if it were not so destructive. Formjackers hijack eCommerce platforms’ payment systems, quietly stealing customers’ credit card and bank account information without their knowledge. Customers don’t appreciate that; if you accept payments online, form-jacking represents an existential threat to your business and deserves a disproportionate share of your IT security resources.
16. Man-in-the-Middle Attacks
Of all the IT security threats discussed thus far, the man-in-the-middle attack (MITM) may have the most room to run in the future.
Instances range from relatively rudimentary (traffic intermediaries on unsecured networks) to sophisticated and resource-intensive (Stingray devices built to capture cellular and LTE data in urban environments). MITM protection is a matter of vigilance and mitigation. If you suspect your organization has been victimized, you must identify and neutralize the attack’s source while assessing your loss and implementing your recovery plan.
Are You Ready for the New Normal in IT Security?
Even in an IT security landscape that feels permanently in flux, change is sometimes tricky to spot as it happens. It may seem as if there are not many changes from week to week or month for those not living on the front lines. That’s enough to lull otherwise attentive decision-makers into false complacency.
Some perspective is in order. Amid the seeming constancy of cybersecurity, it’s worth remembering that today’s threat landscape would be wholly unrecognizable to someone parachuted into the present day from, say, 2009.
The effect is equal opportunity. White and black hats have powerful new tools: AI-powered cybersecurity protection for the former, AI-enabled ransomware, and ever more creative malware vectors for the latter, for example. Both sides live in a new normal that has crept up and happened simultaneously.
As we reflect on the decade that was and look ahead to the decade that will be, we must expect that the IT threat landscape will change to a similar or higher degree in the 10 years. Our long-term strategic plans must anticipate new realities we can scarcely conceive.
In the meantime, we must all prepare for the new normal in IT security. The black hats certainly are.
