New Trends in Corporate Cyber Security
In the wake of several high-profile security breaches in 2015, corporations are continuing to adapt to changing technological and geopolitical landscapes that present threats to information security. Last year, a global cost analysis study from IBM estimated the average cost of a corporate data breach at $3.79 million, underscoring the urgent need for corporations to tighten and enhance their cyber security. So far in 2016, the five trends below have made their mark on corporate data security tactics. From issues surrounding new technologies like cloud computing and the Internet of Things, to threats from increasingly sophisticated phishing and malware, companies continue to fight back against malicious attackers with continuous security improvements.
The Rise of Cloud Computing
Cloud computing has developed rapidly over the last few years. As more and more services store data in the “cloud,” corporate IT departments can find themselves losing a degree of oversight and control. To ensure that information is secure, it’s important for IT to have full visibility. One potential threat is that employees may attempt to bypass IT to access information or services that they feel they need. In the process, they may be bypassing security systems and protocols, potentially creating vulnerabilities.
To retain control when using cloud systems, it’s important to scrutinize cloud vendors closely. Company IT departments should know where data is being stored and whether the cloud service vendor meets appropriate security standards. From a risk management perspective, it’s wise to keep an eye on any third-party vendors who are responsible for the security of your data. Another solution would be to utilize a highly rated information technology staffing agency that thoroughly vets all of its employees.
The Office of the Comptroller of the Currency has cautioned against several practices that can increase the risk of a data breach. Although its recommendations are aimed at banking institutions, they are not exclusive to banks:
- Failure to assess and document the inherent risks in outsourcing services
- Failure to perform ongoing monitoring of third party services
- Entering into contracts with third party vendors without assessing the vendors’ security and risk controls
- Entering into contracts that may incentivize third parties to take risks with data security to maximize profit
- Engaging with third party vendors with inadequate formal contracts
Ransomware
Ransomware is a type of malware that encrypts a user’s files. The attacker then demands payment in return for the decryption key. According to the Cyber Threat Alliance, a recent variant of ransomware known as “CryptoWall 3.0” has cost global users a total of over $325 million. The malware renders data inaccessible without paying the ransom, and attackers often use social engineering to gain an initial foothold.
The problem with ransomware is that in many cases, it works. The easiest way for a company to regain access to their data is often to simply pay the money and be done with it. Companies can mitigate the threat from ransomware with robust backup routines, and better cyber security education for personnel can help deter the social engineering component of these attacks.
Spear Phishing
“Spear phishing” is a malicious tactic that targets specific individuals or companies. The attacker deceives the user into handing over passwords, account details, and other sensitive information. Its effectiveness is primarily a matter of social engineering. While more technically inclined users are often aware of spear phishing, phishing websites are becoming increasingly sophisticated and convincing. It’s not uncommon for an employee to fall victim to a phishing page that looks like the official login for a website or service.
Recently, spear phishing attacks have increasingly targeted high-level personnel, including C-suite executives. It’s important for IT departments to educate such personnel about the dangers of spear phishing.
Dealing with Publicly Known Vulnerabilities
In many cases, attackers exploit vulnerabilities that are already publicly known but have not yet been patched. While newer exploits are more likely to be publicized, the majority of attacks exploit bugs that have been known for years. This means that security teams need to devote time and resources to fixing known vulnerabilities. The rise of new technologies compounds this issue, and many attackers target point-of-sale and Internet of Things technologies.
Last year, HP released its 2015 Cyber Risk Report, which recommends the following tactics:
- Comprehensive patching to keep systems up to date
- Regular penetration testing
- Understanding the new attack surface associated with new technologies, e.g. IoT
- Keeping up with new developments in the cyber security industry
The Nascent Internet of Things
The “Internet of Things” is arguably in its infancy, but is widely predicted to be one of the next major developments in the tech world. The IoT creates the potential for many new business opportunities, but it also creates new inroads for possible malicious attacks. Access to IoT devices and data needs to be restricted, with significant oversight by IT personnel.
The Future of Corporate Cyber Security
As technology continues to develop, and new devices and systems like cloud storage and the Internet of Things present both new strategies and new threats, corporate information security must continue to adapt. From technical vulnerabilities like software bugs, to human vulnerabilities to social engineering, there will always be malicious individuals and groups who attempt to compromise companies’ data. Strong IT resources, along with good education for non-technical personnel, can help ensure optimal cyber security for corporations of all sizes.