Here are the major cybersecurity threats that organizations should be aware of in 2020.
1. Phishing
Traditional phishing attacks (in which cybercriminals try to obtain sensitive information such as passwords or financial details) are still extremely prevalent and still extremely effective. If they weren't, bad actors wouldn't use them.
Phishing attacks, of both the targeted and broad-sweep variety, are among the predominant threats for non-profit organisations.
Many of these non-profit organisations don't have alerting systems built into their network infrastructures.
CEO fraud, spear phishing and cross-site attacks are all on the rise. To combat these incursions and many others, experts say, awareness education and training are vital.
An ounce of prevention is worth a pound of cure: prevention lets you mitigate a significant number of these attacks. You don't want your business to be known as the weak link.
2. Ransomware
Ransomware, malware that encrypts a target's data until a ransom is paid, remains a major threat.
Ransomware perpetrators typically avoid demanding huge sums of money, which increases the likelihood that victims will pay. The cybersecurity community's consensus opinion is nonetheless "don't pay," even though the cost of that approach may be significantly higher. It is a very difficult decision, as the unpaid ransom could be a small fraction of the cost of recovery. There are also credibility and liability issues, and the number of undisclosed payments could be considerable.
Beyond financial gain, cybercriminals might be further motivated by politics or revenge. Non-profit organisations ranging from food banks to hospitals have been an especially prominent target because they often lack effective cybersecurity resources and institutional security knowledge. Even though the sector as a whole is making strong improvements, they remain the easiest targets.
For those who do pay ransoms, the decision might not be as simple as calculating the cheaper option.
3. IoT Devices
IoT devices number in the billions and continue to multiply, and all types of businesses use them: everything from connected cameras to voice assistants to connected logistics gadgets. Nonetheless, experts say, security standardisation has failed to keep pace with adoption.
The use of IoT devices is rising rapidly; it is estimated that by 2025 there will be more than 75 billion of them. Keeping them secure is hard, and they are particularly vulnerable to hacking.
There are all kinds of ways a hacker can compromise an IoT device: via your central heating thermostat, by taking control of the firmware in your smart car, via a baby monitor, or even via a child's toy with a Bluetooth device that can be manipulated to function as a recording device. All of these things have happened, so it is important to be aware of IoT device use.
There is no widely accepted standard for how we maintain security around IoT.
Check IoT devices and their provider before you allow them onto your network.
Do you need smart devices on your business network?
Could they go on their own segregated wireless network?
Are you keeping them up to date with security patches?
You must consider IoT devices seriously for company security. These devices should be seen as just another computer on the network.
AI can also make malware harder to detect, as it blends into the background.
Lawmakers are beginning to propose and pass more IoT-focused security legislation.
IoT devices have been in use for very many years. Many were never secure, and many are still very active. That is going to present some real challenges to organizations and enterprises as we look across corporate real estate.
4. The Cloud Vulnerability
Another potential third-party vulnerability stems from cloud ubiquity. Even though the cloud can be, and often is, a secure environment, companies shouldn't treat it as out of sight, out of mind.
As we migrate to cloud-based environments, enterprises still retain responsibility for the integrity, confidentiality and availability of their data. Particularly among smaller enterprises there is an assumption that, because the data has been outsourced to the cloud with Amazon or Google, it must be secure; but we know it depends very much on the security posture the customer has adopted.
Most organizations aren't able to audit the effectiveness of a cloud provider's security, so we can expect to see a continuing trend toward hybrid environments, at least among a select group of fairly advanced organizations.
5. Supply Chain Susceptibility
Companies have always faced some degree of exposure through the traditional, vendor-linked supply chain, but the prevailing gig economy adds a new problem. Contract workers often don't receive a full security induction, yet companies still grant them access to sensitive data, knowingly or not.
Just who can you trust?
6. AI – Artificial Intelligence
AI helps criminals as well. AI is being used to make tasks quicker and easier; it is designed to learn, adapt and mimic what humans do, and that capability can be exploited by hackers.
