By John F. Wysseier, President and CEO, The CEI Group, Inc.
My theme in this continuing blog is that business disruption – the kind that results from a continuous strategic embrace of cutting-edge technology – is not just a good thing, but a requirement. Call it creative destruction. But there’s another kind of technology-powered disruption that is simply destructive: the hacking of an organization’s digital infrastructure.
How pervasive is the threat? Consider the following:
• Computer Ventures, a researcher and publisher covering the global cyber economy, estimates that cyberattacks cost the global economy $3 trillion in 2015, a figure is likely to double to $6 trillion a year by 2021.
• PWC, the accounting and consulting firm, says that 32 percent of U.S. organizations were victims of cybercrime in 2016, and projects that 34 percent will have become victims by the end of 2018.
• Microsoft estimates that average cost of a data breach to a business is $3.8 million, and that the average attacker resides in a network for 146 days before being detected.
• A University of Maryland study found that hackers were attacking computers and networks “at near-constant rate”, with an average of one attack every 39 seconds.
U.S. consumers and businesses of all sizes are being targeted, by individuals, organized crime and even state-sponsored agencies. What they’re after is consumer personal data, credit card numbers, login credentials, access to funds, technology and intellectual property, ways to cripple operating systems and – in a recent and rapidly growing trend – ransom to restore them.
The lure of rich bounty from cybercrime has attracted some of the brightest rogue minds and hostile regimes, and they’re widely believed to be working on the cutting edge of digital technology. In addition to the fact that hundreds of thousands of new viruses and other kinds of computer malware are created every day, a concern is that some hostiles are working on quantum computers that could hack the most sophisticated encryption systems while being invulnerable to hacking themselves.
As bad as 2017 and 2018 were, 2019 is likely to even worse, as the following evolving and emerging threats are gaining momentum (my thanks here to the Lazarus Alliance):
Phishing Schemes. Nearly all successful cyber-attacks begin with a phishing scheme. Business email compromises, a highly targeted spear phishing attack, are responsible for more than $12 billion in losses globally.
Cloud Cyber Security Threats. Cloud computing has transformed the ways in which we live and conduct business, but it has also given hackers a broader attack surface and created a host of brand-new cyber security threats and vulnerabilities, from cloud malware to misconfigured Amazon Web Service (AWS) buckets. Cloud security must be addressed differently than on-premises security, and solid cloud security starts with a secure cloud migration.
Use of Shadow IT Apps. More than 80 percent of employees admit to using unauthorized IT apps at work, which are known as shadow IT. Most of the time, their motivations aren’t malicious or negligent; they’re just trying to do their jobs better. However, shadow IT usage can be a serious compliance and cyber security threat. The best course of action is to open a dialogue with your employees to determine why they believe these shadow applications are better than your existing, vetted applications.
Cryptojacking. Cryptojacking malware, which allows hackers to hijack enterprise computer equipment for the purpose of “mining” cryptocurrencies, has become more common than ransomware. These attacks can be hard to detect, but they can be snuffed out by upping endpoint security and monitoring network traffic for unexplained spikes at odd times.
Ransomware. Cryptojacking malware may be more common today, but that doesn’t mean ransomware has fully gone away. While cryptojacking can waste energy and slow productivity of your systems, ransomware can stop you dead in your tracks.
Unsecured Internet of Things (IoT) Devices. A recent Mozilla report shows that there may be up to 30 billion IoT devices by 2020. Both the public and private sector are scrambling to secure the Internet of Things. In recent weeks, the National Institute of Standards and Technology released guidelines for securing medical IoT devices, and Microsoft launched a public review of its new solution for developing secure smart devices. Ask your IT team how many things really need to be connected and automated before adopting them, and always look to secure these devices with regular updates and passwords.
What business leaders must do
Cyber defense is critical to every business, and it’s too important for senior executives not to be familiar and up-to-date on cyber threats and counter-measures, especially those in charge of companies that may not have invested enough in computer security in recent years. A sound approach to cyber security rests on two key practices: an ongoing review and dialog between CEOs and their Chief Information Officers about the organization’s security technology, and a continuing program to educate all employees about cyber threats and the organization’s computer security policy.