According to Gartner research, the nature of cybersecurity threats is changing. State-sponsored threats are on the rise; multivector DoS attacks, for example, are the new normal. AI is being turned against us, just as science fiction has been warning for years. Even well-worn approaches to hacking — like ransomware and phishing — are getting makeovers, being applied in new and innovative ways.
In order to effectively secure networks and data, Chief Information Security Officers (CISOs) have to stay on top of constantly evolving cyber threats.
Top cybersecurity risks for CISOs in 2020 and beyond
Here are five IT security concerns and cyber threats CISOs should consider as they work to secure their data ecosystems.
1. The Internet of (easily compromised) Things
The Internet of Things (IoT) is everywhere — on your wrist, in your home, and at your place of business. Everything from manufacturing equipment to tea kettles is becoming smart, but IoT devices are often not secured properly.
Many aren’t built with any security at all. According to Ponemon, 80 percent of IoT and 71 percent of mobile applications aren’t tested for security vulnerabilities, so their flaws stay unknown until someone finds them. If an unsecured device sits on the same network as your other devices, cybercriminals can use that device as a gateway to your systems, which is why keeping such devices on a segmented network matters.
The other issue with the IoT is that it’s hard to keep track of. Employees may bring their own unsecured devices to work and connect them to your network, not realizing they’re creating doorways for bad actors. More than 67 percent of employees use their own devices at work, and with the IoT creeping into more devices, like fish tanks or office coffee machines, even employees at offices with strict BYOD policies may not realize they’re creating risk.
2. Cloud-based malware attacks
As more and more businesses migrate data and core business processes to the cloud, the cloud will increasingly be targeted by cybercriminals. While you might hope your cloud vendors are secure, that’s not always the case. Bad actors are continuously deploying ransomware against cloud providers.
This tactic probably won’t work against the biggest cloud providers, according to MIT Technology Review, but check on your smaller cloud providers; they may not be as well defended. Smaller vendors, says MIT, don’t have the budget of Google and Amazon, and are more likely to be targeted by — and fall prey to — ransomware attacks.
3. AI phishing
Ah, phishing. Phishing is one of the classics; it never really goes away. Verizon’s 2019 Data Breach Investigations Report lists phishing as responsible for 32 percent of all data breaches in 2018. The recent change is that bad actors are now bringing their pet robots phishing with them.
Take spear phishing, which uses targeted digital messages to trick people into installing malware or giving up valuable data. This sort of phishing works particularly well on mobile users, according to Verizon, but it’s labor-intensive on the part of the cybercriminal. Not so with AI, which, according to MIT Technology Review, can now create convincing fake messages without tiring. That means the volume of these personalized messages is likely to increase, and more training will be needed to keep employees and vendors from falling for them.
4. Internal breaches
The call is coming from inside the house! One of the biggest threats faced by all CISOs is an internal one. According to Verizon’s report, breaches caused by system admins continued to rise last year, and 34 percent of breaches were perpetrated by internal actors.
Internal breaches sound alarming — and they are, but not for the reason you might think. You probably don’t have cybercriminals on staff or working for your third parties. Instead, most internal breaches come down to insiders making mistakes: a vendor might have misconfigured their Amazon Web Services (AWS) buckets, or someone on staff has mistakenly exposed information to the open internet.
5. Third parties
Cybersecurity risks are challenging enough when you’re focusing on your own organization. But you do have some control over your own security; you can create policies that protect your data and networks, control devices, and — for the most part — keep track of your employees’ behavior when it comes to cybersecurity threats.
Things get more complicated when you have to take into account the cybersecurity threats posed by your third parties: your vendors and partners, who often have access to your network. According to Ponemon’s 2018 Data Risk in the Third-Party Ecosystem report, 61 percent of US companies have experienced a data breach arising from third-party actions.
Having to worry about the cybersecurity of your third parties (and their third parties) may seem like a hopeless task. You can distribute security questionnaires to vendors, but those questionnaires only capture a single moment in time.
How SecurityScorecard can help
Managing third-party relationships can be a labor-intensive administrative task. Automation, however, can help you manage risk easily while continuously monitoring the risk associated with your third parties.
SecurityScorecard’s Atlas uses machine learning and advanced artificial intelligence to streamline the third-party risk management process. Your organization can easily upload vendor responses to questionnaires. Atlas compares their answers to previous questionnaires and the platform’s analytics, immediately alerting you to any issues and recommending specific remediation.
In addition, our security ratings, based on an easy-to-read A–F scale, give your organization's leadership the documentation they need to prove governance over your vendor risk management program.