By Jason Porter, Vice President, Security Solutions, AT&T Business Marketing
Information security threats are evolving and companies are increasingly vulnerable. Traditional “grab and go” forms of breach are now being superseded as online criminals seek to gain access to valuable personal and financial data and corporate intellectual property through more insidious “low and slow” threats that are harder to detect. At the same time, the increasing prevalence of mobile enterprise applications, big data initiatives and Internet of Things (IoT) devices is giving cyber criminals new points of entry for malicious attacks.
This combination of new threats and greater exposure means that organizations of all sizes face heightened security risks in 2015. Fortunately, security technologies also continue to develop and, when implemented alongside robust security policies, can provide protection through multi-faceted prevention, early detection and rapid response.
What trends will information security officers most need to watch in 2015?
• Destructive malware spreads further and faster
While crimeware – such as keyloggers or password-stealing trojans – has typically been the most common malware against which companies need to protect themselves, new destructive types of malware are now on the rise. Wiper-style attacks and ransomware trojans are being let loose by cyberterrorists and criminal groups. Hacktivists are also adopting these new weapons as organizations gain the ability to mitigate the consequences of distributed denial of service attacks. In addition, destructive malware is now spreading into mobile environments.
Preparing for these types of attacks is crucial. Businesses use network security and analysis to improve detection of malicious activity before it can take hold, and offline backups to recover more quickly from incidents.
• Software vulnerabilities impact more critical systems
As is the case every year, a number of software vulnerabilities were announced in 2014. A few, like Heartbleed, Shellshock and POODLE, even caught the attention of people outside the IT community. We can expect more of this in the year ahead. Much of today’s software, such as the open source code used by device manufacturers to reduce development costs, is widely used across systems and vendors, which increases the destructive potential of vulnerabilities. There is no way to know where the next vulnerability will emerge, but there will certainly be more to come.
With vulnerabilities being more widespread, more critical systems will be exposed to attack. It will no longer be possible to avoid patching these critical systems so as not to disrupt performance. Thus, patching will become a new priority for organizations in the coming year.
• BYOD adoption reaches an inflection point
With the proliferation of “bring your own device” (BYOD) practices, security risks are multiplying. Users lack the knowledge and tools to adequately protect corporate information on their consumer devices or the privacy of their personal data in the corporate environment. Furthermore, some devices need to support more than two personas. For example, doctors who work for multiple hospitals need to segment and secure data from each organization, as well as their personal data.
Businesses can deploy a layered approach that addresses security with device-level containers to separate data for different uses, secure network connections and advanced security in the cloud, thus creating a highly secure end-to-end connection. Administrators will need to be vigilant in demanding consistent patching of BYOD devices. Now is also a good time to begin preparing for the next phase of BYOD: bring your own cloud.
• Unsecured IoT devices present an open backdoor
As organizations increasingly embrace the IoT to enable “connected business” and achieve efficiencies, concerns about the security of IoT devices are coming to the fore. Badly configured devices are not just vulnerable themselves, but could present hackers with an open backdoor to corporate networks. The use of inadequately protected consumer BYOD devices to control IoT devices adds to the problem.
The industry needs to do a better job manufacturing devices with proper security, but the limited processing power of many low-cost IoT devices and the difficulty of patching them will make this a challenge. In the meantime, isolating IoT devices in segmented networks with boundary protection and monitoring measures in place can help safeguard corporate assets. Businesses can also require device vendors to provide appropriate support and patching processes.
• SMBs find themselves in the crosshairs
The focus of cyber attacks is expected to shift dramatically to small and mid-size businesses (SMBs) in the coming year. Without the same level of protection as big enterprises, SMBs are attractive targets for cybercriminals, even if potential payouts are smaller. Banking fraud and scams now more commonly target smaller banks, while point of sale theft is shifting to smaller businesses as big retailers have upgraded their systems following high-profile attacks. Start-ups establishing infrastructure on a budget are particularly vulnerable, since they may be leveraging the cloud and mobile devices without adequate security strategies.
SMBs can go a long way to improving security simply by following the basics. These include anti-virus/anti-malware on all devices and network-level firewall protection, which can be cost effective, along with a monitoring strategy to quickly detect when a breach occurs. Regular user education is also a must. Most breaches can be traced back to someone making a mistake that could have been avoided.
Even organizations with good security systems in place will need to shift their thinking in two areas to ensure their networks remain protected in 2015.
First, companies should assume they will be breached and therefore should deploy robust monitoring systems to detect and respond to issues. Prevention is no longer enough. Even so, security threats evolve through incremental change. Organizations can monitor these changes and enhance their defenses as required. It takes time to launch a cyber attack, so it is possible to gather insights by paying attention at the attack preparation stage and therefore to prepare in advance.
Second, companies now need to treat assets inside the network as if they were on the outside. Consumer BYOD devices and IoT infrastructure in particular demand better controls, more complete threat management and constant event monitoring. On the flipside, it is now possible to create a public cloud with sufficient protections to allow the same security as legacy systems.
In the connected world of 2015, the threat of a cyber attack is now greater than ever. However, there is much that company directors and their information security officers can do to mitigate the risks as threats evolve. Continuous investment in information security and ongoing security education cannot be avoided.