The 7 Cyber Security Threats Your Company Is Overlooking
8 August 2017 12:29
With phishing and ransomware attacks taking up most of the headlines in the tech world, businesses are finally starting to roll up their sleeves. But the less obvious dangers still aren't getting the love and attention they need. Here are the 7 main threats your company might just be overlooking.
As cyber security slowly creeps towards boardroom level, companies of all sizes are taking potential attacks more seriously than ever. But what about the smaller and less obvious types of attacks? If these little guys don't get the love and attention they need, then their bite could be a lot more painful than many of us care to realise.
Here are 7 of those threats your company might just be overlooking...
#1 Data is becoming more mobile
Working solely from PCs or laptops is now a thing of the past for most businesses. Mobile phones, tablets and even wearable technologies now have access to company data. But businesses simply aren’t matching this movement when it comes to protecting the data stored on those devices.
Not only is corporate data at risk; social information is also easily handed over by end users. Claiming freebies and promotions often means parting ways with their email address, username or social media profiles. This data can eventually end up as public information should a data breach occur.
There needs to be an understanding that these types of mobile devices just aren’t built for data storage in the way that PCs and laptops are. There's a lot of configuration management that has to be done to ensure users are storing data in the right place, and not in their personal iCloud accounts.
#2 Open-source app development widgets
The way applications are developed has changed a lot over the past few years. They’re now built by third-party agencies who are often lacking when it comes to security experience, and they’re missing the steps and testing of old.
Even in production, attackers can open the door to sensitive information by targeting non-critical applications. But perhaps the scariest part is that the technologies being used were built by the bad guys.
Today’s developers create apps with widgets and frameworks. They prefer open-source tools, and a lot of those components were built by attackers. Developers need to work with security teams to ensure they are doing the right thing. Automation could help developers make secure decisions without always being aware of it.
#3 Your employees aren't educated
One of the biggest problems with cyber security is the belief that it is purely a technology problem. The easiest reply to that is -- it’s not. Every end user has a responsibility to protect company data and act with caution. But, in fairness to employees, security awareness in the workplace just isn’t good enough.
And how can it be? It’s still too common for many boards to drop security awareness onto the shoulders of a CISO. Security training is needed on all levels. Hackers are increasingly targeting lower-level employees, as they know they’re a much easier target.
Educating users on the importance of cyber security and data protection should be on every board's agenda. But, sadly, the increasing number of successful data breaches caused by human error paints a clear picture that this is still a long way off.
#4 The Internet of Things (IoT)
When people think of the Internet of Things, they think of smart accessories or connected appliances. But that's where other IoT threats can glide subtly under the radar. A lot of people don't actually realise that much bigger pieces of tech, like industrial control systems, are also IoT devices -- which makes securing them a much more difficult job.
Businesses are also struggling to keep up with IoT devices outside of their critical infrastructure. Appliances, like smart refrigerators, are increasing and can put corporate data at risk if hacked. If your IoT home devices are hackable and are on your network along with your laptop, what's protecting them? Businesses know to protect their critical infrastructure, but they're less aware of how connected home devices and appliances affect security.
Part of the problem with IoT security is that manufacturers don't provide long-term support, leaving technologies exposed. From their perspective, it makes more sense to discontinue a product after less than ten years because the cost of changing hardware is so high.
#5 Encryption practices aren't good enough
Most businesses have a good focus on encryption and have mastered the encryption of data in transit. But a failure to secure data at rest means encryption isn't being given its full value.
If we don't have the security platform in place -- the key controls, identity access management -- encryption is nothing. Breakdowns in identity strategy and soft data management practices leave information at risk.
Sloppy key management also lowers the barrier to entry for cyber criminals. Many businesses store encryption keys on the same system as the data and give the keys to many employees. When everyone has access to the keys, it's the same as not being locked.
#6 Malvertising hasn't disappeared just yet
Malvertising, not long ago, was seen as a growing threat in the cyber world. Although it may have dropped off the radar lately, the threat of malicious advertising has changed, and could potentially creep back into attention.
It used to be that malvertising targeted high-profile media sites. But attackers learned that those attacks brought a lot of attention. Now, they’re targeting smaller names with a lot of traffic and less visibility -- from foreign websites and file-sharing.
Attackers rely on malicious ads to generate revenue, but they're also used to collect identities or install malware that can be used to add a machine to a botnet in the future. Contractors are more likely to overlook malvertising compared with full-time employees who manage websites.
#7 The "Evil Maid" attack
Employees aren't just bringing corporate devices home with them; they're taking them to cafes, hotels, airports, and other Internet-connected places, increasing the risk of attacks. There's a danger of leaving a device unattended in a place where someone might be able to access it.
Physical access to a computer, unless full hard drive encryption is enabled, means that it should be hackable. "Evil maid" attacks, for example, target machines that have been left unattended for the purpose of stealing information or installing malware, and go unnoticed because the device isn't physically stolen.
But the security risks of business travel don't stop there. Company executives often log into their email accounts from computers in highly populated business areas during business events and conferences. There's no reason why those machines couldn't be passively monitoring everything being entered.