Posted on Jul 23, 2019
According to Gartner research, the nature of cybersecurity threats is changing. State sponsored threats are on the rise, for example and multivector DoS attacks are the new normal. AI is being turned against us, just like science fiction has been warning us for years. Even well-worn approaches to hacking — like ransomware and phishing — are getting makeovers, being applied in new and innovative ways.
In order to effectively secure networks and data, Chief Information Security Officers (CISO) have to stay on top of constantly-evolving cyber threats. Here are 5 threats CISOs should take into account when they’re securing their data ecosystems.
The Internet of Things (IoT) is everywhere — on your wrist, in your home, and at your place of business. Everything from manufacturing equipment to tea kettles are becoming smart, but IoT devices are often not secured properly.
Many aren’t built with any security at all. According to Ponemon, 80 percent of IoT and 71 percent of mobile applications aren’t tested for security vulnerabilities, which can be a problem. If an unsecured device is on the same network as your other devices, cybercriminals can use that device as a gateway to your systems.
The other issue with the IoT is that it’s hard to keep track of. Employees may bring their own unsecured devices to work with them and connect to your network, not realizing they’re creating doorways for bad actors. More than 67 percent of employees use their own devices at work, and with the IoT creeping into more devices, like fish tanks or the office coffee machines, even employees at offices with strict BYOD policies may not realize they’re creating risk.
As more and more businesses migrate data and core business processes to the cloud, the cloud will increasingly be targeted by cybercriminals. While you might hope your cloud vendors are secure, that’s not always the case. Bad actors are continuously deploying ransomware against cloud providers.
This is a tactic that probably won’t work in the biggest cloud providers, according to MIT Technology Review, but check on your smaller cloud providers; they might not be okay. Smaller vendors, says MIT, don’t have the budget of Google and Amazon, and are more likely to be targeted by — and fall prey to — ransomware attacks.
Ah, phishing. Phishing is one of the classics; it never really goes away. Verizon’s 2019 Data Breach Investigations Report lists phishing as being responsible for 32 percent of all data breaches in 2018. The recent change is that bad actors are now bringing their pet robots phishing with them.
Take spear phishing, which uses targeted digital messages to trick people into installing malware, or giving up valuable data. This sort of phishing works particularly well on mobile users, according to Verizon, but it’s labor intensive on the part of the cybercriminal. Not so with AI, which according to MIT Technology Review, is now able to create convincing fake messages without tiring, meaning the volume of these personalized messages are likely to increase, and more training will be needed to keep employees and vendors from falling for them.
The call is coming from inside the house! One of the biggest threats faced by all CISOs is an internal one. According to Verizon’s report, breaches caused by system admins continued to rise last year — 34 percent of breaches were perpetrated by internal actors.
Internal breaches sound alarming — and they are, but not for the reason you might think. You probably don’t have a cybercriminals on staff or working for your third parties. Instead, it means that insiders are making mistakes. A vendor might have misconfigured their Amazon Web Services (AWS) buckets, or someone on staff has mistakenly exposed information to the open internet.
Cybersecurity risks are challenging enough when you’re focusing on your own organization. But you do have some control over your own security; you can create policies that protect your data and networks, control devices, and – for the most part — keep track of your employees’ behavior when it comes to cybersecurity threats.
Things get more complicated when you have to take into account the cybersecurity threats posed by your third parties: your vendors and partners, who often have access to your network. According to Ponemon’s 2018 Data Risk in the Third-Party Ecosystem report, 61 percent of US companies have experienced a data breach arising from third party actions.
Having to worry about the cybersecurity of your third parties (and their third parties) may seem like a hopeless task. You can distribute security questionnaires to vendors, but those questionnaires only capture a discrete moment in time.
Managing third party relationships can be a labor intensive administrative task. Automation, however, can help you manage risk easily, while continuously monitoring the risk associated to your third parties.
SecurityScorecard’s Atlas uses machine learning and advanced artificial intelligence to streamline the third-party risk management process. Your organization can easily upload vendor responses to questionnaires. Atlas compares their answers to previous questionnaires and the platform’s analytics, immediately alerting you to any issues and recommending specific remediation.
In addition, our security ratings, based on an easy to read A-F scale, give your organization's leadership the documentation they need to prove governance over your vendor risk management program.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 9 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.