For example, spam-phishing malware campaigns send convincing, targeted emails to users, who click on malicious attachments and give attackers access to systems. AI could make these emails even more convincing and more successful.
7. Internal Threats and Vulnerabilities
How do you protect critical information from an insider?
Businesses now know that some of the most dangerous calls come from inside the company. Most organizations say that they have appropriate controls to prevent internal attacks. However, many companies admit that they have fallen prey to at least one such attack in the previous 12 months.
Insider threats depend on how people are feeling and what their motivations are.
A company is far more likely to be attacked because of internal sloppiness than malice, whether that is falling for a phishing attempt or failing to patch code.
There are also people who know they are doing things wrong but think there is a good reason for it, such as business expediency.
Often companies are quick to adopt the latest and best technologies but haven't really mastered the security processes needed to educate their teams on how to minimise careless mistakes.
8. Data Rights and Compliance
The European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are gaining momentum, and these will implement more stringent data-protection safeguards. That is good news for the cybersecurity industry as a whole, but it also creates concern because practices may not be uniformly compliant.
A changing regulatory landscape means that many companies must decide whether or not to meet the strictest requirements.
The interconnected nature of the business environment also means regulations have a broad reach. GDPR rules, for example, apply even to non-EU-based companies if they offer services to the EU or monitor the behaviour of data subjects in the EU.
Companies know they need to prepare for big changes that are coming, but they don't know which way the wind is blowing because of political shifts.
Those realities, coupled with pressure applied by insurers, mean company heads must closely monitor liability issues. Plus, those affected by data breaches are hardly litigation-shy these days.
When a major breach happens, many class action suits tend to follow. As a result, some insurance costs will go up, and directors and officers will become more and more involved.
The sheer and ever-growing number of threats and vulnerabilities can be overwhelming. Organizations should therefore not overdo disciplinary action against staff. A company needs to find the most effective security for its particular situation.
More Cyber Security Issues
Foreign State Threats to Company IP Trade Secrets
Operating facilities abroad in hostile regions where intellectual property rights are weak or non-existent should be viewed by the CISO as a major threat. Organisations should not be learning or building new security capabilities for the first time only when the company decides to deploy assets and capabilities abroad, particularly in hostile regions.
It is very difficult to protect intellectual property and trade secrets.
Typically, Boards of Directors may take risks with intellectual property or trade secrets, particularly given the increased potential revenue offered by emerging markets. Corporate management often does not weigh the potential loss of intellectual property heavily enough.
Information security practitioners should know the long-established golden rule that information security is not just about technology. Broad, deep security strategies are required to protect a company's high-value information assets from probable foreign adversaries.
Underestimating the risks posed by third parties, especially those based in a hostile area, will probably leave them as the company's weakest IT security link.
If a company has not considered and prepared for all of the potential risks, including contractual expectations, information controls and external monitoring capabilities, it may already be compromised.
Information Security Managers have a great opportunity to implement measures that minimise corporate information risks by incorporating control expectations into their service provider contracts, or by renegotiating those contracts if they are already in place.
Information Security Managers should accept that taking risks with intellectual property and trade secrets is often the cost of doing business, even though senior managers may not officially agree.
Organisations should learn to be ready for these risks.
Aggressive third parties can always find security areas to exploit.
Companies should assume that they have already been breached.
There is a need to identify the corporation's most valuable assets, where they are located, how they are used and what specific additional controls are necessary.
Industries that produce and rely on their own patent-protected intellectual property or trade secrets, such as pharmaceuticals, chemicals, life sciences, high-tech manufacturing, industrial manufacturing and Supervisory Control and Data Acquisition (SCADA), are already making progress.
Our intelligence capabilities are an important reason why information security practitioners' strategies need to include people, process and technology. Often employees simply walk out the door with the company's data on USB devices and the like.