What Cybersecurity Risks Are Companies Currently Underestimating the Most?
34 Experts Have Their Say
Cybersecurity advice is in a state of constant flux, changing as technology and trends evolve. But what risks are companies not currently taking seriously enough? We get the thoughts of a host of industry experts.
Their Own Employees
Always the people – without any doubt, if you want to improve the security of your business then you need to ensure you take a look at your employees.
The reality is that your employees are and almost certainly will always be the biggest threat to cybersecurity and are often overlooked. However, you can mitigate the risk and reduce it as far as possible by regularly training staff, making them aware of the latest threats and creating a culture of heightened cybersecurity within your business.
Tim Hall, chief technology officer, Blue Logic
The Dangers of Dark Web Dumps
One of the biggest cybersecurity threats most organisations underestimate is the dark web: a haven for buying and selling corporate data. At RepKnight we detect thousands of dark web dumps every day containing sensitive corporate data like company credit card details and corporate logins, and the businesses to whom they belong are none the wiser.
In fact, businesses often take more than 450 days to spot a breach on average, which is worrying in itself, but with the deadline to comply with the EU’s GDPR regulation coming up, time has already run out for companies to protect their data. The key to combatting the dark web and avoiding the wrath of the GDPR is to have a way to detect whether your data has been posted on the dark web, a task only possible with advanced search technology and innovative data management processes.
Patrick Martin, cybersecurity analyst, RepKnight
According to Verizon’s annual Data Breach Investigations Report (DBIR), in 2015, compromised identities were responsible for 50% of all data breaches.
That number grew to 66% in 2016, and 81% in 2017. Attackers are focusing on the most vulnerable areas of the business: identities.
Still, most organisations aren’t making the connection. In 2017, companies will spend just 4.7% of their total security budgets on identity and access management (IAM)—the very technology that could help prevent four out of five breaches.
In 2018, a combination of increasing identity-related breaches and security vendor fatigue will force companies to reevaluate their entire security postures, from the ground up.
However, in the meantime, unfortunately things will get worse before they get better, but new models such as Zero Trust and a focus on securing identities provide a path forward to turn the cybersecurity tide.
Andy Heather, vice president and managing director for EMEA, Centrify
An Uptick in Ransomware
Ransomware has emerged as one of the most significant threats facing businesses. Recent news stories seem to indicate an uptick in this kind of cybercrime, and our data certainly supports this. In Q1 last year, ransomware accounted for 20.5% of our claims, compared to just 12.9% in the same time period in 2016.
Ransomware is a popular form of cybercrime mainly because it is relatively simple to carry out and can reap significant rewards for hackers. It is hard to believe that an attack capable of causing widespread mayhem can originate from an individual simply buying a kit online, but this is often the case. These kits can be modified and used to launch an attack, and what’s worse, the perpetrator stands little chance of being caught.
Despite the somewhat unglamorous origins of ransomware attacks, the act can be completely devastating for businesses. Although the average extortion demand isn’t exactly extraordinary – around $300 on average – we often see claims come in at around $10-20k, with some escalating into the hundreds of thousands. This is due to a number of factors, from business interruption expenses to the cost of bringing in IT specialists, forensic investigators and PR specialists to publicly manage the issue.
The good news is that all of these are insurable losses under a typical cyber insurance policy. And not only can it cover these costs, but a good policy will incorporate access to specialist providers who can help a business manage the incident when trouble first strikes. Many insurers have panels of specialists in place that can help firms through each stage of incident response.
Graeme Newman, Chief Innovation Officer, CFC Underwriting
Permanent Denial-of-Service (PDoS) Attacks
PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations PDoS can destroy the firmware and/or basic functions of a system. It is a contrast to its well-known cousin, distributed denial of service (DDoS) attack, which overloads systems with requests meant to saturate resources through unintended usage.
Companies need to adopt hybrid DDoS mitigation models to protect on-premise and cloud services. It should be real-time and capable of addressing high volume attacks and protect pipes from saturation. Also recommended is behavioral-based detection that can quickly and accurately identify and block anomalies while allowing legitimate traffic through, and real-time signature creation to promptly protect from unknown threats and zero-day attacks.
They should also be combined with application protection, such as full coverage of OWASP Top-10 application vulnerabilities and IP-agnostic device fingerprinting capabilities, to overcome dynamic IP attacks and achieve improved bot-detection and blocking.
Andrew Foxcroft, regional director, Radware
The Automation-Driven Standardisation of Detection and Response
As the cybersecurity skills gap continues to widen, the single largest understated risk is the standardisation of detection and response through automation. The industry is scrambling to minimise the impact of a skills shortage through structured automation and standardisation that creates predictable patterns of behaviour for hackers to exploit.
Businesses, especially those that can't compete for scarce security talent, are becoming overly reliant on software to automate and identify threats in their environment. This abstraction of security, often manned by untrained security employees, results in an inherent trust in the data being presented.
This predictability combined with a lack of skilled security professionals to question the output allows hackers to manipulate security environments even in some of the more mature security programs. Hackers are already using techniques that intentionally trip alarms and send signals to defenders as a way of drawing attention away from their primary objective.
Manipulating the standard operating procedures of SOCs is the current stage of evolution for hackers. Just as in the 2010s they realised the user was the easiest way to break into a system, this generation of hackers has realised that discovery by a security system is simply a phase in the exploitation cycle rather than the end of the mission.
Ross Rustici, senior director, intelligence services, Cybereason
A Lack of Understanding about Their Own Systems
Broadly speaking, many companies are missing out on fundamental security practices, leaving them exposed. While it can be worrying to be targeted by nation states, or organised hacking groups, the reality for most companies is that most risks manifest through not knowing where assets are, what the network topology looks like, where critical data is held and processed, or understanding where vulnerabilities exist internally and on public-facing apps.
Perhaps the most underestimated emerging risk is that of using cloud technologies. While cloud providers, by and large, do a very good job of providing secure infrastructure, the customer still has a responsibility to ensure it is configured properly and data is adequately protected. As we’ve seen with the recent spate of breaches through incorrectly configured AWS S3 buckets, it can only take setting one wrong option to expose all your private data.
Javvad Malik, security advocate, AlienVault
Cryptomining Malware is crippling Enterprise CPU power, and although many organisations are just waking up to the threat, it is far from new on the scene. Since summer 2017, cryptomining malware has steadily become an increasing threat to organisations, as criminals have found it to be a lucrative revenue stream.
Over the last three months, the most prevalent malware threat has been CoinHive, a cryptominer designed to perform online mining of Monero cryptocurrency without the user’s approval when visiting an infected web page. CoinHive impacted more than one-in-five organisations in January 2018 alone.
It is particularly challenging to protect against cryptomining malware, as it is often hidden in popular websites, enabling hackers to use their victims’ machines as their own massive enterprise-sized CPU resource. The threat is particularly insidious as it is two-fold; not only will cryptominers slow down your PCs and servers, but once those agents have penetrated they can be turned to other, more nefarious matters. It is therefore more important than ever for enterprises to employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.
Aatish Pattni, head of threat prevention – Northern Europe, Check Point
The Blurring of Home and Work
UK SME businesses rely heavily on enabling a mobile workforce, allowing people to work where and when they want, accessing business data and applications. Using mobile devices including laptops, they are too often underestimating that they are at risk at all.
2018 could be the year that we begin to see significant challenges. Larger businesses are increasingly more protected, with a dedicated IT resource who ensure all the latest security patches are applied and closely monitor who is accessing sensitive data.
Our research tells us smaller companies are lagging behind as cybercriminals look to switch to softer targets. If the average cost of a cyber-attack is estimated to be more than £10,000, then that has the potential to be devastating for an SME.
Part of the problem is that in a small business, there is a blurring between the work and home devices as many of these organisations are owner-driver businesses and need to be agile and responsive to customer needs. If you’re going to be accessing data or sending files from your phone or tablet, it needs to be as protected as the workstation in an office.
SMEs must set aside time regularly to consider security, starting with securing all devices. You may be protected at home, but what about when you download files when you are out and about? Sitting in a coffee shop, someone can easily hack your data while you access it unless you put protections in place.
Finally, secure your data. GDPR makes this a regulatory requirement, but how many smaller companies really know the regulation also applies to them? The answer is to get into the Cloud. Data in the Cloud is much better protected if you work with a recognised supplier that provides security but can also help with data compliance.
Julien Parven, SMB marketing director, Daisy Group
The Lack of a Global, Declarative Cybersecurity Policy
Enterprises, in general, do not have a stated security policy that flows downstream to the countless number of security controls across the attack surface. Most security and access controls, whether for legacy infrastructure or new forms, such as cloud and containers, are for ‘current’ state, without reference to the ‘desired’ state the organisation needs.
When lacking a declarative policy – this can do that, that cannot do this – organisations carry around a bag full of security controls that inadvertently conflict with one another. We are managing security controls through exceptions, but when the exceptions outnumber the desired security posture, it leaves open millions of potential hazards.
This is a stupefying risk, because it engenders a random security profile. New personnel arrive, what is their mandate? Unsure. New applications are deployed, what is the protocol? No clue. New computing resources are spun up, what are the correct security settings? Shoulder shrug.
Without a compass guiding which security controls to enact and which to avoid, the whole organisation has a rat’s nest of controls that do not conform to the declarative security policy.
This is why many organisations are shifting to intent-based security. With intent-based security, you establish a declarative, global policy that allows new security controls to fall into place with direct reference to the intent. Intent-based network security (IBNS) dismisses the need to write rules for the current state (which never stays current) and gives you command over your network with your intent: this is allowed, that is not.
Like a Constitution that determines which subsequent laws are permissible, this model begins with a global, declarative policy, then translates that declaration into specific security controls. Unfortunately, the lack of a global, declarative policy is a staggeringly underestimated cybersecurity risk.
Josh Mayfield, director, FireMon
Siloed Departments Compromise Communications
One of the biggest cyber security risks to companies today is that of siloed departments, operating without streamlined communication with one another. Our own study commissioned with Forbes Insights found that 60% of IT decision makers globally say operations and security teams have only a general or little understanding of each other’s requirements.
If these two critical teams are not in sync, this leaves businesses vulnerable to data breaches and makes remediating threats extremely difficult. We call this gap the ‘SecOps gap’ and it is critical it is closed to keep modern businesses on the move.
Companies that develop closer partnerships between security architecture and operations can reap rewards that far surpass simply passing audits.
Whether viewed from a security, operational or compliance perspective, SecOps alignment is essential for keeping modern businesses performing at levels required in today’s highly competitive global marketplace.
Paul Cant, VP of EMEA, BMC Software
Unintentional Exposure of Cloud Resources
One issue often overlooked is the unintended exposure of cloud resources. Many organisations do not adequately plan and control cloud deployments. Quite often, these deployments happen as part of ‘shadow IT organisations’, meaning that parts of the organisation who are usually not tasked with IT are signing up for cloud resources without proper controls. The result is that confidential data will be stored on improperly configured cloud systems.
A number of high profile data breaches recently happened because data was stored on cloud services like Amazon's S3 service. These services are often ‘open by default’ and any access restrictions need to be specifically configured. In addition, these resources are outside the traditional perimeter and various existing controls, like data leakage protection or vulnerability scanning do not apply to them.
But even if cloud services are deployed properly, the impact of the use of cloud services on incident response and breach recovery is often underestimated. For example, web mail systems often do not provide the same granular logging and auditing capabilities that are commonly enabled for on premise mail services.
In case of a phishing attack, it can happen that an attacker will use stolen credentials to access an employee's webmail account and enable forwarding mechanisms for incoming e-mail. It can be very difficult to identify which e-mails the attack had access to, which can directly impact legal requirements to identify leaked information and notify affected parties.
Johannes Ullrich, Dean of Research, SANS Institute
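Both Javvad Malik’s point about S3 buckets and Johannes Ullrich’s point about improperly configured cloud storage come down to two concrete settings: an ACL grant to the AllUsers or AuthenticatedUsers groups, or a bucket policy statement whose Principal is "*". The check below is an added example, not code from either contributor or from AWS; it works on the structures that boto3’s `get_bucket_policy` (the `Policy` JSON string) and `get_bucket_acl` (the `Grants` list) return, so it runs offline against the constructed sample data and can be pointed at real API output unchanged. The bucket name, account ID and role ARN in the sample are placeholders.

```python
import json

# Group URIs that AWS uses for anonymous and any-signed-in-user access.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_wildcard(principal):
    """True if a policy statement's Principal matches anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_document):
    """Return the Allow statements that grant access to a wildcard principal.

    policy_document is the JSON string in the 'Policy' field returned by
    boto3's s3.get_bucket_policy(). Statements that carry a Condition block
    are still reported (flagged as conditional) because conditions are easy
    to get wrong and deserve a manual look.
    """
    policy = json.loads(policy_document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": actions,
                "conditional": "Condition" in stmt,
            })
    return findings


def public_acl_grants(grants):
    """Return (group URI, permission) for ACL grants to the public groups.

    grants is the 'Grants' list returned by boto3's s3.get_bucket_acl().
    """
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


# Constructed sample data (placeholder bucket, account and role, not a real
# account): a policy with one public-read statement and an ACL that lets
# anonymous users list the bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    for finding in public_policy_statements(SAMPLE_POLICY):
        print("public policy statement:", finding)
    for uri, perm in public_acl_grants(SAMPLE_GRANTS):
        print("public ACL grant:", uri, perm)
```

Run it across every bucket in an account by looping over `list_buckets` and feeding each bucket’s policy and ACL to the two functions; a bucket that raises `NoSuchBucketPolicy` simply has no policy statements to check.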
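The forwarding trick Johannes Ullrich describes leaves a trace when mailbox admin auditing is on: the rule or mailbox change is recorded with its parameters. The scanner below is an added example, not code from SANS or from any mail provider; the record layout (`Operation`, `UserId`, a `Parameters` list of name/value pairs) is modelled on the Exchange admin audit log shape, and the log lines themselves are constructed. It flags any inbox rule or mailbox setting that forwards or redirects mail to a domain outside the organisation’s own.

```python
import json

# Parameters that turn a rule or mailbox into an outbound copy of its mail.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Operations that can set those parameters.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _addresses(value):
    """Normalise a parameter value into bare lower-case addresses.

    Values look like 'smtp:bob@example.org' or 'a@x.org;b@y.org'.
    """
    out = []
    for part in str(value).replace(",", ";").split(";"):
        part = part.strip().lower()
        if part.startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            out.append(part)
    return out


def find_external_forwarding(records, internal_domains):
    """Return (actor, operation, destination) for forwarding to outside domains."""
    internal = {d.lower() for d in internal_domains}
    hits = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            for addr in _addresses(param.get("Value", "")):
                if addr.rsplit("@", 1)[1] not in internal:
                    hits.append((rec.get("UserId"), rec["Operation"], addr))
    return hits


# Constructed audit records (no real tenant): a rule that forwards and
# deletes, a mailbox-level forward to a personal account, and a benign
# internal team rule that must not be flagged.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"CreationTime": "2018-03-02T08:14:05", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:drop@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2018-03-02T09:00:00", "Operation": "Set-Mailbox",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:bob.personal@webmail.example.org"}]},
    {"CreationTime": "2018-03-02T09:30:00", "Operation": "New-InboxRule",
     "UserId": "carol@example.com", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "Team"},
                    {"Name": "ForwardTo", "Value": "team@example.com"}]},
]]


def scan_log_lines(lines, internal_domains=("example.com",)):
    """Parse one JSON record per line and return the external-forwarding hits."""
    return find_external_forwarding([json.loads(line) for line in lines],
                                    internal_domains)


if __name__ == "__main__":
    for actor, op, dest in scan_log_lines(SAMPLE_LOG):
        print(f"{actor} {op} -> {dest}")
```

The output answers the question raised above in a bounded way: from the rule’s creation time onward, every message matching the rule went to the destination address, which is the scope a breach notification has to reason about.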
DDoS Attacks Are Only Getting Stronger and More Targeted
In the past, cybercriminals would orchestrate DDoS attacks to cause as much damage as possible within a short period of time. Today, those same cybercriminals are achieving higher levels of success against organisations through more sophisticated, targeted and frequent attacks.
According to Neustar’s recent Global DDoS Attacks & Cyber Security Insights Report, 52% of brands that suffered a DDoS attack also reported a virus, while 35% reported malware, 21% reported ransomware and 18% reported lost customer data. Beyond that, 75% of respondents recorded multiple DDoS attacks following an initial assault on their brand’s network.
Despite growing awareness around the potential effects of DDoS attacks, many of today’s firms are still extremely unprepared. While this is due to various internal and external issues, it often boils down to the fact that as the threat landscape continues to evolve, many IT and security professionals find themselves overwhelmed and unable to keep up.
Many organisations are often left without the proper resources and defences in place, resulting in disastrous outcomes. For organisations, one of the main issues lies within detection speeds, which have continued to lag, and are considered to be a determining factor relative to attack impact. To address this, they must ensure they understand where the greatest risks to their business lie, outside of just the web perimeter, and take the necessary actions to safeguard against them. From securing web-facing applications, to encrypting mission-critical data and IP, fortifying the most valuable data and information should be the priority when preparing an organisation against cyberattacks.
Anthony Chadd, senior director of EMEA Security Solutions, Neustar
Proprietary, Closed-Source Software
In an age where we face complex, relentless cyber threats to our IT systems, the problem starts and ends with proprietary, closed source software.
For enterprises, a reliance on closed source has created a situation where a firm may have a multitude of siloed, legacy software systems all operating in tandem.
Each of these IT systems can come from a variety of vendors, which can subsequently limit the knowledge level of the system administrators, as they must now manage patching and updating an array of complex mechanisms.
Being proprietary by nature, these distinct platforms will all have unique security protocols and issues, which administrators will have to manage separately. This all weighs down on the cyber-readiness of a firm, leaving them open to exploitation as a result.
Cloud services based on proprietary software are even worse, locking away the source code and the data itself.
This can lead to vendors not communicating breaches in a timely and thorough manner. Cloud services must be built with open source software to be trustworthy.
By keeping code open, developers can collaborate across tools developed by a multitude of vendors with greater visibility, and identify the errors of colleagues sooner.
The transparency inherent in open source encourages greater examination and testing of the code, which through community input, allows bugs and exploits to be traced faster than with closed source software.
With an open source model, the source code is out there in the open, not hampered by vendor IP or a lack of visibility, and can therefore help mitigate the growing problem of enterprises using fractured, proprietary software.
Rafael Laguna, CEO, Open-Xchange
IoT Threats: Not Just Digital Damage, but Physical As Well
Internet of Things (IoT) devices have become commonplace in today’s society, both inside the home and out. Many companies are aware of the issues surrounding IoT device defence, but they all underestimate the damage that some of these devices can cause when they fall into the wrong hands.
Vulnerabilities in IoT devices and supervisory control and data acquisition (SCADA) systems can lead to physical – not just digital – damage. While many IoT devices are small, limiting the casualties to a minimum, unlike Stuxnet and Flame targets, IoT and SCADA devices are leveraging common open-source frameworks that are easy to fingerprint and hard to patch after installation, which makes them prime targets. While companies may look to keep information on these devices safe, many don’t realise the full danger that can come from an IoT device hack.
Ronald Sens, EMEA director, A10 Networks
Machine Identity Protection is Overlooked
A key threat that is being overlooked by too many organisations is hackers attacking and fooling the machines we use. Just as humans use usernames and passwords to identify ourselves, machines use keys and certificates in much the same way. These keys and certificates allow our machines – everything from software applications and algorithms to servers and laptops – to communicate securely. Without them, machines are unable to function, just as if we forget our passwords, we are unable to access the network.
Nearly $8bn a year is spent on human identity and access management, yet only a fraction of that amount goes on protecting machine identities.
Hackers know this and have started to target machine identity as a way to attack enterprises. By stealing the keys and certificates that underpin machine identity, hackers can essentially shape-shift into an entity that appears trustworthy, sneaking past defences without raising any alarm bells. Enterprises therefore need to be able to determine who they’re letting in and whether they are who they really say they are.
The fact is that unlike human identities, the world of machine identity is relatively uncharted. Every year the number of machines in our environment grows, yet we are still trying to manage this explosion using spreadsheets – it’s no wonder hackers are waking up to this huge gaping hole in enterprise security.
Craig Stewart, VP EMEA, Venafi
Staff Ignorance is Key
One of the most significant threats to a company’s cybersecurity isn’t hackers, or ransomware; it’s ignorance. Many staff members are of the opinion that guarding against cyber threats is the IT department’s responsibility, but the reality is that the majority of security breaches are the result of human error. Your security strategy can only do so much if your end users click on links in spam emails, and lock their accounts with the same password they’ve been using for ten years.
The most important thing a company can do to protect itself in the face of advancing security threats is to initiate a sea change in their workplace. Businesses need to position cybersecurity as an ‘us’ issue, rather than a ‘them’ issue. Employees need to understand that cyber threats don’t come through a single, mythical pipeline behind their firewalls, but attack from all angles, on all fronts.
With cyber threats constantly evolving, businesses need to be more reactive in the way they educate their employees; having staff read and sign a list of rules once a year isn’t enough. It’s just as important to “patch” your people as it is your software. Businesses should regularly circulate concise and informative updates, ensuring all staff are aware of any new trends or known threats to look out for.
Mark Hill, CIO, Nigel Frank International
Account Takeovers are Widespread
Because of sensational headlines focusing on nation-state attackers, enterprises tend to think first about those kinds of risks rather than about the more common ones. Account takeovers are much more prevalent for the purposes of fraud in retail, banking, airlines and any place where criminals can steal or monetise something of value.
Getting access to email accounts is most important for attackers, as that's where password reset emails and other alerts are sent; they're the keys to the kingdom. This means that all employees should be using two-factor authentication, for their accounts, regardless of whether they have access to privileged information.
Wendy Nather, director of advisory CISOs, Duo Security
Failure to Monitor
Not monitoring is a risk, particularly when not many do it well or at all. Many organisations have failed to do a good job of monitoring their networks, which is how we ended up with the situation whereby average time to detect issues is 200 days, and arguably why GDPR scares people so much. How the hell would we know if we had been hacked and data was lost?
One of the ways of effectively monitoring is with the security phoenix rising from the ashes: Intrusion Detection Systems (IDS). IDS is probably the best example of a security tool that for years was thought to be dead, and one that you could argue should have solved a lot of monitoring and threat detection issues.
So why is a tool that has been around for years and almost went extinct on the list of tools to help with the risks most commonly underestimated? IDS is the boy who cried wolf over the years. IDS gets deployed and someone does basic tuning, thinking they will come back and tune it later. The problem is that tuning is an ongoing job that requires expertise and people who know what they are doing to get real value, as opposed to noise.
After some time and many false positives, the IT team is desensitised to the alarms and ignores them until someone comes to renew the product and throws some tuning back at them. Then there is the issue of time spent to investigate and the continued tuning. Who has the time, who is aligned to the business closely enough to know what normal looks like, and can they even handle the speed of change at today’s rate of evolution? Is traditional security built to handle today’s challenges at all?
So why do we need IDS now? Many businesses today are starting to realise that just relying on blocking tools is not the right approach; businesses still get hacked with the best blocking tools and biggest budgets. In many cases it’s the lack of visibility that has led to businesses missing the obvious signs of attack and, worse still, of successful attack.
What was missing back in the day was that organisations bought tools with no expertise when they needed a service, and so ended up with shelfware. What they needed was an expert, tuning and investigating 24/7 with product improvement, not only servicing the IDS when they were not doing the other 101 things they have to do.
The next issue with IDS is the unknown. How do we handle what is suspicious but not currently a known threat? You can’t build rules for a threat you have no idea of; this is compounded by the volume of suspicious traffic, and so it was almost impossible with IDS to handle that volume – until now, with machine learning.
Oliver Pinson-Roxburgh, EMEA director, Alert Logic
Compromised Web Infrastructure
Malicious actors have been compromising legitimate web infrastructure for years now in an effort to effectively target a wide swath of victims on the internet. While RiskIQ does not see this trend changing in 2018, there has been a noticeable increase in cyber criminals compromising legitimate web properties to mine cryptocurrency.
While ransomware seemed to be the scourge of 2017, it seems that in the beginning of 2018, not a week goes by without a new report of a web page being compromised with malicious code that harnesses the power of unwitting victims browsers to mine for cryptocurrency.
While crypto mining scripts can be used by legitimate companies to monetize websites, the majority of sites identified running these scripts have not installed the mining software for legitimate purposes, but rather have been compromised with the intent of hijacking a visitor’s browser resources.
Steve Ginty, senior product manager, RiskIQ
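Aatish Pattni’s CoinHive figures above and Steve Ginty’s point about compromised web properties describe the same artefact: a script tag pulling the CoinHive library and a call to `CoinHive.Anonymous(...)` or `CoinHive.User(...)` injected into a page the site owner never touched. The scanner below is an added example, not code from Check Point or RiskIQ; it looks only inside `<script>` tags and script `src` URLs so that a news article that merely mentions CoinHive is not flagged. The three pages it scans are constructed, and the site key is a placeholder. The CoinHive library path and constructor names are the real ones from that (now defunct) service; the `cryptonight` string match is a heuristic for other in-browser miners.

```python
import re

# Indicators of in-browser Monero mining. The library URL and constructors
# are CoinHive's real ones; "cryptonight" is a heuristic for other miners.
MINER_PATTERNS = [
    ("coinhive-library", re.compile(r"coinhive\.min\.js", re.I)),
    ("coinhive-start", re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I)),
    ("authedmine", re.compile(r"authedmine\.com", re.I)),
    ("cryptonight-string", re.compile(r"cryptonight", re.I)),
]
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def miner_indicators(html):
    """Return the set of indicator names found in a page's scripts.

    Both external script URLs and inline script bodies are checked; text
    outside <script> tags is ignored so prose about CoinHive is not a hit.
    """
    found = set()
    candidates = SRC_RE.findall(html) + SCRIPT_RE.findall(html)
    for text in candidates:
        for name, pattern in MINER_PATTERNS:
            if pattern.search(text):
                found.add(name)
    return found


# Constructed pages: one injected with the classic CoinHive loader, one
# clean, one that only mentions the name in prose.
PAGES = {
    "compromised.html": """<html><body><h1>Shop</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
miner.start();</script></body></html>""",
    "clean.html": """<html><body><script src="/static/app.js"></script>
<p>Welcome</p></body></html>""",
    "news.html": """<html><body><p>CoinHive hit one in five firms in January.</p>
<script>console.log('analytics');</script></body></html>""",
}


def scan_pages(pages):
    """Map each page name to the sorted list of indicators found in it."""
    return {name: sorted(miner_indicators(html)) for name, html in pages.items()}


if __name__ == "__main__":
    for name, hits in scan_pages(PAGES).items():
        print(name, "->", hits or "clean")
```

On a real site, feed the function the HTML fetched for each URL in the sitemap and, because injected loaders are often added to a shared template, diff the script list between crawls: a new external script host appearing on every page at once is the signal even when the miner itself is renamed.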
Mobile Working Presents Fresh Risks
A key element of digital transformation is the increased use of mobile working for business needs away from the office, but this can also expose organisations to cyber security risks.
One example of this is the Key Reinstallation Attack (KRACK) vulnerability, which allows an attacker to intercept and read Wi-Fi traffic between devices and a Wi-Fi router, and in some cases even modify the traffic to inject malicious data into websites.
It could even allow attackers to obtain sensitive information from those devices, such as credit card details, passwords, chat messages and company-sensitive emails. While a new WiFi security protocol is expected to be released later this year, we can still expect to see an escalation of attacks over public or open WiFi connections until that time.
To mitigate these risks, companies should use virtual private networks (VPN) to encrypt traffic flowing between laptops and enterprise services, but it can be more challenging to protect sensitive data that employees access using their own mobile phones.
This is a particular risk, given that Android devices are vulnerable to the most extreme and devastating variant of attacks exploiting the KRACK vulnerability. To alleviate these dangers, organisations should take steps to monitor and secure all endpoints used by staff to access company data. It is also vital to educate employees about the best ways to work securely while remote working and using personal devices.
Ian Goslin, managing director, Airbus CyberSecurity UK
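What the KRACK attack Ian Goslin mentions actually forces is reuse of the per-packet nonce: a replayed handshake message makes the client reinstall its session key and reset the packet counter, so two frames are encrypted under the same key and nonce. CCMP and GCMP are counter-mode ciphers, and a counter-mode cipher that repeats a nonce repeats its keystream, which is why the attacker can read traffic without learning the key. The block below is an added example, not code from Airbus or from the KRACK authors; it substitutes an HMAC-SHA256 counter keystream for AES-CTR so that it runs on the standard library alone (the nonce-reuse property is identical), and the key, nonces and two HTTP frames are constructed.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = PRF(key, nonce || i).

    Stand-in for CCMP's AES-CTR built from HMAC-SHA256 so no third-party
    crypto library is needed; same key + same nonce = same keystream, which
    is the property KRACK exploits.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream (decrypt is the same)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_second_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If ct1 and ct2 share a keystream then ct1 XOR ct2 == pt1 XOR pt2, so a
    known or guessable pt1 (a protocol header, say) yields pt2 with no key."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor(xor(ct1[:n], ct2[:n]), known_pt1[:n])


# Constructed session key and frames. In the attack the client is made to
# reinstall its key with the packet number reset, so both frames use nonce 1.
PTK = hashlib.sha256(b"demo-pairwise-key").digest()
NONCE_1 = (1).to_bytes(6, "big")
NONCE_2 = (2).to_bytes(6, "big")
PT_A = b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n"
PT_B = b"POST /login HTTP/1.1\r\nuser=alice&pass=hunter2"


def demo(reuse_nonce: bool) -> bytes:
    """Encrypt two frames and try to recover the second from the first."""
    ct_a = encrypt(PTK, NONCE_1, PT_A)
    ct_b = encrypt(PTK, NONCE_1 if reuse_nonce else NONCE_2, PT_B)
    return recover_second_plaintext(ct_a, ct_b, PT_A)


if __name__ == "__main__":
    print("nonce reused :", demo(True))
    print("fresh nonce  :", demo(False))
```

With the nonce reused the second request, credentials included, falls out of the XOR of the two ciphertexts; with a fresh nonce the same computation yields noise. This is also why the VPN advice above holds: a second layer of encryption with its own keys and nonces means the Wi-Fi keystream reuse exposes only another layer of ciphertext.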
Insecure Software Adopted Widely
One of the greatest cybersecurity risks that companies are currently underestimating are those introduced by insecure software.
Many organisations are undergoing massive digital transformation projects to create new revenue streams and optimise processes, with over two thirds of British business leaders reporting their budget for software implementation increased as a result. But with less than a third of software applications failing security tests when measured against the OWASP Top 10, which checks against the most important vulnerability categories in web applications, it’s clear digitisation is amplifying the cybersecurity risk.
The risk from insecure software is enhanced as organisations are failing to actively monitor the components that can lead to security breaches, with less than 28% of businesses carrying out regular software composition analysis to find out what components are in their software and more importantly which parts are vulnerable. And ultimately, if you don’t know it’s broke, you can’t fix it.
With the Verizon DBIR showing that almost 60% of breaches involve web applications, it is essential to be testing early and often.
When purchasing software from external providers, ensure that they have security verification. When developing applications internally, ensure that security is built in throughout the software lifecycle.
Also educate your developers on the threat and how to mitigate security flaws, to ensure that software is secure by design. With eLearning, for instance, organisations typically see a 19% improvement in vulnerability fix rates.
Paul Farrington, manager, EMEA solution architects, CA Veracode
Basic Digital Hygiene
The two biggest and most underestimated cyber security threats for companies are simple basic hygiene and employee training. The media has been extremely active in reporting on breaches carried out by supposed elite hackers and this may be giving some companies a sense of false security. In fact, more data breaches occur through the cyber equivalent of leaving the window or back door unlocked for opportunistic criminals to walk through. Last year, Equifax, Time Warner and Verizon’s high-profile breaches were all traceable to failures of basic hygiene within the organisation.
Of course, it’s important that organisations are properly protected against attacks from outside. However, this protection starts internally. IT systems must be properly configured, maintained and managed – even if they’re billed as secure straight out of the box. But it’s poorly defined or insecure internal processes that can result in the most danger. Employees must be carefully trained in the handling of data and protocols must be constantly refreshed. This is where the CISO is key.
CISOs must be the conduit from Board-level management down throughout the company. Their main role is to promote a data management culture which must cover all forms of information. With regular training, staff won’t become complacent and will stay up-to-date with ongoing events. Staff should be trained to identify behaviour that is unusual or odd. In many cases following a breach, co-workers may say they thought something was ‘off’. Making sure that they flag these cases well in advance of a breach should form a key part of data hygiene education.
There will always be skilled hackers trying to break in and this will always receive lots of attention. However, the underestimated threat is potentially the most dangerous—leaving the doors and windows unlocked from the inside.
Gareth Lindahl-Wise, director of cyber risk, ITC Secure
The Notion that More of the Same is the Right Approach
The biggest threat currently underestimated is the assumption that continuing to do more and more of what we have always done to secure our organisations is an effective way of controlling and managing the risks faced by organisations today and in the future.
Dr Anton Grashion, manager – security practice, Cylance
Sub-Saturating DDoS Attacks
The vast majority of DDoS attacks last less than 10 minutes in duration and are less than 5Gbps in size, but many companies mistakenly believe that this means they are harmless. While attacks of this size are unlikely to cause lasting downtime or customer complaints, the worrying truth is that they often mask more serious network intrusions.
Due to their small size, these sub-saturating DDoS attacks tend to go undetected by IT security staff and many DDoS protection systems. However, they are just disruptive enough to knock a firewall or intrusion prevention system offline so that the hackers can target, map and infiltrate a network to install malware and engage in data exfiltration activity.
Most DDoS protection strategies employ a network monitor to detect anomalies, human intervention to analyse these anomalies, redirection of the suspect traffic and a DDoS scrubbing centre to cleanse the traffic. The detection and human analysis typically takes 10 minutes. Logically, this must mean that most attacks are going un-mitigated and many will go un-detected due to the detection and analysis delays. Reassured by the belief that these attacks “don’t cause a problem”, it is reasonable to conclude that the full extent of the DDoS threat is, at best, being massively under-reported to senior management and compliance teams.
But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives. Hopefully it won’t take a catastrophic, category one (C1) style cyberattack for the majority of companies to wake up to this threat.
Andrew Lloyd, president, Corero Network Security
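The mismatch the text describes, as an added example that is not code from the article or from Corero: a constructed per-second traffic trace is run through a model of the saturation-alert-plus-analyst pipeline (10 minute delay before scrubbing) and through a simple burst detector that flags any short run above baseline regardless of size. Thresholds, baseline and burst figures are assumptions.

```python
# Added example, not code from the article or Corero. Figures assumed
# from the text: bursts under 10 min and 5 Gbps, 10 min detect-and-analyse delay.
SATURATION_ALERT_GBPS = 5.0   # assumed trigger of a saturation-focused monitor
DETECTION_DELAY_S = 600       # detection plus human analysis, per the text
BASELINE_GBPS = 0.8           # constructed normal inbound rate
RATE_MULTIPLIER = 2.0         # burst detector: anomaly if > 2x baseline
MIN_BURST_S = 30              # ignore blips shorter than this

def build_trace(seconds, bursts):
    """Constructed per-second inbound Gbps; bursts are (start, duration, gbps)."""
    trace = [BASELINE_GBPS] * seconds
    for start, duration, gbps in bursts:
        for t in range(start, min(seconds, start + duration)):
            trace[t] = gbps
    return trace

def saturation_pipeline(trace):
    """Monitor -> analyst -> scrubbing centre. Alerts only on a saturation-level
    rate; scrubbing becomes effective DETECTION_DELAY_S after the alert.
    Returns (alert_times, attack_seconds_that_passed_unmitigated)."""
    alerts, unmitigated, scrubbing_from = [], 0, None
    for t, gbps in enumerate(trace):
        if gbps <= BASELINE_GBPS * RATE_MULTIPLIER:
            continue                          # no attack traffic this second
        if scrubbing_from is None and gbps >= SATURATION_ALERT_GBPS:
            alerts.append(t)
            scrubbing_from = t + DETECTION_DELAY_S
        if scrubbing_from is None or t < scrubbing_from:
            unmitigated += 1
    return alerts, unmitigated

def burst_detector(trace):
    """Flag every run above RATE_MULTIPLIER x baseline lasting at least
    MIN_BURST_S, regardless of size, as (start, end_exclusive, peak_gbps)."""
    found, start = [], None
    for t, gbps in enumerate(trace + [BASELINE_GBPS]):   # sentinel closes a run
        above = gbps > BASELINE_GBPS * RATE_MULTIPLIER
        if above and start is None:
            start = t
        elif not above and start is not None:
            if t - start >= MIN_BURST_S:
                found.append((start, t, max(trace[start:t])))
            start = None
    return found

def sub_saturating(detections):
    """The attacks the text warns about: below the alert level and shorter
    than the pipeline's own detection delay."""
    return [d for d in detections
            if d[2] < SATURATION_ALERT_GBPS and d[1] - d[0] < DETECTION_DELAY_S]

# Constructed scenario: two short sub-saturating bursts, then one volumetric attack.
BURSTS = [(100, 300, 3.0), (2000, 420, 4.5), (5000, 1200, 8.0)]
TRACE = build_trace(7200, BURSTS)
```

On this trace the pipeline raises a single alert for the 8 Gbps attack and 1,320 attack-seconds pass before scrubbing is active, while the burst detector reports all three runs and classifies the first two as sub-saturating.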
Email Hacking: Not Just High-Profile Targets
Recently the hacking of David Beckham’s PR agency’s emails and the infiltration of the Democratic National Committee’s computer system were stark reminders of the harm organisations can be exposed to – both reputational and financial.
However, it’s not just celebrities and political parties that are at risk from email hacking.
Every company – large or small – that uses email could be in danger if it doesn’t secure valuable data and communications from third-party interception. We have seen examples of billions wiped off company valuations as a consequence of ‘data leakage’, and whilst encrypting messages can stop interception and data abuse/identity fraud, companies also need to make sure their staff are aware of the danger cyber hacking poses for their business and are well trained to spot threats.
The Information Commissioner’s Office has also identified that simply encrypting information doesn’t solve the problems that can ensue if data is sent to the wrong party.
Customers quite rightly expect their data to be treated with respect by businesses, so protecting it in every way possible is critical – not just to avoid fines and embarrassment but also because all organisations have a responsibility to be decent corporate citizens.
Paul Holland, CEO, Beyond Encryption
Active Directory Security
Companies are still underestimating the importance of securing their Active Directory (AD) against cyberattacks. For an attacker to gain the most ransom and return on investment, they will usually look to infiltrate systems that include the most sensitive files. Therefore, a network that comprises a collection of the company's information and employees' sensitive data is destined to be the first port of call for a threat actor.
Active Directory is the primary authentication and authorisation directory for over 90% of the world's enterprises and some 500 million active user accounts; and worryingly, more than a whopping 95 million AD accounts are under cyberattack on a daily basis, according to Microsoft.
Therefore, in order to properly protect against insider and outsider threats, plus avoid heavy costs and significant damage to reputation, organisations must look to adopt a continuous lifecycle methodology with an end-to-end hybrid AD security solution.
Colin Truran, principal technology strategist, Quest Software
Skipping the Basics
Many organisations skip the basics when it comes to cyber security and move straight on to ‘installing a SOC’, which isn’t going to work when you don’t know what you need to actually protect or what is at risk.
So what do we mean by basics? To begin with, the stakeholders/board members need to work out what their worst-case scenario would be with regard to security. For many, this would be someone hacking in and stealing funds; for others, e.g. a legal entity, it may be an email list being hacked, which would be a huge confidentiality breach. So you need to understand your assets and what could happen to them if you were hacked.
Knowing ‘what you’ve got’ (servers etc.) is of extreme importance (and ensure the team knows what they are and what needs protecting). Taking the basic steps is critical and often it’s these that are overlooked or their importance is underestimated.
However, understanding what’s precious, what the risk is and the impact of that risk isn’t enough – the board needs to communicate this down to the rest of the team, especially CIOs and delivery managers.
Glyn Wintle, co-founder and CTO, dxw cyber
A Lack of Breach Detection
The cybersecurity risk most underestimated by businesses isn’t related to a new type of threat, growing digitisation, or the dangers of operating within a supply chain. While these are all important issues, perhaps the biggest cause for concern is organisations’ failure to discover and respond swiftly to data breaches. Regardless of in-place security controls, every business is at risk of being compromised by a skilled and persistent hacker. Having robust cyber security defences goes a long way to help deter attacks but sadly there is no silver bullet.
Unfortunately, too many breaches still go undetected. For those that are, the average time of detection is 191 days – by which time it might already be too late. In 2018, the businesses most at risk are those that don’t have the capability to proactively identify intruders, or believe that the strength of their perimeter security makes them immune to being compromised.
Recently there has been a sharp rise in breach claims being made against businesses. In such instances, organisations can struggle to verify whether attackers are genuine, which is a deeply troubling position to be in.
With the GDPR coming into force this year, it is not acceptable to be ignorant of data breaches or sweep them under the carpet. Being able to quickly detect if someone is on your network and report the extent of the attack is more important than ever.
Andy Kays, CTO, Redscan
The Dangers of Email
Today, the biggest and most commonly used attack vector for cyber criminals trying to breach an organisation is email. In fact, using data collected from endpoints around the world, our Security Insight platform reveals that in the last 30 days 15,143,470 of the 15,342,074 zero-hour advanced threats faced by the organisations being monitored were launched via email.
The threat posed by email is nothing new, yet its evolution has meant that many organisations still underestimate the impact that a single attack can have and, as such, leave themselves vulnerable. The reality is that, nowadays, securing the gateway alone is not enough. Organisations need to take a layered approach to email security and invest in both effective technologies and staff training.
When it comes to preventing an email attack, often your employees are your last line of defence. And, given that cybercriminals are becoming increasingly clever, putting huge amounts of time and money into creating targeted spear phishing campaigns which are designed to bypass traditional security measures, investing in your ‘human firewall’ has never been more important. User awareness courses and phishing simulation tools can help to train employees throughout the entire business and transform humans from a security liability to a strength.
Chris Ross, SVP international, Barracuda Networks
Quality Cybersecurity Resources Out of Reach for Many Businesses
One of the biggest risks in the cybersecurity sphere is the fact that capable, cyber-savvy resources are out of reach for the majority of organisations, creating a cyber skills gap in public sectors such as healthcare and local government.
The cybersecurity bandwagon is well and truly rolling with all the whooping and hollering that accompanies a new age and new technology. This is driving unprecedented levels of recruitment in all sectors that can afford to pay the big bucks and land the best people. Often these highly sought individuals are little more than graduates straight out of University with a cybersecurity degree.
Whilst everyone is trying really hard to create cybersecurity professionals from virtual thin air, the stark reality is that demand is going to continue to outstrip supply for a good few years. In this vacuum of talent, wages are only going to keep going up and keep those people out of the reach of those sectors that desperately need to secure our data and deliver vital services.
In the meantime, organisations should adopt the basics as outlined in the government’s Cyber Essentials scheme and encourage cyber aware cultures to take root in order to help reduce the threats they face.
Until supply meets demand, we need to both think differently and operate in other ways. Automation is going to be important but not as a way to replace people like we see happen in so many other industries, but automation that enables people to concentrate and focus on the key questions rather than the underlying problems. The tools available need to be both innovative, but much more importantly, transformative.
Andy Rees, director, XQ Cyber
Dangers in the Hybrid IT Environment
Hybrid IT is the new normal for the enterprise. Beyond a mix of public and private cloud services, it recognises that organisations’ cloud and legacy technologies must coexist for the foreseeable future. Yet maintaining consistent security controls across the entire hybrid IT environment is growing increasingly complex as more cloud services are adopted.
Operational support for legacy and cloud services is often divided between distinct teams and tools. As these cloud services interact with data on legacy systems, businesses are allowing gaps in security coverage between systems – and either underestimating the extent of this issue or not even noticing it. These cybersecurity gaps are often missed because coverage may be sufficient on one platform but not on another. Yet attackers are identifying these opportunities and exploiting them.
Companies should not underestimate the importance of maintaining consistent security controls across hybrid environments. Implementing predictive analytic technology to visualise and analyse threats across different computing environments will enable IT to spot attack patterns, detect threats and neutralise them faster. Combining this with privileged user management, data encryption and an integrated identity and access management system will allow organisations to strengthen security in their hybrid IT environment by both protecting the data that criminals are after and spotting unusual patterns of behaviour.
Travis Greene, identity solutions strategist, Micro Focus
Adequately Empowering Employees with Cybersecurity Training
In terms of underestimating cybersecurity risks, organisations often don’t empower their employees so that they are the first line of defence rather than the first point of vulnerability.
In an era of social engineering, hacking can easily occur through targeting individuals to provide confidential or personal information that is then used fraudulently. The attack can take many forms including requests that are made to look like they are from bona fide senior members to undertake an activity that the user would usually undertake, requests to change supplier bank details, or requests for information.
The key to avoiding a hack is to teach the user to be constantly vigilant about potentially suspicious activity; if emails and requests seem odd, they probably are.
An effective way to achieve this is to reinforce employees’ understanding about the risks with routine internal, but controlled ‘phishing scams’ to identify areas of weakness, which can then be addressed. Tests can include emails coming from different email addresses, links to non-company URLs in the email, and requests to provide credentials such as passwords or sign-in to an account directly from a link in the email.
Training teams to both recognise fraudulent emails and know what action to take should they receive one is a critical element in preventing breaches. The additional benefit is that testing can be manual and does not have to be expensive, just consistent to ensure resilience is developed.
Simon Persin, director, Turnkey Consulting
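The three test indicators listed above (an unfamiliar sender address, links to non-company URLs, and a request for credentials), as an added defender-side scorer that is not code from the article or from Turnkey Consulting; the company domain, the phrase list and both sample messages are constructed.

```python
# Added example, not code from the article or Turnkey Consulting: score a
# message against the three test indicators the text lists. Company domain,
# phrase list and both sample messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAINS = {"example.com"}                      # assumed corporate domain
CREDENTIAL_PHRASES = ("password", "sign in", "log in", "verify your account")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_company_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)

def phishing_indicators(raw_message):
    """Return the set of indicator names that fire for a plain-text message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    hits = set()
    _, sender = parseaddr(msg.get("From", ""))
    if not is_company_host(sender.rpartition("@")[2]):
        hits.add("external_sender")           # sender domain is not ours
    if any(not is_company_host(urlparse(u).hostname) for u in URL_RE.findall(body)):
        hits.add("non_company_link")          # at least one link leaves our domain
    if any(p in body.lower() for p in CREDENTIAL_PHRASES):
        hits.add("credential_request")        # asks the reader to sign in / give a password
    return hits

# Constructed samples: a look-alike sender domain with a reset link, and a
# routine internal message.
PHISHING = """\
From: IT Helpdesk <helpdesk@examp1e.com>
To: staff@example.com
Subject: Action required: password expiry

Your password expires today. Sign in at https://sso-example.com/reset
to keep your account active.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Q3 figures

Slides are on https://intranet.example.com/q3 - see you at 3.
"""
```

Each indicator maps to one of the test types in the text, so the same scorer can grade both simulation emails and staff reports of suspicious messages.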
The Importance of Assisting Employees with Password Management
Password mismanagement has to be up there. With weak, reused and compromised passwords being the cause of many breaches, it’s worrying that a recent study highlighted that 75 per cent of IT executives lacked control over password security in their organisations. In many cases, employees are being left to their own devices, with companies failing to implement the right technology to close the divide. We’re also increasingly seeing the lines between work and personal accounts blurring, which can have a knock-on effect on enterprise security.
Thankfully, following the high-profile data dumps that hit companies including Equifax, Yahoo and Uber, many CIOs and security chiefs are starting to realise the burden of password management cannot be left to employees who could likely continue this lackadaisical approach to security with corporate accounts. And, with GDPR on the horizon, the impact of a breach may be more costly than ever before.
Business leaders, IT teams and security professionals need to understand the threat that poor password management can pose to company security. To combat it, they must ensure that they don’t just educate employees on best security practices, but that they also provide the right tools.