IT
5 Major Cyber Security Threats You Need to Watch Out For by Paul Delahunty
5 Major Cyber Security Threats
You Need to Watch Out For
by Paul Delahunty
When you start a conversation with someone about Information Security, it will almost immediately turn towards phishing, hackers, data protection/the GDPR and other commonly known threats. Ransomware in particular is usually one of the first threats people mention.
While these are certainly important and need to be addressed, there are many other threats that people and companies often overlook.
1. The Internet of Things
We have all heard of the Internet of Things (IoT). Basically, it is a nice way of describing how all devices and “things” can connect together. It is an internet of devices, software, sensors, and other ‘things’ which enable the world, and the devices in it, to be connected. It is an incredibly powerful concept, and over the last few years, it has left the realm of science fiction and entered normal, everyday life. After all, even if you don’t have an Alexa yourself, I’ll bet someone you know does!

More connected “things” means a much bigger attack surface. The bigger the attack surface, the harder it is to defend. To put some numbers on that, today we have about 30bn connected devices. This is predicted to rise to 75bn by 2025…. less than 3 years from now.

We have never before experienced such a monumental increase in the threatscape, or attack surface. That’s 75bn attack vectors now open to hackers….to the “bad guys”.

The potential for chaos is huge. Almost everything can, or will be, connected, which means almost everything can, or will be, hacked. While the convenience of having your heating, fridge, cooker, garage door, lights and alarm system all accessible remotely is very attractive, if someone breaks into just one of those things, they potentially have access to everything. If someone hacks into your baby monitor and your laptop is on the same network, is it protected? With so many people working from home at the moment, this is a soft underbelly which attackers can use to target companies.

phone on tablet with security software
With consumers demanding greater and greater functionality and connectivity, vendors who don’t provide this get left behind. Many of the connected devices are not properly secured yet are connected to everything. Does your ordinary everyday person know how to properly secure the new device they just bought? Do they care? Are they aware of the risks? Do they bother to change any default passwords? Is it even possible to do this on the device they just bought? Have they segregated their home network?

Whereas it’s one thing having these in your home, concerningly, more and more organisations are introducing them into their work environment. This poses a huge danger, as the amount of data in most organisations means they’re a very attractive target for hackers.

Connected “things” aren’t generally designed with security in mind. Security doesn’t sell…..functionality and ease of use sells. Security just isn’t sexy. It’s not something you put on the front of the box to generate sales. So many manufacturers just don’t care about it, as it’s not worth the investment.

The result is a race to be the “latest and greatest”, where security is often the last thing to be considered.

2. Lack of an Information Security Mindset
Information security is a mindset: a mindset that comes from the top down. The C-suite management must buy into it and that buy-in must percolate through the organisation.

Companies can invest thousands and thousands in the latest firewalls and security systems but, if the InfoSec culture and mindset isn’t ingrained in the organisation, it is only a matter of time before there is a breach.

Too often, security is thought of as being a technology problem. The truth is security begins and ends with every single individual in your organisation. Little things, like locking your laptop when you get up from your desk or wiping off a whiteboard at the end of a meeting, actually have a big impact when it comes to protecting your company.

Every single employee, from entry-level to C-suite, should have regular InfoSec training. InfoSec posters should be visible throughout the office. Regular penetration testing should take place. If employees walk away from their desk and leave an unlocked laptop, remove it from their desk.

The people in any organisation are both your strongest line of defence and your weakest underbelly. They are the strongest when properly trained to have a cyber security outlook. From day one, the company must display a cyber security ethos and instil a cyber security mind frame in all employees.

Building an Information Security mindset isn’t something that can be achieved in a week or a month or by any specific action; it is something that is built over time by repeated good behaviours and by example from the top down.

3. Data on Mobile Devices
Mobile devices have become an integral part of people’s work lives. Smartphones, tablets etc, are being used more and more for work-related activities and are, in many cases, replacing the traditional laptop. However, these devices were not designed for storing data in the way laptops were. Mobile devices are designed for ease of use and ease of connectivity – things that don’t often go hand in hand with information security. While it is possible to lock down these devices and configure them so that data is stored in the right place, this is rarely done. Moreover, company policies to enforce this practice are even rarer.

The amount of personal and company information held on mobile devices is stunning. Furthermore, the lack of security awareness among mobile device users and the ease with which such devices can be compromised makes for a huge security threat. Yet, many companies don’t even have this on their radar. On top of that, organisations must also consider the possibility of mobile devices being lost or stolen.

At a minimum, mobile devices should be encrypted, with 2-Factor-Authentication (2FA) enabled. Where possible, organisations should look at employing a Mobile Device Management (MDM) solution. In cases where neither of these solutions are available or practicable, the removal of mobile devices from the work network should be considered.

4. Physical Security
Often companies spend thousands on their IT infrastructure but completely forget about the physical environment. It’s as if physical security just isn’t seen as being important. However, it is an essential part of an organisations cyber security. Cyber security is all about protecting data. Physically securing your organisation against attacks from nature and malicious actors is a key part of this.

Do you have a plan in case of floods, fire, or some other natural disaster? Do you have access control in place? Is your server room locked and secured? Are your offices (and therefore data) easily accessible from the street? If someone from outside your organisation gains access to your office, are your employees trained and empowered to challenge them or alert security/senior management?

Even if you do have access control, do your employees regularly tailgate into the office? When your employees leave in the evening, is equipment and sensitive data securely put away? It is not uncommon to find organisations, with top of the range network security, whose employees leave sensitive data lying around when leaving at the end of the day, fully accessible to the third parties.

Physical security, and education around physical security, is an essential part of every organisation’s information security armour.

5. Lack of a Disaster Recovery Plan (& Lack of Training for Disaster)
Most of us, instinctively, try not to think about disasters, rather, we focus on success. However, organisations need to plan for all of those “what if” scenarios. In times of trouble, having a good (& tested) disaster recovery plan in place can be the difference between the success and failure of your business.

Many organisations have a “plan” written down, gathering dust somewhere. But, in the white heat of disaster, are you sure it will really do its job? And even if it is sufficient, will your employees know how to follow it? Do they even know it exists?

A disaster recovery plan can cover anything from what to do if there is a flood and employees can’t enter the office, to a ransomware attack where hackers have gained access to your organisation’s systems. Once disaster strikes, it is essential that your employees know how to react. Therefore, regular training is vital.

Given the potential for such disasters to be business-ending, it is essential that every business has a robust, and tested, disaster recovery plan in place.

Paul Delahunty headshot
Paul Delahunty,
Paul Delahunty, one of the country’s top Information Security experts, is the Chief Information Security Officer at Stryve, a Carlow headquartered private cloud and cybersecurity company.