5 Major Cyber Security Threats You Need to Watch Out For by Paul Delahunty
More connected “things” means a much bigger attack surface. The bigger the attack surface, the harder it is to defend. To put some numbers on that, today we have about 30bn connected devices. This is predicted to rise to 75bn by 2025… less than 3 years from now.
We have never before experienced such a monumental increase in the threatscape, or attack surface. That’s 75bn attack vectors now open to hackers… to the “bad guys”.
The potential for chaos is huge. Almost everything can, or will be, connected, which means almost everything can, or will be, hacked. While the convenience of having your heating, fridge, cooker, garage door, lights and alarm system all accessible remotely is very attractive, if someone breaks into just one of those things, they potentially have access to everything. If someone hacks into your baby monitor and your laptop is on the same network, is it protected? With so many people working from home at the moment, this is a soft underbelly which attackers can use to target companies.
It’s one thing having these in your home; more concerningly, more and more organisations are introducing them into their work environment. This poses a huge danger, as the amount of data held by most organisations makes them a very attractive target for hackers.
Connected “things” aren’t generally designed with security in mind. Security doesn’t sell… functionality and ease of use sells. Security just isn’t sexy. It’s not something you put on the front of the box to generate sales. So many manufacturers just don’t care about it, as it’s not worth the investment.
The result is a race to be the “latest and greatest”, where security is often the last thing to be considered.
Companies can invest thousands and thousands in the latest firewalls and security systems but, if the InfoSec culture and mindset isn’t ingrained in the organisation, it is only a matter of time before there is a breach.
Too often, security is thought of as being a technology problem. The truth is security begins and ends with every single individual in your organisation. Little things, like locking your laptop when you get up from your desk or wiping off a whiteboard at the end of a meeting, actually have a big impact when it comes to protecting your company.
Every single employee, from entry-level to C-suite, should have regular InfoSec training. InfoSec posters should be visible throughout the office. Regular penetration testing should take place. If employees walk away from their desk and leave an unlocked laptop, remove it from their desk.
The people in any organisation are both your strongest line of defence and your weakest underbelly. They are the strongest when properly trained to have a cyber security outlook. From day one, the company must display a cyber security ethos and instil a cyber security frame of mind in all employees.
Building an Information Security mindset isn’t something that can be achieved in a week or a month or by any specific action; it is something that is built over time by repeated good behaviours and by example from the top down.
The amount of personal and company information held on mobile devices is stunning. Furthermore, the lack of security awareness among mobile device users and the ease with which such devices can be compromised make for a huge security threat. Yet, many companies don’t even have this on their radar. On top of that, organisations must also consider the possibility of mobile devices being lost or stolen.
At a minimum, mobile devices should be encrypted, with two-factor authentication (2FA) enabled. Where possible, organisations should look at employing a Mobile Device Management (MDM) solution. In cases where neither of these solutions is available or practicable, removing mobile devices from the work network should be considered.
Do you have a plan in case of floods, fire, or some other natural disaster? Do you have access control in place? Is your server room locked and secured? Are your offices (and therefore data) easily accessible from the street? If someone from outside your organisation gains access to your office, are your employees trained and empowered to challenge them or alert security/senior management?
Even if you do have access control, do your employees regularly tailgate into the office? When your employees leave in the evening, are equipment and sensitive data securely put away? It is not uncommon to find organisations with top-of-the-range network security whose employees leave sensitive data lying around at the end of the day, fully accessible to third parties.
Physical security, and education around physical security, is an essential part of every organisation’s information security armour.
Many organisations have a “plan” written down, gathering dust somewhere. But, in the white heat of disaster, are you sure it will really do its job? And even if it is sufficient, will your employees know how to follow it? Do they even know it exists?
A disaster recovery plan can cover anything from what to do if there is a flood and employees can’t enter the office, to a ransomware attack where hackers have gained access to your organisation’s systems. Once disaster strikes, it is essential that your employees know how to react. Therefore, regular training is vital.
Given the potential for such disasters to be business-ending, it is essential that every business has a robust, and tested, disaster recovery plan in place.