Speaking at a recent CRN-hosted security summit for midsize enterprises, Paul Furtado, Gartner’s Vice President of Midsize Enterprise Security, stated, “The only thing harder than defending yourself against a cyberattack is telling your executives and your partners why you didn’t do enough to protect yourself.” His comments reflect the current shift from our historic “Trust but Verify” security model to one of “Never Trust; Always Verify,” also known as Zero Trust.
Expectations are changing and our tolerance for breaches is dropping. More than 56% of successful attacks exploit known vulnerabilities with patches available for more than 90 days. Frankly, many of us are failing at the fundamentals of IT security and this needs to change.
While smaller in size, SMBs remain prime targets of cyberattacks. With “Ransomware as a Service” readily available, finding and attacking vulnerable small businesses is inexpensive and effective. SMBs tend to have fewer security protections, are less able to recover from an attack, and are more likely to pay ransoms.
Here are 7 security trends that warrant our attention and action:
1 Zero-Day Exploits
As the name implies, Zero-Day Exploits take advantage of newly discovered security holes before our tools and systems can be updated to prevent an attack.
Next-generation solutions are needed to protect against attacks on devices, in the flow of email, and in web traffic.
2 Insider Threats
Insider risk refers to every account that has access into an organization’s environment, including service accounts, custom integrations, and API accounts. Insider threats, meanwhile, are the small percentage of insiders actually doing something that will cause a security incident, intentionally or not. For example, the growing use of QR codes lets attackers distribute malicious QR codes that install keyloggers and screen grabbers to steal identities and multi-factor authentication tokens.
We need Security Awareness Training to help individuals understand the risks and build safe habits.
3 Regulatory Changes
As noted, security expectations are changing, and so are state and federal laws. Passed by the Senate this year, the Strengthening American Cybersecurity Act will require businesses to report significant cyber events within 72 hours and ransomware payments within 24 hours. These requirements sit on top of other federal regulations, multiple states’ privacy laws (CCPA, MA PII, etc.), and industry regulations (PCI-DSS, etc.).
With cyber insurance and cyber response services in place, small businesses are more likely to avoid fines, losses, and legal actions.
4 Internet of Things
Internet of Things (IoT) devices and similar automation technologies are popular and often lack basic security features.
As IoT-based solutions move into smaller businesses, we need to secure and monitor devices and the networks on which they run.
5 Supply Chain
Bad actors know that attacks on supply chains can be more effective than attacking an intended target.
If your smaller business is in the supply chain of a larger company, expect security to become an issue. They are likely to request, or demand, additional security measures as a condition of your business relationship. And be ready to demonstrate (prove) that you actually do what you claim on the security checklist.
6 Data Mining
Data mining enables attackers to not only go after your business, but your vendors and customers as well. Imagine attackers telling your customers their private data will be released if you do not pay the ransom. Even more common, imagine your customers receiving emails “from” (impersonating) you instructing them to send money.
We need to start protecting unregulated data in the same ways we protect regulated data. Encryption, for example, does not prevent a breach, but it ensures that stolen data cannot be used.
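The point above, that encrypted data is useless to whoever steals it, is easier to see with a concrete encryption-at-rest routine. The following Go program is an added example and not code from the article or from any product it mentions; it assumes the key is kept somewhere separate from the data store (a KMS, HSM, or secrets manager) and uses a constructed sample customer record. It seals the record with AES-256-GCM, shows that the key holder can read it back, and shows that a copy opened with a different key, or a copy that has been tampered with, fails outright rather than yielding usable data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record: the kind of "unregulated" customer data the text
// says should be protected the same way regulated data is.
const sampleRecord = "customer=Acme Widgets; contact=ops@example.invalid; terms=net30"

// NewKey returns a fresh 256-bit AES key. In a real deployment the key lives
// in a KMS/HSM or secrets manager, separate from the data store (assumption),
// so an exfiltrated database does not carry its own key with it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. A random nonce is prepended to the
// ciphertext so each stored blob is self-describing, and GCM's authentication
// tag lets Open detect any modification of the blob.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error, never partial or garbage plaintext,
// when the key is wrong or the stored blob was altered.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := NewKey()
	blob, _ := Seal(key, []byte(sampleRecord))
	fmt.Printf("stored blob is %d bytes and reveals nothing about the record\n", len(blob))

	// The data owner, holding the key, reads the record back.
	pt, err := Open(key, blob)
	fmt.Println("owner decrypts correctly:", err == nil && string(pt) == sampleRecord)

	// A stolen copy opened without the right key is useless.
	otherKey, _ := NewKey()
	_, err = Open(otherKey, blob)
	fmt.Println("stolen copy without the key:", err)
}
```

The design choice that matters here is the separation of key and data: the blob on disk carries its nonce and authentication tag but never the key, so a database dump or a copied backup is only ciphertext. Authenticated encryption (GCM) is used rather than a bare block mode so that a modified record is rejected instead of silently decrypting to something plausible.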
7 Ransomware
It would be nice to think we are past the ransomware pandemic, but we are not. Over 80% of ransomware attacks are on small and mid-size businesses. Because attacks have moved beyond encryption to data exfiltration, attackers are likely to understand your business and set ransoms that are steep but payable (often 1% to 1.5% of annual revenue). Businesses hit by ransomware average more than 20 days of significant business disruption. On average, they permanently lose more than 35% of their data.
A response and recovery plan that includes business continuity ensures that you can keep your business running while you respond to and recover from an attack.