THE IMPACT OF CYBER CRIME
As we approach 2019, both the frequency and cost of cyber-attacks continue to rise unchecked. According to the 2017 Cost of Cybercrime study by the Ponemon Institute, the average annualized cost of cyber security for corporations last year was $11.7 million, a 22.7 percent year over year increase.
However, even though large enterprises usually dominate the cyber security headlines, small and medium sized businesses (SMBs) are often at much great risk of attack!
Most SMBs don’t take a systematic approach to security. Sometimes it’s a lack of resources or time, and sometimes it’s the false assumption that they don’t have enough valuable information to steal.
Hackers know this, making SMBs an easy mark. Half of SMBs in the U.S. have reported a data breach – and that’s only the ones who actually report them. Further, 60% of small businesses fold within 6 months of a cyber-attack, according to the National Cyber Security Alliance.
In their Cyber security and Digital Risk white paper, Gartner summed up the situation in this way: “Cyber security threats will continue to pervade the global economy in 2018. CIOs expect cyber security threats to increase and affect their organizations.”
In response, Gartner asserts that organizations must ‘develop a pragmatic vision’ for cyber security that addresses not only the technical but also the human aspects of securing the enterprise.
THE MOST COMMON CYBER SECURITY MISTAKES
The MOST COMMON CYBER SECURITY MISTAKES
Five of the most common mistakes include:
- Lack of Security Training. Providing continual training sessions for employees on safe security practices is critical. The #1 tactic hackers use to gain access to small business is through malicious email. Employees are the weakest link in the security chain – it’s imperative to put a program in place to educate your employees on cyber security best practices.
- Lack of an Acceptable Use Policy. Every business needs to document rules around what employees can and cannot do on company devices and networks. This includes internet usage, email usage, software installation policies, password policies, downloading attachments, and much more.
- Not Keeping Software and Systems Up to Date. Sounds so simple, but many companies neglect to keep operating systems updated. (Including the IRS, believe it or not – read up on the risks of outdated technology.) It’s essential to use up-to-date software products and be vigilant about patch management. Cyber criminals are famous for exploiting old software vulnerabilities.
- Not Properly Managing Access and Admin Privileges. It is an axiom of IT security that all users should have only the privileges needed for them to do their jobs and no more. Viruses spread readily in an environment in which users have more access than absolutely necessary. It may seem convenient to give someone local administrative rights on her computer, but those rights can put your entire organization at risk.
- Not Having a Backup and Disaster Recovery Plan. As a minimum, you should have an on-site solution for rapid recovery of data, and an off-site (cloud) solution for a catastrophic situation. If you have a data breach, do you know what to do? How will you secure your network to protect data from further damage? How will you inform partners and customers? All of this needs to be thought through and documented in advance in a business continuity plan.
TOP SECURITY TRENDS TO WATCH FOR
2018 has seen the continued growth, frequency, and sophistication of cybercrime, with CSO estimating that damages from cyber-attacks will hit $6 trillion annually by 2021. Luckily, most businesses are taking the threat more seriously, with security spending increasing by an average of 7.5 percent year over year.
Here are six security trends to watch as we head for 2019
Ransomware continues unabated
According to research conducted by Cybersecurity Ventures, damages from ransomware attacks will exceed $8 billion in 2018, up 60 percent from last year, and almost 25X from 2015. The report also estimates that a business ransomware attack will take place every 14 seconds by the end of 2019, nearly tripling in frequency from 2016.
Security software maker Symantec echoes the year over year increase in attacks and found that last year more than 100 new malware families were introduced by hackers. Further, Symantec determined that 34 percent of global ransomware victims were willing to pay their attackers — and that number was much higher (64 percent) in the United States.
Companies are turning to artificial intelligence and machine learning to combat more sophisticated, self-propagating ransomware attacks. These technologies are much faster and more efficient than human intervention in detecting and responding to rapidly-changing ransomware threats.
Increased attacks on Internet of Things (IoT) devices
According to Symantec, IoT attacks increased 600 percent between 2016 and 2017.
Research by the Ponemon Institute found that 97 percent of respondents felt a data breach on unsecured IoT devices could be catastrophic, yet only 29 percent actively monitored the IoT risk in their networks.
Once hacked, IoT devices can be turned into surveillance devices, working as a ‘botnet’ to capture user data.
