The high-speed, always-on digital ecosystem is evolving. As you build your next-generation enterprise on platforms that offer unprecedented power, convenience and economy, keep in mind that cybercriminals are evolving, too.
Today, significant cybersecurity breaches have become so commonplace that it’s easy to gloss over headlines and move on. But the attacks that quickly fade from the news cycle still leave a significant mark. McKinsey reports that 47 percent of C-suite executives claim their company experienced a cyberattack. Of those affected, over a quarter rated the damage as “high” or “severe.” Only 11 percent said the impact had “little or no effect.”
To grasp today’s cybersecurity landscape, keep a close eye on emerging and persistent risks.
Attackers look for value
Cybercriminals are increasingly looking for higher-value targets. While breaches of retail and hospitality chains still make headlines because they affect millions of consumers, security experts have developed toolkits to manage the consequences, making these attacks less lucrative for hackers. Attackers are moving on from huge consumer databases in search of caches that are less splashy on paper, but potentially more valuable, such as law firms, which store volumes of sensitive and privileged information, but reportedly lack sophisticated cybersecurity measures. CEO of B Suite Cyber Security Bart Barcewicz predicts that public accountants and title insurance firms will also be appealing targets.
Staffing is essential
As your IT infrastructure evolves, it’s important to ensure that your in-house cybersecurity experts understand the new challenges, such as the difference between protecting data on-premises and in the cloud. In a tight labor market with a scarcity of trained talent, retraining in-house staff is essential to survival in the short term.
“With your enterprise IT systems in a constant state of change and external threats evolving and scaling even more quickly, it’s essential to have team members on-staff who are responsible for ensuring best practices are being followed,” says Joe Sullivan, chief security officer at Cloudflare. “Leveraging security tools designed to help you quickly cover your bases goes a long way, but you cannot simply spend your way to good security.”
Passwords remain a glaring vulnerability
An essential step you can take today is to move past the world’s widely popular yet vulnerable single-factor authentication: the password. “Single-factor passwords are one of the simplest possible keys to the kingdom and are the key tool for attack vectors, from novice hackers right the way up to nation-state players,” writes Ian Kilpatrick, Nuvias Group executive vice president of cybersecurity. “And yet they still remain the go-to security protection for the majority of organisations, despite the low cost and ease of deployment of multi-factor authentication solutions.”
Near-universal mobile phone adoption makes code verification via text message or apps much easier to deploy than a dedicated security token. “Smartphones are convenient,” says Barcewicz. “And convenience makes it easier to convince executives to actually embrace multi-factor authentication.”
Even so, Sullivan warns against placing too much confidence in any one method: "We encourage people to not rely on SMS as a second factor. Hard keys are the ideal second factor, but there are also apps that serve as strong second factors. SMS is not safe enough."
Stop bad bots
The future of tech and the future of cybersecurity threats are linked in the Internet of Things (IoT). Gartner projects over 14 billion connected devices this year, en route to 25 billion in 2021.
Forrester expects IoT botnets to grow in size and sophistication with the potential to siphon millions of dollars per day through seemingly legitimate (but actually fraudulent) behavior. This means that an infected device might not actually inconvenience or compromise its user.
Analysts at F5 Labs consider IoT insecurity even more threatening than the traditional weakest link: under-informed users. “It’s easier to compromise an IoT device exposed to the public Internet and ‘protected’ with (known) vendor default credentials than it is to trick an individual into clicking on a link in a phishing email,” they report.
As organizations address these emerging risks, services like automated bot management will likely grow increasingly crucial.
Governments—not private criminals—will set the tone
Cybersecurity risks intensified when individual attackers gave way to organized crime syndicates. Now, governments are overshadowing both groups. Chinese cybersecurity officials recently gained broad powers to penetrate networks operating inside the country and to both collect and share data obtained from those entry points, without warrants, notification or apparent recourse.
Because state actors are playing such a huge role in both setting policy and commissioning exploits, business leaders are bracing for consequences.
Security and privacy enforcement will converge
As damaged reputations and plummeting stock prices occur due to privacy breaches, we may see security and privacy converge into a single practice. “Legal and privacy personnel will become more technical, and technical personnel will become more familiar with legal and compliance mandates,” writes Andrew Burt, chief privacy officer and legal engineer at data governance firm Immuta, in Harvard Business Review. “The idea of two distinct teams, operating independent of each other, will become a relic of the past.”
“State and non-state actors are honing cyber weapons into cheap but effective—and unpredictable—geopolitical instruments,” writes PwC. Its survey found that 72 percent of global CEOs anticipate that “their company may be affected by geopolitical cyber activity.”
Responsible leadership must prepare today
Join the growing movement among business leaders and treat cybersecurity as a core priority. Even so, you may still be in the minority. An EY survey found that only 39 percent of companies say their board or leadership team has a “comprehensive understanding of information security.”
Incorporate vendor risk management to better protect your organization and ecosystem. Aim to assess risks both within and beyond your four walls, perpetuated by choices or inaction of partners—from IT suppliers to cleaning crews. “Bring cybersecurity into the boardroom by talking about it, and not just for five minutes,” Barcewicz says. “Challenge them to identify your most critical assets, and discuss what would happen if they were lost.”
Above all, see your cybersecurity efforts through from discussion to implementation and constant revision. At a recent Council On Foreign Relations event, former National Security Council Director of Cybersecurity Policy Robert Knake emphasized both progress and a need for more diligent execution: “The optimistic part is we actually probably know how to secure these devices,” he said. “The pessimistic part is, we’re not doing it.”
Source: Forbes