
2019 Cybersecurity Risks – Own IT. Secure IT. Protect IT

October is National Cybersecurity Awareness month, raising awareness about the importance of cybersecurity since 2004 and providing individuals and businesses the resources they need to be safer and more secure online. Own IT. Secure IT. Protect IT. – The theme of 2019, as proclaimed by The Department of Homeland Security, emphasizes personal accountability and stresses the importance of taking proactive steps to enhance cybersecurity at home and in the workplace.

Let’s discuss the biggest cybersecurity risks to be aware of in 2019.

1. 3rd Party Data Breaches

You likely have heard about, or have been impacted by, one of the recent large data breaches – from Target to Equifax. If a large organization can’t manage its own security, how can you? It feels as if no one is safe. Below are some great steps in the right direction…

For Businesses:

  • Adopt a security strategy and a security control framework, such as NIST, PCI or HIPAA, which outlines the basic security controls that can be implemented in your environment and/or highlights areas for improvement. Selecting the appropriate framework(s) depends on organizational objectives and regulatory requirements, among other things.
  • Select a 3rd Party security assessor to independently validate the integrity of your IT infrastructure and security controls. 3rd Party assessors should not be selected by IT, since that often results in a ‘check the box’ assessment rather than a truly objective one. The key to a successful security assessment is independent validation and verification of the organization’s security.

For consumers and businesses:

  • Adopt a password management system that provides rapid notification of 3rd party data breaches, fills in credentials during authentication, and generates random passwords to protect against credential / password stuffing.
    • Credential / password stuffing is a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
  • Consider adopting hardware authentication devices as a 2FA mechanism, which provides an additional layer of security. Hardware authentication devices not only reduce the need to remember complex passwords/passphrases but also enhance the organization’s overall security posture.
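As an added example (not code from the original post), a small detector for the credential-stuffing pattern described above: it reads a constructed login log, flags sources that try many distinct accounts within a short window with mostly failed attempts, and lists any account that did succeed inside such a burst so it can be reset. The log format, thresholds and sample addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-login log (not real traffic): "timestamp ip user result".
# 203.0.113.7 shows the stuffing shape (many distinct users, one try each, mostly FAIL);
# 198.51.100.9 is a normal user mistyping their own password and must not be flagged.
SAMPLE_LOG = """\
2019-10-01T12:00:00 203.0.113.7 alice FAIL
2019-10-01T12:00:01 203.0.113.7 bob FAIL
2019-10-01T12:00:01 203.0.113.7 carol FAIL
2019-10-01T12:00:02 203.0.113.7 dave OK
2019-10-01T12:00:02 203.0.113.7 erin FAIL
2019-10-01T12:00:03 203.0.113.7 frank FAIL
2019-10-01T12:00:03 203.0.113.7 grace FAIL
2019-10-01T12:00:04 203.0.113.7 heidi FAIL
2019-10-01T12:05:00 198.51.100.9 alice FAIL
2019-10-01T12:05:30 198.51.100.9 alice FAIL
2019-10-01T12:06:10 198.51.100.9 alice OK
2019-10-01T12:07:00 192.0.2.44 bob OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, success) from the line format above."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.7):
    """Return {ip: (distinct_users, attempts, fail_rate, accounts_that_succeeded)} for
    sources that hit >= min_users distinct accounts inside one sliding window with a
    failure rate >= min_fail_rate. Single-account brute force (one user, many tries)
    does not match this shape and is left to per-account lockout policy."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events outside window
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            rate = sum(not ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate >= min_fail_rate:
                # a success inside a stuffing burst is a likely compromised account
                flagged[ip] = (len(users), len(span), rate, sorted(u for _, u, ok in span if ok))
    return flagged
```

Calling `detect_stuffing(parse(SAMPLE_LOG))` on the constructed log flags only 203.0.113.7 and lists dave as the account to reset; the mistyped-password source is left alone.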

2. Business Continuity

Ransomware is a type of malware that can not only permanently block access to data but also threaten to publish the victim’s data unless a ransom is paid. Did you know that ransomware attacks are merely an emerging market for cybercriminals? That’s right. Although a big threat to business and consumer data, ransomware accounts for roughly $1 billion out of the whopping $1.5 Trillion cybercriminals are making.

Traditional backup methods are dead, e.g. backing up to hard drives, network-attached storage and/or tape. Regardless of whether you store locally and/or offsite, approximately 70 – 75% of backups fail, resulting in massive business impacts with outages ranging from 3 – 7 business days, to months, to some businesses having to close their doors permanently as a result of a single significant cyber impact, such as a ransomware attack.

Consider having a 3rd Party Assessor, such as Withum, conduct a business continuity assessment and/or implementing automated controls embedded in backups to identify and mitigate ransomware and data integrity attacks.

3. Windows 7 Operating System

Windows 7 will no longer be supported by Microsoft starting on January 14, 2020. These systems will have reached the end of their life cycle and will be highly vulnerable to attack, since they will no longer receive security updates. Security and vulnerability patching is a must. If you don’t patch, cybercriminals will do their job and hack your system. Just as you are aware that Windows 7 will be highly vulnerable after January 14, 2020, so are the cybercriminals.

Cybercriminals long ago adopted automated tools and scanning techniques to identify vulnerabilities, so identifying exposed and vulnerable systems is quickly accomplished through malicious code and Internet scanning. Once hackers identify a vulnerable system, it is exploited, often plundered for financial data and personally identifiable information (“PII data”). They then remain dormant, remotely monitoring activity and using the compromised systems and data to extort victims and to orchestrate additional cyberattacks.

Consider that allowing Windows 7 systems, even a single system, to reside on your network(s) makes not only that computer but also the network and its data vulnerable to exploits and intrusions.

4. Accounting for Data

Companies rely on the data that they collect – from employees, clients and the business overall. This can be everything from social security numbers and bank account information to health information and credentials. Losing this data could lead to the demise of your business and your reputation. 83% of SMBs lack the funds to deal with the repercussions of a cyberattack, as the average cyberattack carries a price tag of nearly $3 million.

Consider that accurate and verifiable accounting of confidential data is being mandated by new data privacy laws, such as GDPR, CCPA and the New York SHIELD Act, among others. Additional legislation, such as the Corporate Accountability Act, may impose criminal, civil and other sanctions against corporate executives who are found to be negligent and/or reckless with their businesses.

Ensuring accurate data flow mappings is a useful first step toward data privacy adherence. A data-flow diagram represents how data moves through a process or a system, including the inputs and outputs of each entity and of the process itself. Having a written record of data processing activities is a requirement for many organizations under GDPR Article 30 and a best practice even for those that are not required to keep one.

Independent validation of where your data resides, how it is being used and maintained, and whether it is leaking from your environment is critical to avoiding costly impacts and regulatory violations.

5. Firewalls

A firewall is a network security device or application that monitors and inspects traffic, much like a traffic cop or a US Customs inspection for data. However, a firewall is only as good as its configuration. Firewalls can scan for malicious traffic, inspect data packets (like opening a physical container) and enforce policy before malicious traffic enters or leaves a network or device.

Often, firewalls are misconfigured or are only set to protect against inbound traffic from the Internet. Modern threats and regulatory requirements mandate that inbound and outbound network traffic is properly inspected.

6. Single Factor Passwords

Many companies have still failed to implement multi-factor authentication, also known as 2FA (two-factor authentication). Multi-factor authentication means that there are two or more steps one must take in order to log into a system or application. If you have avoided implementing multi-factor authentication, now is the time to do it. Don’t select “Not Now” anymore!

At Withum, we use multi-factor authentication to access all of our systems – from our email and communication systems to our time and billing software. Once 2FA has been adopted, and over time, the delays in accessing systems and resources are relatively marginal. In comparison to a cyber impact, such as a hacker gaining access to systems and resources, the benefits of 2FA far exceed any potential inconvenience.

7. Insider Threat

We all think we know our employees, but according to the Verizon 2019 Data Breach Investigations Report, 34% of all breaches in 2018 were caused by those inside a company. This is up from 28% in 2017. An insider-related incident can cost a company up to $11.1 million a year in North America.

Consider deploying security controls both overtly and covertly to monitor for computer abuse and data privacy violations. In other words, some security controls should be visible to users and others invisible. If a threat actor is aware of all your security controls, regardless of whether they are an external hacker, an employee or a 3rd party vendor, they will look for ways around those controls. A silent alerting system will provide indicators of nefarious activity and anomalies, which will often allow enough time to mitigate serious impacts. Alerting systems should be meaningful, e.g. an alarm that constantly ‘sounds’ will inevitably be ignored.

8. Shadow IT Systems

What is a shadow IT system? Shadow IT refers to information technology systems built and used within an organization without explicit organizational approval, for example systems specified and deployed by departments other than IT.

Provide acceptable use policies for systems, data, communications and resources. Align security controls to policies and procedures. IT Security programs should not be the department of “NO, you can’t do this!” but rather adopt a practice of “Yes, you can; but here is how you can do this securely.” IT and IT Security must be business enablers. For example, innovations in braking technology have allowed vehicles to go faster, not slower. Consider how far, and how safely, your vehicle could travel without any brakes.

Successful IT and IT Security programs are built for the business, to enhance it and to enable it. In other words, business drives IT, not the other way around. IT and IT Security integrations must be forward-thinking or they themselves will become obsolete.

Key takeaways from these cybersecurity risks include:

  • Starting a conversation about your cybersecurity plan and really understanding your risk will help eliminate future headaches and financial loss.
  • Adopt a security control framework and align security controls to policies and procedures, as well as regulatory controls.
  • Conduct an independent security assessment and avoid ‘groupthink’.
  • Remember, the hardest impacts your organization will face are the ones it never sees coming.
  • Knowledge alone does not equal power or help mitigate cyberattacks. It’s the appropriate application of that knowledge that enables our Clients to Be in a Position of StrengthSM.

Want to increase your organization’s cybersecurity posture and remain compliant and competitive by avoiding impacts and regulatory violations? Complete the form below to contact our internationally-recognized and highly awarded cybersecurity team to find out how!
