(Especially if you’re a small to midsize organization)
We aren’t alarmists or anything, but it’s our job to have our finger on the pulse of what’s happening out there in cyberland and 2018 had some major Code Red moments.
The writing was on the wall before last year was half done with Under Armour reporting that about 150 million accounts had been compromised when their mobile app, MyFitnessPal, was hacked. Also in March, the news broke that a Facebook developer had “improperly shared” information from some 8 million users with Cambridge Analytica, a scandal that is going to be causing ripples for a long time to come.
By the time a global report was released for the first half of 2018, there had been 945 data breaches involving 4.5 billion compromised data records. Yes, that was just for the first half of the year.
That might sound like a tough act to follow, but the second half of 2018 came through with T-Mobile reporting a breach putting at risk the personal information of between 2-2.5 million customers. Next, NASA had to scramble to determine if hackers managed to access sensitive information about their operations or only their employee’s personal data. And just last month the popular Q&A website, Quora, disclosed that about 100 million users had been affected by a data breach.
Of course, only the big players make the news when they say their mea culpas, but that doesn’t mean small and midsize operations are immune. Far from it. Unfortunately, the same trends that led to the data breaches of last year are making smaller businesses prime targets for cyber mischief. Here’s why:
#1 The proliferation of connected things.
In 2015, there were 15.41 billion devices connected to the internet. In 2017, there were 20.35 billion, in 2018 that number jumped to 23.41 billion. By 2020 (that’s NEXT year folks!), it’s predicted that more than 30 billion devices will have joined the Internet of Things, also known as IoT. And every one of those devices has to connect to the mothership on the regular in order to do what it was designed to do.
You probably have more of those connected things in your workplace than you realize. There are the obvious ones like your laptops, tablets, phones, printers, etc. But what about your thermostat, coffee pot, TV, or refrigerator or that handy smart watch that goes wherever you go?
Why does it matter? Because any device that is connected to the internet is a potential back door into your network. Without a security strategy that includes every IoT device, you could be guarding the castle but treating the thief like an invited guest.
Speaking of invitations, that’s exactly what an Application Programming Interface (API) is. It not only invites a “guest” to access your data, a good API even provides a guidebook listing all the goodies and how to get to them.
Theoretically, the guest needs to have an API “key”, but of course that’s just another name for “password” and we know how fail-proof those are. Plus, the “guidebook” sometimes gives up data that wasn’t supposed to be part of the tour. Google recently decided to move their “sunset date” for Google+ forward four months after discovering a bug in their API that mistakenly gave access to information the user had set to private. This bug, the second that Google has disclosed, would have affected 52.5 million users if it had been exploited.
As you design your business security strategy for this year (yes, of course, we’d love to do that for you) be sure you’re taking into account all the devices and platforms that are using the internet to send and receive data. Why? Because it only takes one unguarded window to jeopardize the whole castle.
#2 Artificial Intelligence is getting smarter.
We have a love/hate relationship with Artificial Intelligence. When AI is used for good, it’s a powerful weapon in the business security arsenal. But it’s also made hackers more effective and more efficient by automating everything from cracking passwords to sophisticated phishing attacks such as the one used to beat even a Google two-factor authentication process.
AI “deep learning” has been used for everything from facial recognition (like the authorization option on your iPhone X) to doctoring videos like the “deepfakes” shared on Reddit which featured celebrities and politicians in “compromising” activities. It can also be used to mask malware, unleashing it only when the computer is accessed by a specific user or visually recognizable demographic such as a select gender or race.
Whether AI is really getting smarter or humans are just getting more creative about how to use it to get what they want, you cannot afford to ignore AI advances and trends when designing your security plan.
#3 The workforce is changing, too.
The way people work, and the way they think about work, will continue to evolve, but there are some trends that can be a real pain in the corporate rear when it comes to security.
Two trends that aren’t likely to peak any time soon revolve around the portability of work. Anyone with a computing device (including a smartphone) can work from anywhere so long as they have access to the internet. And why would they want to switch devices when they do work on-site? As these trends grow, that flexibility will become expected by the talent you hope to attract and hire.
That means that if you don’t already have a distributed workforce (and if you have people who sometimes work from home, or a coffee shop, or a hotel your workforce is distributed), you will. And if you don’t have people working on their own devices while logged into your network (are you sure you don’t?), you will. (We wrote about BYOD policies here.) The average cybersecurity protocol doesn’t account for off-site work, and IT systems often don’t include personal devices in their security plan. Those can be costly mistakes, don’t make them.
You also have to take into account the changing attitudes and expectations of job tenure. According to a Future Workplace survey, 91 percent of Millennials expect to stay in a job for less than three years. Since nearly every job today involves some password protected access to the company network or cloud-based applications that means you’ll have a lot of ex-employees who might still have access to their old email account, or to your project management software, or even your financial system. You wouldn’t let someone leave your employment with keys to the building still in their possession, would you? So you shouldn’t let them retain access to your data either. Your security plan needs to include an employee exit protocol and access governance that closes all those doors and locks them up tight so they can never get back in.
