As the world becomes more digitally connected than ever, 2015 is shaping up to the point where cyber security pushes past compliance and even, to some extent, cost management as the top corporate priority.
“If we can call 2014 ʻsophisticated,’ then the word for 2015 will be ʻelusive.’ We believe that [advanced persistent threat] groups will evolve to become stealthier and sneakier, in order to better avoid exposure,” says Costin Raiu, director of the Kaspersky Lab Global Research and Analysis Team.
His group and others list a number of threats all companies will need to anticipate and prepare for in the coming year.
• Some are entrenched, such as malware, social engineering, and weak authentication, all of which must continue to be dealt with.
• Some are entirely new—and, yes, the internet of things is starting to emerge on the radar as a potential new threat. Here’s a rundown of what various analysts see coming down the cyber pike.
Experian Data Breach Resolution
• The rise, rush, and fall of payment breaches. Adoption requirements for EMV chip-and-PIN technology being implemented later this year may drive an increase in the frequency of payment breaches as the window closes for hackers to profit from this type of attack on brick-and-mortar retailers.
However, businesses should be wary of the potential for the new infrastructure creating a false sense of security for consumers.
“Cyber thieves likely already have identified vulnerabilities to target in the new infrastructure,” says Michael Bruemmer, vice-president. [Read Deloitte expert Prakash Santhana’s “To EMV or not to EMV?”]
• The persistent and growing threat of healthcare breaches. The expanding number of access points to protected health information and other sensitive data via electronic medical records and the growing popularity of wearable technology make the healthcare industry a vulnerable and attractive target for cyber criminals.
• A fresh breach point via the internet of things. Like it or not, the internet of things is spreading rapidly, offering a wide range of benefits for businesses looking to review data and optimize performance. As more companies adopt interconnected systems and products, cyber attacks also will likely increase via data accessed from third-party vendors.
“While the internet of things has huge potential, it also brings more points of vulnerability for organizations,” says Ozzie Fonseca, senior director.
This team of cyber security experts have observed more than 60 threat actors worldwide, and have made these predictions for 2015:
• Fragmentation of bigger advanced persistent threats. A growing number of smaller threat actors are likely to lead to more companies being hit.
• APT-style attacks directly on banks. The days when cyber criminal gangs focused exclusively on stealing money from end users are over. Criminals capable of Advanced Persistent Threats now attack banks directly.
• Targeting executives through hotel networks. Hotels are perfect for targeting high-profile individuals around the world. [Read John Ginovsky’s earlier article, “Don’t check into ‘Darkhotel’!”]
• Enhanced evasion techniques. More APT groups will be concerned about exposure and will take more advanced measures to shield themselves from discovery.
• New methods of data exfiltration. In 2015, more groups are expected to use cloud services in order to make the unauthorized transfer of data from a computer stealthier and harder to detect.
• Use of false flags. APT groups will exploit government intentions to make it appear as if their attacks are carried out by some other entity.
International Data Corp.
“Through 2016, 75% of the chief risk officer’s time will be focused on risk data architectures, credit analytics, fraud and cyber security, and creating new risk efficiencies,” says IDC Corp.’s Futurescape Report. Some of its predictions include:
• Mammoth costs. Led in part by big data solutions, fraud and financial crimes analytics will set global financial institutions back $2.8 billion for software and services by 2016.
• Cloud will pay off. Industry clouds will disrupt legacy risk operations and contribute to 10% reduction in know-your-customer and other compliance costs by 2016.
• Passwords may crumble … To meet the demand for convenience, by 2016, 10% of mobile-initiated commerce will be biometrically secured, and password usage will begin to show signs of decay.
• Bitcoin & Banking bond? By 2017, with workable boundaries of regulation at state and federal levels, financial institutions will find their role in crypto-currency [for example, bitcoin] clearing.
• A CRM for CRO. Virtually all chief risk officers will be engaged in credit risk modernization initiatives through 2016.
“Cyber threats pose a real risk to business profitability, which is why corporate treasurers have made IT security their top area of focus,” says Marc Harrison, consultant.
Common IT vulnerabilities to address include:
• Weak authentication. Noncomplex passwords without additional authentication factors are easily bypassed.
• Unpatched vulnerabilities. Hackers rely on known vulnerabilities in operating systems and other common software.
• Malware. Trojans and other forms can steal data, access financial accounts, or create bots, which can automate digital activity, either wanted or unwanted.
• Comprised vendors. These are targeted for their access to clients’ systems, either directly or through products they provide.
• Social engineering. Employees throughout an organization are at risk, as hackers use seemingly legitimate communications.
• Web injection. Public-facing websites can be compromised and misused to glean data or deliver malware.
A new Trustwave report provides a snapshot of how businesses in general struggle with information security deficiencies. While not pinpointing exact threats, the report highlights areas where corporate IT and security officials could focus attention. Some elements of the firm’s report for 2014:
• High-level executives are only somewhat involved. Forty-five percent of businesses have board or senior-level management individuals who take only a partial role in security matters. [Read “Do boards have a role in cyber risk?”]
• Sensitive data isn’t tracked. Sixty-three percent do not have a fully mature method to control and track sensitive data.
• If they’re breached, they don’t know what to do. Twenty-one percent of businesses do not have incident response procedures in place.
• They understand legal implications but fail to take action. Sixty percent of businesses are fully aware of their legal responsibilities in safeguarding sensitive data, yet 21% never perform security awareness training.
• They do not know where their valuable data lives. Thirty-three percent of businesses have not commissioned a risk assessment to identify where their valuable data resides and what controls, if any, are in place to protect it.
• Third-party providers’ security controls are lax. Forty-eight percent of businesses do not have a third-party management program in place.
• Patch management programs are lacking. Fifty-eight percent of businesses do not have a fully mature patch management process in place.
Michael Aminzade, vice-president at Trustwave, sums up this report, and probably the prospects for coming years, succinctly:
“Businesses must look at security as a business-as-usual imperative. Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached.”
Sources used in this article include: