The new cyber threats read like the script of a horror movie.
Hackers are smart. And they're busy—generating 300,000 new malware attacks and hacking 30,000 websites daily. Phishing attacks—also known as social engineering—target human emotions, tricking recipients into an action that puts themselves and their information at risk. On average, 1 out of every 99 emails is a phishing scam. That averages about 4.8 phishing emails a week per employee, and nearly 30% of those get past security filters.
Phishing is a factor in 90% of data breaches. Last year, data breaches increased 54% over the previous year. Data breaches happen so frequently that only the really big ones make the news. That may be why 66% of small business owners think their company is too small to be a target. They're wrong. Small businesses were targeted in 43% of cyber attacks last year. The average cost of recovering from a cyber attack, for businesses of all sizes, is $200,000. Large businesses have greater resources, so they are more likely to recover, but recovery costs can range into the millions—or billions of dollars. Smaller business are more vulnerable. Sixty percent of small businesses that are victimized go out of business within six months.
Phishing, viruses, malware—these are the familiar threats. But even more challenging threats have entered the picture through IoT devices, 5G, and edge computing. Threat analysts warn that the rapid and widespread adoption of these technologies has outstripped the pace of security, making companies even more vulnerable to cyber attack. Then there's the biggest threat of all. It's not new, but it's more dangerous than ever.
This blog summarizes what you need to know—and the steps you can take—to reduce your risk of becoming a victim of cyber attack.
The Internet of Things (IoT) promises control and convenience. Smart devices control our thermostats, lock our bikes, start our cars, check our calendars, water our lawns, call our friends, and monitor our babies. And along with the smart devices employees bring to work for fun or convenience, business owners are urged to install smart calculators, printers, vending machines, digital assistants, building management platforms, vacuums, video conferencing tools, and even light bulbs. Yes, you read that right: smart light bulbs.
Consumer demand is fueling the IoT market, and businesses are adopting IoT devices to increase efficiency and productivity. The IoT market is expected to grow from $190 billion in 2018 to $1.1 trillion by 2026.
But the manufacturing pace of these devices is much more rapid than the risk assessment and security development. A Brookings Report warns that manufacturers who are "underinvest[ed] in cybersecurity" and consumers who fail to consider security risks before making purchases are increasing cyber attack risks. The report recalls the 2016 incident in which "hackers shut down major portions of the internet by taking control of millions of low-cost chips in the motherboards of video security cameras and digital video recorders." The cameras and recorders were not the target of the attack; they were the means through which the attack was accomplished. Your IoT devices may seem completely harmless with no reason for concern, but they could be the channel through which hackers gain access to another target.
The IoT market is growing in conjunction with the rapid adoption of 5G. Together, the two have security analysts very worried.
Two thirds of companies are expected to connect to 5G in 2020. If you believe the commercials broadcast by Verizon, T-Mobile, and other networks, 5G wonderfully fulfills the promise of higher bandwidth, lower latency, and other enhancements.
All that may be true, but according to Paul Lipman, CEO of Bull Guard, "5G is scary." Lipman explains: "Because 5G is a switch to mostly all-software networks, and upgrades will be like the current periodic upgrades to your smartphone, the cyber vulnerabilities of software poses potentially enormous security risks." Rapid adoption of 5G before risks are completely understood and security measures are established exponentially increases both the attack surface and the severity of the potential consequences.
The Brookings Report explains that with 5G, instead of a centralized, hardware-based structure with a centralized security "choke point," networks become distributed, software-based routing systems. "Higher level network functions" formerly performed by hardware are now virtualized in software that uses well-known operating systems and common IP language, making the software highly vulnerable to attack. The report goes on to warn that "Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network."
With the rapid and widespread deployment of 5G, IoT devices have grown more sophisticated, leading the way to mass adoption of edge computing.
Edge computing places computational tasks as close as possible to locations where data is being created and used. Instead of transporting data to the cloud for processing, data is processed by computational devices placed "at the edge" of the network or on a nearby server or computer, where it can be analyzed and applied immediately.
Advocates of edge computing tout speed, lower latency, reduced network traffic, improved efficiency, and lower cost as the advantages of edge computing. According to IBM, about 15 billion edge devices are now in use. That number is expected to grow to 55 billion by 2022—and to 150 billion by 2025.
5G enables edge computing devices to be connected directly to the network without passing through a company's internal network security protocols. This distributed connectivity is sometimes offered as a security advantage: an attack on an edge device would be less likely to spread to the company's internal network. However, like IoT devices, edge computing devices are being manufactured at a pace that outstrips security research and risk assessment. Locating devices in work areas instead of in a secure IT data center makes them vulnerable to compromise from careless or disgruntled employees, and direct network connection on a software-based network makes the devices, along with the data they store and process, more vulnerable to cyber attack.
"We have met the enemy, and he is us."
