Taken from our new playbook, which highlights the major trends in cybersecurity, here is the second set of top trends. In case you missed it, here is part 1.
6. The Internet of Things (IoT) will have repercussions across all organizations
The IoT represents a key emerging challenge for all organizations by muddying the boundary between the physical and online worlds. The truth is that many IoT devices were not designed with security in mind. Now that we are connecting everything from refrigerators to hair dryers to the Internet, it’s just a matter of time before a significant breach occurs.
It is likely that organizations will increasingly suffer breaches originating from an insecure IoT device connected to their network. With the IoT, organizations risk creating loopholes in their own firewalls and providing access to devices on their network. The access point might be anything from a security camera or network printer to a climate control device or a remote-controlled light bulb. Once inside a network, hackers can take over connected devices and misuse them as part of a bigger hack or distributed denial-of-service attack.
7. Collaboration is the solution for cybersecurity in the supply chain
The nature of global supply chains demands that companies exchange sensitive information with multiple partners, some of them several tiers removed from the provider. For this reason, after the organization’s employees, the supply chain is often the next weakest link, with some large organizations linked to as many as 400,000 suppliers. To highlight the scale of the risk, 63% of breaches can be traced to third-party vendors, according to the Soha Systems survey on third-party risk management.
Not surprisingly, some of the biggest and most complex supply chains have so many external partners that they are unable to assess the risk of doing business with one another. Hackers know that the more interconnections there are, the greater the number of weak links that can be exploited, especially if the supply chain is not properly managed in terms of cybersecurity.
To remain safe, organizations must ensure confidence in third parties’ data safeguards, security policies and procedures, and determine whether their security posture is sufficient to respond to a data breach or cyber attack.
8. Organizations need to prioritize data integrity
We can expect to see attackers changing their methodology from pure data theft and website hacking to attacking data integrity itself. The goal of cyber attacks is normally to obtain sensitive information that can be held for ransom or sold. But even if finding protected data is the goal for attackers, organizations also need to be concerned about the integrity of their data, protect it from unauthorized changes, and make sure they are alerted to any changes as they occur.
An attack on data integrity, in comparison to straightforward data theft, serves to cause long-term harm and damage by getting people to question the integrity of the data. Some possible scenarios to consider:
- For healthcare organizations, considering recent medical record breaches, if someone changes medical records, the lives of patients are literally at risk.
- For airlines or travel companies, ensuring the integrity of schedules – from traveler information to engine maintenance – is critical to operations and brand reputation.
- For financial institutions or public companies, even small changes in data can quickly create big problems, especially if those data are part of regular reporting to shareholders or filings with regulatory agencies.
Evidence of data theft is often provided by tools that monitor the movement of data. One of the many challenges with data integrity attacks – where data does not move – is that the effects may not be detected for years, until there is a reason to question the data.
9. Organizations must get serious about monitoring and managing third-party risk
Third-party risk management is already a key priority for many organizations. Most have established regular assessment protocols but few go beyond a ‘one snapshot at a time’ approach. This emphasis will likely shift to the need for continual monitoring. Security in this new age is about putting in place a sustainable, proactive approach to ensure that your enterprise can adapt intelligently and quickly as new forms of threat are identified.
The frequency and diversity of attacks mean that organizations need to be able to establish a baseline view of what “normal” looks like in order to be able to prioritize activities instead of simply reacting to every security event. Furthermore, the increased regulatory focus on vendor risk, coupled with the upcoming deadline of the GDPR, means that firms won’t be able to continue outsourcing their security risk to third parties.
By adopting an optimized, continual monitoring approach, organizations can move from a compliance-driven prevention focus to one of actively seeking out and countering threats to their most valuable digital resources.
10. The cybersecurity skills shortage is not getting any better
Cybersecurity has been identified as the top ‘problematic shortage’ area across all of IT for the past six years in a row. In 2017, 45% of organizations said they had a “problematic shortage” of cybersecurity skills. Correspondingly, when Information Systems Security Association (ISSA) members were asked to identify the impact of the cybersecurity skills shortage on their organizations, 35% said a lack of cybersecurity skills led to an inability to use some security technologies to their full potential, according to the ESG Research Report.
This points to a couple of clear conclusions: the cybersecurity shortage is not getting any better, and it is having a real and demonstrable impact on organizations.
LESSONS TO BE LEARNED: PART TWO
In case you missed them, here are the first five of the top ten cybersecurity trends.
Download a free copy of the Cyber Testing Playbook to discover how you can build a stand-out cyber testing program.