IoT hacks may have other, more dire consequences. Last year CNN reported that the implantable cardiac devices (pacemakers and defibrillators) at St. Jude’s Medical facility could be compromised, leading to the theft of patient data or even altering the performance of the devices themselves.
IoT devices are often easy targets for hackers. Many of these devices are owned or provided by third parties, and most organizations do not keep an accurate device inventory. And, according to Ponemon, there are a lot of them — the average organization has almost 16,000 IoT devices, with that number increasing to nearly 25,000 in the next two years.
Attacks on strategic infrastructure
A recent CNBC article pointed to the inevitability of a significant cyber-attack on physical infrastructure. According to quoted cybersecurity expert Tarah Wheeler, "the more I speak to people, the more they think that the next Pearl Harbor is going to be a cyber-attack.”
CNBC also stated that nearly 40 percent of all industrial control systems and critical infrastructure were subject to a cyber-attack in 2017, and that much of this infrastructure ran on Windows XP or other obsolete, un-patchable platforms.
Infrastructure such as power grids and nuclear plants are vulnerable to both criminal hackers and foreign government operatives.
According to the World Economic Forum’s 2018 Global Risk Report, “cyberattacks are perceived as the global risk of highest concern to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018, according to the risk perception survey that underpins the Risks Report.”
As networks become more automated and decentralized, the risk to the power grid and other utilities heightened by the growing use of sensors and machine learning. Acknowledging the threat, and in response to a 2017 hacking campaign of electrical and nuclear facilities, the US Department of Energy established almost $100 million in funding to monitor and counter potential cyber attacks.
Increased mobile and BYOD use raising security concerns
Use of mobile and BYOD devices is skyrocketing in the workplace.
This growth is being driven by digital transformation, lower device costs, and an increasingly mobile workforce, many of whom use multiple devices.
Mobility and BYOD, however, can create significant security vulnerabilities.
Unlike corporate-provided equipment, user devices are typically not inspected to ensure that configurations and software comply with company guidelines. The use of non-authorized applications on users’ mobile devices also creates increased exposure to malware and other security breaches.
Finally, the greater access to company data and assets provided by BYOD use raises the risk for data loss or exfiltration, either deliberately or accidentally.
While acknowledging that mobile and BYOD use will continue to grow, companies are putting more robust security in place to manage the risks, including network access control, device enrolment, and publishing a listing of approved software applications and usage guidelines.
AI-based cyber-attacks on the rise
In a headline earlier this year, CSO referred to 2018 as ‘the year of the AI-powered cyber-attack.’ They also cited the rise of automated ‘bot’ attacks in 2017 and the reporting of the first AI-powered cyber-attacks.
AI provides these cyber-attacks with the ability to respond quickly to thwart common enterprise security measures. AI-powered malware also adapts to its host environment and can remain undetected for months.
Wired Magazine states that ‘AI cyberattacks will be almost impossible for humans to stop,’ predicting that these attacks could take over AI assistant programs used for tasks like scheduling and managing email, and even begin to impersonate interactions with real people.
In the near future, enterprises may soon be turning to AI-based systems to thwart AI-powered cyberattacks. These AI-based security solutions will be able to predict normal activity patterns for every device and user in the network, and then take automatic and immediate action to isolate and neutralize cyber threats.
Heightened concerns about cloud security
With the acceleration of business cloud adoption comes greater concerns about cloud security. According to IDC, over 90% of businesses will use multiple cloud services by 2020.
At the same time, a recent report by Gartner states that “concerns about security have led some CIOs to continue inhibiting their organizational use of public cloud services.”
Industries with more stringent compliance or data privacy concerns (such as finance or healthcare) may even take the step of slowing cloud adoption or opting for private cloud solutions to maintain direct control of sensitive data.
The Gartner report, however, largely debunks concerns about cloud security.
“The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user — not the cloud provider — who fails to manage the controls used to protect an organization’s data.”
Companies can mitigate cloud security risks in many ways:
- Establishing and enforcing strict data access and management policies
- Providing ongoing employee training
- Actively monitoring the network,
- Choosing a proven cloud provider with robust physical and network security infrastructures in place.
HOW TO IMPROVE YOUR IT SECURITY
While there are countless ways to make your business environment more secure against hackers and cybercriminals, there’s widespread agreement on a number of initiatives that best combine practicality and effectiveness.
Here are six of the most recommended priorities:
Upgrade your network security infrastructure - starting with your firewall
Most legacy networks are ill-equipped to deal with the growing sophistication and frequency of today’s cyber attacks. Organizations should review their entire infrastructure to determine network security viability, then create a prioritized plan to address any deficiencies.