The Pogo cartoon twist of the famous quote by Navy hero Oliver Hazard Perry has never been more applicable. The biggest, scariest cyber threat facing companies in 2020 is people. Hackers know that the people are the weakest link in cyber security. Ninety percent of cyber attacks start with phishing. Research shows that even though 78% of employees know not to click on a suspicious link, 4% will click anyway.
Phishing attacks continue to increase for one reason: they work. Whether through carelessness or malice, just one employee clicking one link can bring down an entire system of security protocols.
And hackers are getting smarter. Phishing emails are becoming more sophisticated. The tell-tale signs of incorrect spelling and awkward wording are being replaced by more realistic appeals. Experts warn that phishing attempts are increasingly directed at mobile devices. In fact, personal email, social networking, SMS, and MMS are expected to become the most common targets because mobile phishing success rates are higher. Researchers attribute this to the smaller screen size and the distracted attention most people give to mobile devices. When successful, the attacker may gain control of a user's personal information, including work IDs and passwords.
This risk is exacerbated as more employees use personal devices for company email and work. Unsecured networks in coffee shops, airports, restaurants, and other locations increase the vulnerability of information stored on personal employee devices.
Yet despite this greatest threat, just 3 out of every 10 employees receive annual security training.
How to reduce your risk of cyber attack
The cyber security landscape is a scary one, but you can take specific steps to significantly reduce your risk. Here's a summary of what the experts recommend:
1. Regular employee training is essential. Train employees to recognize and respond appropriately to phishing emails. Provide exercises and occasional tests to make sure they respond appropriately. Repeat training regularly—at the very least, annually. New employees are the most vulnerable targets, so include cyber security training in every new employee orientation.
2. Adopt a secure password policy that requires passwords to meet security standards. If employees have access to multiple parts of the network, require different passwords so that if one password is compromised, the damage can be limited to one part of the network. Make sure all employees know never to share passwords and never to use the same password for more than one account or application. Password information or reminders should never be given by email or text. If you are not using 2-factor authentication (2FA) for secure access, you're behind the security curve. Many companies are already moving to multi-factor authentication (MFA) or biometrics.
3. Protect servers and other critical computing devices. Encrypt data on servers and locate servers and critical devices in securely locked areas. Adopt a policy of least privilege that limits access—both physically and online— to the least amount of information and access an employee needs to accomplish his or her job.
4. Install a user monitoring system that records each user's access to data and equipment. Small businesses are the least likely to realize the critical need for such a system. That may be why the average time before a small business detects a threat is 101 days. A lot of damage can happen in 101 days.
5. Immediately cancel access for employees who resign or are terminated.
6. Research security risks or consult a security adviser before installing IoT or edge computing devices and before adopting 5G.
7. Do a regularly-scheduled inventory of every device connected to and through your network, including IoT and edge computing devices. One gap in your security can leave you vulnerable. J. P. Morgan learned that the hard way in 2014 in what was, at the time, the largest financial data breach in history. The company was spending $250 million annually on security. Like most banks, they had upgraded to double password authentication (2FA). But one server was overlooked in the 2FA upgrade, leaving a vulnerability that allowed hackers into the network, where they accessed more than 90 servers. The bank never revealed the total cost of recovery, but estimates put it above $12.7 billion.
Automate security reviews and upgrades, including software updates and removal of legacy programs (programs no longer supported by manufacturers). Make sure you have a strong firewall and have installed anti-virus and anti-malware software on every workstation. Configure every workstation to lock automatically after a few minutes of non-use and to require password re-entry for access. An employee who steps away from an unlocked computer—even just to grab coffee or take a restroom break—leaves a gaping hole in security.
8. Analyze your website for security vulnerabilities. Many business owners are unaware of issues like cross site scripting (XSS) that make websites vulnerable to attack.
9. Verify security on your cloud account. If you store or process data in the cloud, make sure you know the security level and procedures of your cloud provider. Agree on communication procedures in the event of a breach so you can be assured of immediate notification and action.
10. Make regularly scheduled off-line, off-site backups of your data. Cloud back-ups can be helpful, but experts warn that cloud attacks are increasing and that ransomware attacks frequently infect back-ups connected to your network. Should you ever become a victim of cyber attack, either online or through insider attack, safe back-ups will help you restore your data and get back to business.
Why you should take these steps—now
Accomplishing these goals will incur some costs—in both time and money. But those costs pale when compared to the cost of recovery from a cyber attack. If you need any further motivation, just do a bit of your own research on the 2020 cyber security landscape. After reading that horror movie script, you'll sleep a lot better once you have taken every reasonable step to reduce your company's chances of becoming a victim of cyber attack.
If you aren't sure your website is secure, we can help with that. Give us a call at 833-932-3746 or email us at firstname.lastname@example.org. We'll be glad to listen to your concerns and talk about how we can help.