A recent SANS survey of security professionals identified today’s biggest cybersecurity risks. Among survey respondents, 61% chose people as the greatest risk, and Part 1 of this article examined why.
However, 22% of security professionals identified technology as the greatest risk, and 14% selected processes and procedures. Part 2 of this article examines those risks, along with ways to make your company more secure.
Cybersecurity risks presented by technology
Technology allows businesses to work in unprecedented ways and at unparalleled performance levels. "A simple look at an old photo of an accounting office from 50 years ago shows us that the work done by a room full of 25 or more people in a week can now be done in a few hours by a single person with a laptop — and probably with much more accuracy," says Michael Nizich, Ph.D., an adjunct associate professor in the department of computer science at the New York Institute of Technology, director of the Entrepreneurship and Technology Innovation Center (ETIC), and director of the NSA/DHS CAE Cyber Defense Education Program.
"The issue is that the more we rely on technology and the more valuable information we need to store in a centrally accessible location like the Internet to be efficient, the more risk we incur."
It’s a view shared by Eric Williams, founder and CEO of ijura, a cloud-based cybersecurity platform, who believes that bring-your-own-device (BYOD) policies and commercial IoT implementation are major contributors.
"Enterprise IT managers have significantly less control and visibility to enforce their traditional security policies," he says. "Many companies are using consumer-oriented connected devices such as Apple TV or Google Chromecast in conference rooms and Nest thermostats to regulate building temperatures."
While these new tools are great, Williams says traditional cybersecurity solutions aren’t capable of addressing the security and compliance needs of the enterprise on a holistic level. "In the near future, on-device security solutions will no longer be feasible as most transactions are executed in an online/cloud environment via the internet."
As employees become more dependent on mobile devices for business communications, opportunities will increase for criminals to successfully phish via text messages or email. “Users are significantly more susceptible to the social attacks they receive on mobile devices, due to both device design and behavioral norms,” Williams says.
"Manufacturers such as Apple and Google (Pixel) have removed most of the on-device mechanisms and visibility that traditional security solutions relied on to safeguard against the installation of malicious content or apps." There are additional cybersecurity risks with mobile devices.
"Limited screen sizes restrict clear viewing; operating systems and apps restrict or limit the availability of verification information, such as SSL certification; and mobile software enhances elements that foster actions such as accept, reply, send, etc; so it’s easier — and riskier — for users to make snap decisions," he explains.
Cybersecurity risks posed by processes and procedures
Shouldn’t processes and procedures serve to limit cyber risks, not contribute to the problem? "A bad process, automated well, is still a bad process and can introduce risk if not evaluated properly," warns Barbara Filkins, senior analyst at SANS.
Often, failing to take a holistic approach in this area can be a contributing factor. "The six components required to establish an information system are hardware, software, data, networks, people, and processes," says Nizich.
"If a procedure or process established by the organization places either system users, system data, or system appliances at risk, then that procedure has violated one or more of the security policies established by the organization’s security leader and must be revised for conformity." If this doesn’t happen, he says, the organization is not only more susceptible to attack but may also be violating compliance guidelines.
However, establishing and enforcing policies isn’t that simple, especially with mobile devices. For example, Williams says BYOD policies are meant to ensure that an employee’s personal laptop, tablet, and smartphone are secure when accessing business-critical and proprietary information. "In the case of tablets and smartphones, it is increasingly difficult to apply traditional security policies without significantly impinging on the user experience. The policies don’t address the personal data and apps being accessed; this opens the backdoor to malicious actors trying to gain access."
"BYOD policies are typically enforced through a mobile device management (MDM) solution, which can create a false sense of security as MDM is not a threat defense application," says Williams. As a result, he says most smartphone or tablet users are vulnerable to being compromised through their personal data/browsing.
"These policies also do not address phishing attacks, which are now widely accepted as the key culprit for corporate data breaches as well as ransomware attacks, which are estimated to have cost companies over $8 billion in 2018."
How companies can stay secure
Now that we’ve identified the major risks, what steps can companies take to ward off both intentional and unintentional threats? "Start building security into the evaluation, design and deployment of networked assets — as in the ICS space," says Filkins.
Some organizations may need to take a giant step back and reevaluate how they allocate resources. If you haven’t done this already, Nizich says the first step is to retain an experienced and knowledgeable security leader. "Companies must also plan to make long-term financial investments in the six-component framework previously mentioned so that their internal information system can be as secure as possible."
In addition, companies would benefit from adopting a zero-trust attitude. "Forrester Research introduced the concept of Zero Trust in 2010, which eliminates ‘the idea of a trusted network inside a defined corporate perimeter,’" Williams explains.
Instead of operating under the assumption that your corporate network is secure, assume that it’s not — and act accordingly. "Allow access only to necessary resources and keep everything locked down." Williams says it’s nearly impossible to get every single employee to make critical security updates, and their personal applications and data usually fall outside the remit of corporate device management and security policies.
"Traditional anti-virus and anti-malware software may be enough for the corporate network and endpoints, but simply do not provide the holistic protection required for the mobile device environment."
Educating employees through quarterly training sessions on online security best practices is another step in the right direction. "You can try to teach people to recognize phishing emails and set fake traps for them as practice," Williams says. "Also, you can tell people to stop taking online surveys on their social media accounts."
But be advised that we are human and make mistakes, forget what we’ve learned, and are often distracted.
"Instead of relying on your employees to individually download critical security updates to their mobile devices, consider a cloud-based mobile threat technology solution integrated with your company’s mobile telecommunications operator."
The SANS survey also noted that 10% of malicious attacks are caused by former employees. Revoking a departing employee’s access before the termination takes effect is a relatively simple way to mitigate this intentional threat.