A logical place to begin is with the network firewall. While legacy firewalls do provide basic packet filtering, inspection, and VPN capabilities, they no longer provide adequate security to counter current threats.
Today’s Next Generation Firewalls (NGFWs) provide comprehensive threat protection, including application control, intrusion protection, antivirus, and deep packet inspection.
A best-of-breed NGFW will perform all of these functions simultaneously with no performance degradation, and also offer integrated security management while scaling to meet future requirements.
Perform regular software updates and patches
If you’re not convinced that updating software is a security priority, consider the Equifax breach, which may have exposed the personal data of over 140 million Americans.
According to security solutions provider McAfee, “the hackers were able to access the credit reporting agency’s data through a known vulnerability in a web application. A fix for this security hole was actually available two months before the breach, but the company failed to update its software.”
Aging software is especially susceptible to cyber-attacks. All applications, operating systems, and security software should be reviewed regularly, and software updates and security patches subsequently applied. Software that is no longer supported by the manufacturer or provider should be identified and slated for upgrading or replacement.
Secure the network edge
It should be noted that while securing the network edge is still important, attention is starting to shift elsewhere.
As an example, while making sure your firewall is up-to-date is important, companies are also focusing on closing vulnerabilities, detecting compromises quickly and responding to those compromises in a rapid, comprehensive manner.
So instead of physical security and network edge, the conversation is now more about having the right security incident response plan in place, the right intrusion detection system (SIEM), and other more sophisticated protection methodologies.
Improve physical security
Despite this, you should not overlook the basics such as physical security. Restricting or denying access to computers, servers, and data centers is an integral part of protecting digital assets, as is educating users on effective physical security protocols.
The International Organization for Standardization (ISO) provides an excellent reference resource for securing data and physical assets. ISO 27001 is the corporate security standard outlining best practices for information security management, including the protection of secure areas.
These physical security measures include:
- employing barriers to protect restricted or secure areas
- limiting entry information to authorized staff
- safeguarding sensitive equipment for hazards and natural disasters
- monitoring and controlling delivery and loading zones
- securing power
Networking giant Cisco maintains that
“Attackers who can gain physical access to a computer can almost always take advantage of that access to further their efforts. Merely getting access to a physical terminal where a memory device can be plugged in is usually sufficient. Any device present that is connected to the network must be protected to ensure that it cannot be turned into a tool to be used in an attack.”
One of the most effective means of combating hacking and
Organizations that provide little training and set few staff expectations regarding security are highly vulnerable to data theft or loss, whether deliberate or incidental. Trained teams, however, are more vigilant and typically follow company security guidelines.
According to Graham Hunter, VP Skills Certification at CompTIA, training and educating employees about security is critical.
“If staff understand that accessing valuable and confidential information on an insecure server could lead to someone else taking it,” said Hunter, “or that a weak password may be easy to remember but also leaves them highly vulnerable, they are far less likely to fall prey to attacks.”
Security training is an ongoing process, not a one-time event, and requires a full range of training and awareness methods. Traditional classroom and computer-based training should be supplemented with less conventional approaches — multimedia, newsletters, daily email tips, and executive engagement.
For proof, HBR cited the SWIFT banking attack, which resulted in the cyber theft of $81 million. A vigilant bank employee spotted an anomaly, leading to a quick response while the crime was in progress. Had the employee not intervened, it’s estimated the theft could have exceeded $1 billion.
A structured risk assessment can help identify and address significant security gaps that may be putting your company’s data, digital assets, and network at risk.
While an assessment can be performed on any application, asset, or process within the organization, multiple assessments may be too expensive and time-consuming to be practical. The initial step is to prioritize those systems or applications that are most critical to the business and represent the highest risk — then target those for review.
A typical assessment involves defining the system, identifying threats, determining the potential impact, analyzing the environment, and finally calculating the associated security risk.
While risk assessments can be undertaken in-house, there are multiple advantages to engaging a specialized security partner.
External vendors typically have extensive experience in conducting assessments and are very familiar with the required tools and processes. They can also provide an objective view of your organization and are less liable to make assumptions about your environment.
FICO, a leading software analytics firm, calls the ability to establish and quantify cybersecurity risk ‘a competitive business advantage,’ and takes the case for risk assessments further — recommending that organizations also take steps to understand the cybersecurity posture of key business partners and suppliers.