Also, because exiting employees necessitate new hires you’ll need to have an onboarding protocol that tracks every door you open and every key you hand out. And while you may include security training in your initial orientation, do you really expect that to be the learning priority of someone who is trying to navigate a career move? Data breaches aren’t always hack jobs, sometimes an act of negligence like leaving a computer unlocked and unattended or falling into a social engineering trap is all it takes. That’s why your security plan should include regular training refreshers for good security hygiene and crisis control.
#4 You can hire a hacker almost as easily as you can hire us.
Sad but true, although you won’t get the same personal attention (or humor) from them as you do from ThrottleNet.
As this article about a Masters student who created an instruction booklet for want-to-be hackers says, “As more people learn to code, more will learn to hack.” From amateur “Script Kiddies” to hacking as a brokered service, we’re seeing that cybercrime is becoming business as usual for the criminally inclined. There are even “exploit builder kits” and “ransomware-as-a-service” platforms that are as well maintained and updated as any enterprise software.
It might be shocking to learn all this, but it’s all driven by money. According to a report from RAND, large-scale hacking can be more profitable than the drug trade. Since most hackers are in it for the money, not the thrill, it stands to reason that an entire economy has grown up around cybercrime. Another key finding in RAND’s report states that “the cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups often connected with traditional crime groups …”
These “cybercartels” will be working to stay ahead of security trends, and it’s up to you (and us if you are one of our clients) to stay ahead of the bad guys. We’re on it. Are you?
#5 Increased complexity creates blind spots.
You know that old saying, “When a door closes a window opens?” Hackers take that adage very literally. While security tools have become more advanced and more effective, they are also more complex and change more frequently. Cybercriminals at every level of the game can almost count on you skipping a step, overlooking a detail, or failing to configure something that could have protected you “if only.”
We have an article coming up on “Top Security Features You’re Probably Not Using (Even if You’re Paying for Them)”, but let’s just say that we anticipate security will become even more advanced (and complex) and we know that integrating hardware and software into a seamless security defense plan is going to be your only protection. We call it “The Power of the +” and it’s not a slogan, it’s a mission.
#6 The most dangerous attacks to your business don’t always leave clues behind.
Some of the sneakiest ways to snatch your data don’t have to attach executable files on your hard drive. So any anti-virus scanner looking at your hard drive is going to give you an all-clear report. While these “fileless attacks” aren’t new – they’ve been around since the early 2000’s –they are potentially devastating and they are on the rise. The “2018 State of Endpoint Security Risk report” released by the Ponemon Institute showed that 77 percent of successful compromises involved fileless techniques and that attacks incorporating fileless techniques were 10x more likely to succeed than traditional file-based attacks.
Another tactic that’s on the rise exploits software bugs before the vendor offers a patch. These bugs are called “Zero-day vulnerabilities” and depending on the bug and the software affected, they can be used to open the door to your accounts, your network, and your data.
#7 SMBs are looking good (if you’re a hacker.)
Being a small fish might make you think the sharks won’t notice you, but many small and midsized businesses have had that sense of security bite them where it hurts most: their data. Just because you don’t read about attacks on SMBs doesn’t mean they aren’t happening. In fact, they’re on the rise. And not only are attacks on SMBs becoming more prevalent, but the level of sophistication used in those attacks is on the rise as well.
There are several reasons that hackers are zeroing in on SMBs. One, there are a lot of them – they make up the largest segment of enterprises in the United States. Two, smaller enterprises are using and storing an increasing amount of valuable data as even “Mom and Pop” businesses go digital. Three, hacking tools that use automation and AI make attacks scalable, so the effort to reward ratio is more inviting than ever. And four, the big fish are adding a lot of armor while smaller businesses don’t have proper protocols or employee training for things like passwords, internet-connected devices, and mobile computing, nor are they investing as heavily in security protection.
The worst of it is that SMBs are also less prepared to survive a cyber-attack. The average direct cost to a small or midsized business may be less than the millions a larger enterprise will bleed out after they’ve been hit, but it’s estimated that about 60 percent of SMBs fail within the first year following a ransomware attack or data breach and 72 percent fail within two years.
We can offer a bright light of hope to offset the gloom and doom predictions. Cybersecurity is a classic example of “an ounce of prevention is worth a pound of cure.” Or maybe the better cliché is “forewarned is forearmed.” With this “forewarning,” now is the perfect time to do an audit of your security plan for the coming year to be sure your castle is prepared to withstand an attack or siege. And if you don’t want to do that on your own, we’re here to help. Just give us a call at (866) 826-5966 or, you can use this handy contact form.