Telstra recently published its 2019 security report, which is aimed at helping businesses better understand and respond to cybersecurity threats.
The report reveals that nearly one-third of organisations estimate that breaches occur completely under the radar more than 40 per cent of the time. Also, since the introduction of GDPR, 55 per cent of organisations reported that they have been fined for data security breaches. This all points to a serious challenge. This report breaks down the various elements that combine to result in high potential levels of vulnerability and offers some succinct action points on steps that can made be to bolster security.
IoT sensors are weak-point for hackers
The emergence of IoT is delivering dramatic improvements to business processes and for the good of society. However, the thousands upon thousands of sensors that are the new network end-points give criminal hackers more opportunities to enter insecure networks and cause havoc or steal money.
To compound the increasing number of possible entry-points for bad actors, is the fact that simple hardware components have no in-built security whatsoever. The sensors that might make up an IoT solution, such as temperature and moisture sensors in an agricultural setting, are notoriously easy for hackers to compromise. Moreover, once the breach has taken place, it can then be extremely difficult to detect in the first place and mitigate once discovered.
All of the above contributes to what is described as an “increased attack surface” for the cyber criminals to exploit.
In a classic game of cat and mouse, on the side of the bad actors there is a new supply-chain in existence, where lone-wolf hackers and small time petty criminals are discovering vulnerabilities within smaller business – and then selling either viruses or stolen credentials and passing these on to criminal gangs and state-sponsored cybercrime groups. Worrying indeed. Information, tools, stolen data, and comprised ID information are all now available on the dark web and shared freely among hackers and criminal gangs. There is no discrimination and smaller companies are just as likely to become targets and victims of attacks, and used as vectors into larger businesses and government.
Corporate-wide policies needed to protect against human error
The fact is that many breaches take place due to human error – either intentionally or unintentionally. Technology is available to prevent and react to cybersecurity breaches. But without a corporate-wide policy and programme, which is fully supported by the leadership of the company and across all members of staff, vulnerabilities will emerge.
Referring back to Telstra’s security report: at least 30 per cent of European respondents reported monthly or weekly brute-force hacking, malicious insider, and employee human error incidents during 2018.
Basic accidental errors are most prevalent overall, with 88 per cent of European respondents reporting experiencing these incidents at least once in the last 12 months, and 26 per cent identified the greatest risk of their organisation’s IT security likely to come from an accidental insider.
Therefore businesses need senior executives to take part in the security programme, and ensure that company-wide training on policies and the required steps for security compliance are adhered to and frequently reviewed.
How to improve cybersecurity
Companies need to begin adopting a more holistic view to security. In the past – before network and IT virtualisation and cloud platform adoption took off – the act of placing a firewall between the corporate site and the internet or private network was good enough. Today the security threat landscape has changed enormously and this means that security must be built-in at multiple points, including within the organisation’s LAN, on mobile devices, perimeter firewalls, and also into cloud and internet-hosted systems. Furthermore, if the internet of things (IoT) is a part of corporate systems, then efforts must be made to secure the network endpoints (sensors) right at the edge.
The second area to address is that of “zero trust”: companies need to start from the assumption that they are being hacked right now, or have already been hacked. Employee log-in activity has to be verified beyond basic username/password, ideally with double- or triple-factor authentication to thoroughly check that users are who they say they are.
Finally, bearing in mind that accidental insider breaches are common, organisations need to maintain regular employee training and education programs to make sure that this weakness is addressed effectively.