Last month we took a look at the dark web and how hostile actors based within this vast, unindexed sector of the internet present a clear danger to businesses of all sizes.
As we noted in that post, even conservative estimates suggest that 85% of businesses with fewer than 1,000 employees have already been hacked. And the big guys aren’t safe either: just days ago news broke that Canadian banking titans BMO and CIBC/Simplii were successfully hacked.
The perpetrators were able to seize the personal banking information of nearly 100,000 customers, and are presently threatening to release this information into the dark web if their million-dollar ransom demands go unmet.
So how did we get here?
Barbarians at the Firewall
BMO and CIBC are both large enough to be able to comfortably reimburse any customers who are defrauded as a direct result of their security breach. They’d better be able to do so: after all, the main selling point of a bank remains its ability to safeguard your hard-earned wealth.
The true cost is not the direct losses caused by the hack, but rather the erosion of the public’s confidence in their security. It remains to be seen whether their competitors will enjoy an influx of new clients.
For smaller businesses, however, the threat may be more existential.
If the average breach results in the loss of 30,000 records, think about how many customers that figure might represent. Some of them might have to be compensated monetarily. Others might feel fully justified in walking away, perhaps leaving a major project hanging in the balance.
Now think about your profit margins. What level of loss is sustainable?
The findings of Ernst & Young’s 2017-18 Global Information Security Survey are illustrative of the overly laissez-faire attitude rampant in the business world:
“70% [of respondents] say they require up to 25% more funding, and the rest require even more than this. However, only 12% expect to receive an increase of over 25%.
For many organizations, the worst may have to happen for these calls to be met. Asked what kind of event would result in cybersecurity budgets being increased, 76% of survey respondents said the discovery of a breach that caused damage would be likely to see greater resources allocated.”
Considering that the United Nations has identified cybercrime as one of the top five threats to world security, skimping on IT safety rates somewhere between unprotected sex and leaving your sports car unlocked in a rough neighborhood on the unnecessary foolhardiness scale.
And it gets worse: a full 64% of respondents admitted that if a breach didn’t cause obvious damage, they believed it was unlikely that more budget would be allotted to cybersecurity. That’s not mere complacence—in a court of law, it might constitute willful negligence.
Ponying up for high-quality IT security might be an easier sell for business owners if it were a one-time investment.
Unfortunately, the classic biological metaphor of malicious software as virus still holds true: techniques evolve rapidly and asymmetrically, meaning the most impenetrable systems of today are only one clever crack away from open season.
That isn’t to say, however, that the defenders should abandon their positions and accept the occasional pillaging as a cost of doing business.
Continuous is one of leading companies offering enterprise-level IT security and support to companies who lack the budget to support an in-house cyber security department.
Our service stands out thanks to the comprehensive day-to-day support options we offer. We can handle most daily IT needs remotely, and our systems are automatically alerted when your security envelope is penetrated.
When we say pro-active cybersecurity, we mean it.
With regularly scheduled vulnerability audits and immediate availability in the event of a crisis, Continuous offers a formidable challenge to even determined hackers.
2018 Cybersecurity Threats
We’ll close this post by taking a look at three major threats that experts have identified as especially critical for 2018.
Business Email Compromise (BEC) Scams
According to the FBI, BEC scams cost US businesses $2 billion in 2016 alone. Maybe we should write the whole number out to let that sink in: $2,000,000,000.
That’s a lot of heavy zeroes to swallow.
BEC scams are defined as “as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The E-mail Account Compromise (EAC) component of BEC targets individuals that perform wire transfer payments.”
Criminals gain access either by posing as clients/suppliers and manipulating staff, or via malware. Once inside, they can easily scrape vulnerable customer data and initiate transfers of their own.
After the money has been transferred, it is nearly impossible for authorities to retrieve as the attackers generally rout the money through a series of foreign accounts.
Science fiction is rife with stories of automated devices going haywire. Manufacturers assured us, a few preliminary driverless car disasters aside, that it wouldn’t be a problem.
But they may not have fully considered the risks of hostile human intervention in the AI space.
As The Telegraph reports, “two new botnets (a collection of internet-connected devices that are infected with, or running, some sort of malware) have appeared, called ‘Reaper’ and ‘IoTroop’” that zero in on IoT devices.
Although neither has performed any explicitly hostile actions yet, they have managed to gain access to many popular devices which could be used to assert control with relative ease.
Not only that, but each infected device becomes a vector to infect all of the nodes with which it interacts—and in an increasingly connected IoT world, that’s a huge risk. Here's another salient clip from the article:
So next year, businesses must ensure that the basics – such as data management and protection; patching; and good hygiene (alerts for anonymous new users, changes in device performance, and regularly auditing passwords) – are covered.
The threat they pose means it’s more important than ever to exercise good password hygiene (regular changes; policies to ensure passwords are of a sufficient complexity) and not to allow IoT devices unrestricted access to your office networks.
API Security Gaps
Application programming interface (API) security should be considered a top priority for IT decision-makers. There are vulnerabilities everywhere, from the credential and cookie levels to crippling DDoS attacks and unauthorized data transfer, manipulation, and deletion.
Your strategy must be designed to ensure that only the people you want are gaining access to sensitive information. Using device identification and checking IP addresses can create a few hassles now and then, but it greatly improves the likelihood that those who are requesting access are in fact who they say they are.
In conjunction with regular, properly managed security patches, you stand a much better chance of staying secure.
Where Do You Start?
Nobody is born an expert in cybersecurity. It takes years of dedication and constant attention to the latest trends to advertise yourself as an 'expert'.
And if you're like most executives, you don't have time to dedicate to the craft, but with IT support services from companies like Continuous, you don't have to. Even in-house IT managers can benefit from bringing in outside resources to help bolster support in areas that are constantly in need.
Most businesses stand to benefit greatly from an IT security audit which takes in a detailed account of a businesses' current infrastructure and a provides blueprint to a more productive, scalable model.