12 Reasons to Strengthen Your Security Posture Now (And How to Do It)

Are you confident that your organization can anticipate all the digital threats it’s likely to face this year? That it can reduce the harm associated with those threats, if one or more come to fruition?

If you’re being honest with yourself, the answer on both counts is “no.” The threat landscape is too diverse and fast-moving to keep a bead on.

Critical data security measures such as comprehensive cloud backup and top-of-the-line anti-malware protection certainly help. However, you can and must do more. We’ll discuss some of the steps you should take to protect your company’s digital assets in a moment, but first, let’s review the latest cybersecurity trends for 2020 and beyond.

1. Ransomware Is a Pervasive and Growing Threat in 2020

Ransomware is so 2019. Or is it?

Think again. Despite growing awareness of the threat, ransomware continues to pose serious risks for organizations. In fact, as the sophistication of ransomware vectors and sponsors increases, even organizations with adequate defenses may find themselves vulnerable to attack.

The threat posed by ransomware isn’t merely one of annoyance. In many cases, ransomware attacks result in massive data loss or corruption, setting organizations back months or years. The reputation hit is nothing to wink at, either. Prepare accordingly.

2. AI Is Improving Faster Than You Realize — And That’s Helping the Bad Guys, Too

The next frontier in threat delivery is inhuman, literally. AI-assisted malware is already causing headaches for ill-prepared organizations, and as the quality of deep learning and natural language processing algorithms improves, it’s likely to affect even the best-prepared companies and individuals.

One of the most concerning AI-assisted malware vectors is the dreaded deepfake. Today, deepfakes remain discernible to careful observers, but it’s just a matter of time before they’re able to fool the best among us. When that day comes, watch out — you’ll never know for sure whether that video message from your boss is what it purports to be.

3. Phishing: An Oldie, But a Goodie

Next to the deepfake, phishing is a comparatively ancient form of digital impersonation. Somehow, some way, it remains effective.

Whatever the reason, it’s crucial to educate your workforce about phishing. That means how to spot it, how to avoid falling victim to it, and what steps to take if you fail to do the first two. One easy thing you can do is ensure your email suite is set up to warn recipients about external messages, and that said recipients are educated about the dangers of opening attachments or viewing images in such messages.

4. Spearphishing: Phishing 2.0 (Back and Better Than Ever)

Spearphishing is, in a nutshell, phishing 2.0. Whereas phishing is a numbers game that relies upon credulous recipients, spearphishing actively exploits recipients’ vulnerabilities.

A common example of spearphishing is the “boss email.” These messages purport to come from a higher-up in the organization, often a C-level executive, and ask for specific, sensitive information (passwords or bank account numbers, most often) that the recipient would know. If the recipient looked closely, they’d see that the sender’s email address was subtly different from the boss’s actual address, but they often don’t (and may not know the boss’s address, anyway).

It’s easy to see how a message like this can compromise an organization. How are you working to prevent that from happening?
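One way to automate the close look at the sender that the “boss email” passage describes, as an added example that is not part of the original article: it flags external senders, near-miss versions of your own domain, and display names that match an executive whose real address differs. The domain `example.com`, the executive directory, and all function names are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data: the organization's domain and executive directory.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain: str) -> str:
    """Collapse common visual substitutions (rn -> m, 0 -> o, 1 -> l)."""
    return domain.replace("rn", "m").replace("0", "o").replace("1", "l")

def classify_sender(from_header: str) -> list:
    """Return warning flags for one From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparseable"]
    domain = addr.rsplit("@", 1)[1]
    flags = []
    if domain != ORG_DOMAIN:
        flags.append("external")
        # Near miss of our own domain: same visual skeleton or 1-2 edits away.
        if (skeleton(domain) == skeleton(ORG_DOMAIN)
                or edit_distance(domain, ORG_DOMAIN) <= 2):
            flags.append("lookalike-domain")
    # Display name matches an executive but the address is not theirs.
    known = EXECUTIVES.get(" ".join(name.lower().split()))
    if known and addr != known:
        flags.append("display-name-impersonation")
    return flags
```

A mail gateway or add-in could map these flags to the external-message banner mentioned in the phishing section, with a stronger warning for the lookalike and impersonation cases.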

5. Vendors Are Still Vulnerable, And You Might Not Know Until It’s Too Late

Many of the worst data breaches in history occurred through poorly defended third parties. The infamous Target hack happened because a regional HVAC supplier lacked adequate cyber protections, for example.

Third-party breaches can do just as much damage as direct attacks. Ultimately, it doesn’t matter how the breach happens — it’s all about the results. So it’s crucial that you hold your vendors to the same high standards that you hold your own company. If they refuse, take your business elsewhere.

6. State-Sponsored and -Affiliated Attacks Are Growing More Sophisticated

What could your organization possibly offer to a sophisticated nation-state attacker? You’re just a lowly digital services startup or tech company!

Perhaps. But, unless your company is completely shut off from the global Internet (and it’s not), it’s vulnerable to attacks from nation-state actors and hackers affiliated with nation-states. Some of the fastest-spreading malware programs in history, including the infamous WannaCry bug, were thought to originate with nation-state baddies.

7. Organized Criminals Are Upping the Ante, Too

It’s sometimes difficult to distinguish between nation-state actors and organized cybercrime rings. In some countries, the two groups exhibit grotesque symbiosis — working hand-in-glove for mutual benefit, with organized hacker groups using stolen data (such as credit card numbers) to fund their host governments’ illicit activities.

These bad guys are becoming more ambitious and sophisticated by the year. The name of the game is deterrence — staying one step ahead of the enemy.

8. BYODs Are Ticking Time Bombs, And You Can’t Do Without Them

Do you allow your employees to use their own devices for company business?

Most organizations do allow what have come to be known as “BYODs” — bring your own devices. Providing hardware for hundreds or thousands of employees is expensive and cumbersome. Combining an annual technology allowance and a strict BYOD security policy is much more elegant.

It’s the latter that’s the problem. BYODs come in all shapes and sizes, and what’s best for the security of one isn’t always best for the security of another. It’s therefore crucial that you make a comprehensive, detailed BYOD security policy a top priority, preferably one led by an in-house CISO (more on which below).

9. IoT Is the Next CyberSecurity Frontier

And no one seriously thinks we’re prepared for what’s to come. Connected cars, medical devices, critical infrastructure — all are vulnerable to sabotage, with potentially deadly consequences. If your organization isn’t prepared for the worst-case scenario, it needs to be. The bad guys already are.

10. MitM Attacks Can Strike Without Warning

And, sometimes, without leaving a trace. At least, until you wake up to find your company’s crown jewels in the wrong hands.

Combating so-called “man in the middle” attacks is a matter of fastidious network security and impeccable version control. Even these countermeasures might not be enough, but all you can do is try.

11. Patches May Not Protect Against Unknown Zero-Day Exploits

Your organization is fastidious about applying the latest software updates and patches. Which means you don’t have to worry about known vulnerabilities in the cloud and desktop products you use every day. Right?

Wrong.

By definition, zero-day exploits are unknown unknowns: users and publishers alike don’t know about them until they begin causing problems. If you’re using an operating system or software program version with an unknown zero-day exploit, you might not realize it until it’s too late.

Strict version control is, therefore, absolutely essential. As soon as a new version becomes available, update all your devices (and your BYODs) with it. The longer you let old, corruptible versions languish in your digital ecosystem, the greater your risk of exploitation.

12. Human Error Remains a Leading Cause of Breaches and Data Loss

Back in the day, stories about key employees leaving laptops or Blackberries in airport terminals or taxicabs seemed to break every week. These cringe-inducing failures were cathartic to hear about, in a way — the old “at least it’s not me” defense.

Of course, they caused real harm to the affected organizations, not to mention the unfortunate employees’ careers. And “at least it’s not me” only holds up so long as, well, it’s not you.

People still lose laptops in airports, restaurants, Ubers, and hotel rooms. And your luck isn’t guaranteed to hold forever.

Impeccable device security may limit the damage caused by a lost device, but if a determined and capable hacker really wants to breach those defenses, he or she will succeed.

What’s needed is a comprehensive security posture that erects a clear perimeter around your corporate cloud and ensures only those employees who absolutely need critical access permissions are able to obtain them. We discuss these and other posture-strengthening tactics in greater detail below.

How to Strengthen Your Security Posture Now - An Abbreviated Guide

Your security posture won’t strengthen itself. To stay one step ahead of the bad guys, protect your most sensitive bits of data, and keep your company out of the headlines, you need to take these proactive steps as soon as possible.

Unfortunately, it won’t be enough. This is by no means an exhaustive accounting of the steps necessary to keep your digital assets out of harm’s way. But it’s a start — and a vital one at that.

1. Invest in a Top-of-the-Line Cloud Backup Solution

We’ve already harped on the importance of a top-of-the-line cloud backup solution, but we really can’t stress it enough. On top of all the threats enumerated above, cloud backup can prevent or mitigate data loss from a host of others, including natural disasters, fires, physical security breaches, power interruption, and other events that could compromise the integrity of your internal IT systems (and data stores).

2. Tighten Your Encryption Requirements (And Ask All Employees to Use VPNs on BYODs)

Your device encryption policy could use an upgrade, especially if you haven’t looked at it in years.

Encryption is pretty technical, which is why it’s important to work with IT consultants you truly trust, or better yet hire a CISO to spin up and oversee an internal IT security team (more on that in a moment). One non-technical step you can take right away is to update your company’s BYOD policy to require virtual private network (VPN) usage on all BYODs storing company data. This is a low-stakes, low-cost measure that can (and probably will) prevent opportunistic attacks.

3. Institute Two-Factor Authentication Across the Board

Another non-technical step you can take to limit the risks associated with data theft and loss is to institute two-factor authentication across the board, for all company and company-associated personal accounts to which employees have access.

Two-factor authentication, or 2FA, means that employees trying to access protected accounts must supply two separate credentials, rather than just one. Typically, one credential is a traditional password, while the other is a numeric code, security question answer, or biometric reading. What’s important is that these credentials are uncorrelated, meaning knowledge of one does not imply or promote knowledge of the other.

Many accounts offer 2FA as a matter of course. If you currently have mission-critical accounts that don’t require 2FA, consider moving your business elsewhere — your data is more important than any one business relationship.

4. Educate Your Employees Around Email Hygiene

As we’ve seen, phishing is still a thing. Spearphishing, meanwhile, is growing in popularity and sophistication. Before one of your team members gives bank account information to an intrepid attacker pretending to be your company’s controller or CFO, develop policies around how and when to share information over email. Hint: share as little as possible, and never transmit passwords or account information, even when you trust the sender. You can always pick up the phone or walk down the hall.

5. Constrain Permissions and Account Access to the Smallest Possible Circles

Keeping permissions to a strict “need to know” basis is a vital security measure for any organization. It’s especially important when it comes to financial information, such as bank account numbers — let those fall into the wrong hands and your accounts could be drained before you know what hit you.

6. Hire a CISO

Lastly, hire someone who knows more about all this stuff than you. Yes, a Chief Information Security Officer is a highly compensated role that you’ll need to spend considerable resources to fill. But it could be the most important hire you make this decade. Don’t put it off any longer.

The Work Is Never Done

As we’ve made clear, neither the potential security threats nor the posture-strengthening measures discussed above constitute comprehensive lists.

The digital world abounds with threats, many of which remain unknown to even the most intrepid security professionals. And the work of countering them is never done.

All the same, it must begin. If you’re to have a fighting chance amid the digital turmoil your company and its team face, you’ve got to go all in on a new approach to cybersecurity. The stakes are simply too high to do otherwise.


Photo: Getty Images / Blackjack3d