MANAGING THE SECURITY TALENT SHORTAGE
MANAGING THE SECURITY TALENT SHORTAGE
IS OUTSOURCING YOUR SECURITY REQUIREMENTS A VIABLE OPTION?
Depending on your view, it’s a great time to be a cybersecurity professional. With unemployment rates virtually at zero, security pros often have their pick of assignments, locations, and in many cases, salary.
On the other hand, staff shortages mean that security professionals are often over-burdened with long hours and too many responsibilities, and as a result, employee turnover is high.
While even the largest organizations have difficulty attracting security talent, securing qualified resources can be even more difficult for smaller or more geographically remote companies.
A recent study by Gartner, Adapt Your Traditional Staffing Practices for Cybersecurity, calls out an additional challenge. As cybersecurity threats evolve, there may be few or even no candidates with the new skills and experience required to counter these threats.
In response, Gartner recommends taking a shorter-term approach by outsourcing IT security functions to managed security service providers.
This option promises a number of benefits:
Faster, more comprehensive security protection. Qualified IT security providers require minimal ramp time. They come with proven toolkits and processes, and can quickly assess, prioritize and implement security solutions for your organization. They also come with the experts who can interpret those results and help organizations spend their limited IT security dollars wisely.
More cost-effective. Building security infrastructure, creating processes and hiring and onboarding security talent are all costly and time-consuming endeavors. Employing an IT security provider can help organizations preserve capital by using an opex-based, ‘pay as you go’ service. Pricing models are typically transparent, with predictable incremental costs if you choose to expand the engagement.
IT can focus on core business. IT security providers can manage all aspects of security, even administrative tasks, allowing in-house IT resources to focus on more strategic, forward-looking initiatives.
Expertise beyond technology. While IT security providers are primarily engaged for their technical expertise, they bring other essential skills to the table. Implementing effective cybersecurity involves building processes, establishing training, and implementing reporting and compliance.
As cyber-attacks increase in frequency and severity, the shortage of qualified security resources threatens the ability of many smaller or mid-sized companies to protect their digital assets.
By working with external security experts, these companies may find the means to implement more comprehensive security — quickly and cost-effectively.
NTIVA cyber security Services
Managed Security Services
Ntiva’s managed IT services include a wide range of options to secure your IT environment.
All of our Managed IT service packages include round the clock monitoring and management of your network, systems and data -proactive patch management and software upgrades, - and unlimited access to expert IT advice through our Service Desk.
Our more advanced packages offer additional security services. Take a look at our pricing and packaging options to see which Managed Service Offering is right for you!
Virtual Chief Information Security Officer (vCISO)
As cyber threats continue to escalate, many companies are challenged with limited resources to stay ahead of risk.
Ntiva’s vCISO service allows you to leverage the executive leadership skills of our security and compliance experts who are not only CISO certified, but also have years of practical security experience.
This service has been developed for organizations that require a seasoned expert on staff, but don’t want to take on the expense of hiring and retaining the right talent. Our flexible offerings allow you to leverage the experience, skills and business acumen of vCISO either full or part-time, and who can perform the specific services you require.
Security Risk Assessment
A security risk assessment is the process of identifying, analyzing and understanding IT assets, possible impact of security risk, weaknesses and threats in order to implement appropriate security measures.
Conducted by our certified security specialists, our comprehensive assessment will uncover any security holes that might be putting your organization at risk.
Once complete, we’ll provide you with a complete report that includes actionable and prioritized recommendations that will help you to harden your security profile.
End User Security Training
It’s a well-established fact that employees are the weakest link in an organizations’ security chain. We all make mistakes, but unfortunately one single silly mistake can cause your business tremendous financial loss.
To protect your business, ongoing cyber awareness education is crucial. We offer customizable training services which include options for onsite training, computer-based training, and phishing campaigns.
Business Continuity Planning and Disaster Recovery
Business continuity and disaster recovery (BCDR) are closely related practices, in fact so close that we now see them more often than not combined into a single term.
However, business continuity is much more strategic and proactive, and generally refers to documented processes and procedures that an organization will follow during and after a disaster.
Disaster recovery is more reactive, and typically determines the specific technology solution to be used, and steps the organization should take place after an incident.
Our BCDR experts specialize in helping our clients create an appropriate business continuity plan that meets the organizations’ specific needs, along with recommending, deploying and managing the right data backup and recovery solution.