Crippled services, decades’ worth of lost legal documents, millions of dollars in recovery — that’s the fallout from just one recent high-profile cybersecurity assault: the 2018 ransomware attack on Atlanta.
It was a wake-up call not just for municipalities, but for anyone with valuable assets and a modem. While cyberattacks can cost as little as $30 per month to wage, they cost businesses more than $45 billion in losses last year alone. There's a tremendous emotional toll to cybersecurity threats as well.
“We watch the human effects of this,” Kelley Misata, a member of Women in CyberSecurity (WiCyS) and the founder of Sightline Security, told Built In. “I think one of the hardest parts of security is people feel the pain of it. Victims are left feeling stupid and violated.”
Cybersecurity Threats to Know in 2020
- Phishing and Social Engineering
- IoT Susceptibility
- Cloud Vulnerability
- Third-Party Vulnerabilities
- Internal Attacks
- Data Rights Compliance
So what should organizations watch for? Nothing too fancy, it turns out. Despite a proliferation of transformative technology, cyber-criminals typically rely on the tried and true. According to security professionals we spoke with, they’re not yet leveraging newfangled tech like artificial intelligence and machine learning — a small number of nation state-backed organized syndicates notwithstanding. Nonetheless, traditional methods are continuously evolving and new vulnerabilities emerging.
Here are five major cybersecurity threats that organizations should keep an eye on in 2020.
Phishing and Social Engineering
“What’s new is what’s old,” said Kelvin Coleman, director of the National Cyber Security Alliance. Traditional phishing attacks (when cybercriminals try to obtain sensitive information, like passwords or financial information) are “still extremely prevalent and still extremely effective. If they weren’t, bad actors wouldn't use them.”
Phishing attacks — of both the targeted and broad sweep variety — are among the predominant threats for nonprofits, too, according to Misata. “And many of these nonprofits don't have the alert systems built into their network infrastructures to be able to say, ‘Oh my God, something's going sideways. We better look at it.’”
Threats like CEO-fraud spear-phishing and cross-site scripting attacks are both on the rise. In order to combat those incursions and many others, experts say, educational awareness and training are vital.
“An ounce of prevention is worth a pound of cure, so that you can mitigate a significant number of these attacks,” Coleman said. “There's a business case, too. You don't want to be known as the weak link.”
But baseline awareness isn’t enough.
“We have to be much more sophisticated,” said Steve Durbin, managing director of the Information Security Forum.
Companies, he added, must examine the underlying psychology of why a scam link was clicked. They also need to ask this question: Do we value speed over precision?
“We have to be clinical about the way we view the problem rather than assuming people click on things because they're stupid or don’t care,” Durbin said.
Ransomware
Ransomware — malware that encrypts a target’s data until a ransom is paid — has become a more familiar concept in the wake of highly publicized attacks like those on Baltimore and Atlanta. And it remains a major threat.
“Ransomware made the news over the last several years and I think it became very known to the public at large,” Coleman said. “We’ve known about it for a while, but ransomware is still a huge problem for businesses and organizations.”
Ransomware perpetrators typically avoid demanding huge sums of money, increasing the likelihood that victims will pay. But the cybersecurity community’s consensus opinion is “don’t pay,” Coleman said, even though the cost of that approach may be significantly higher. Baltimore’s tab for recovery and system reconstitution, for example, could reach $18 million. The unpaid ransom, $80,000, was a small fraction of that.
“We don't know the full extent that people are paying because, of course, not everyone is going to say they paid,” Coleman said. “There are credibility and liability issues. We know that number is underreported.”
Beyond the financial gain component, Coleman added, cybercriminals might be further motivated by politics or revenge. Nonprofits ranging from food banks to hospitals have been an especially prominent target because they often lack effective cybersecurity resources and institutional security knowledge.
Even though the sector as a whole is making strong improvements, Misata said, “They’re the lowest hanging fruit. With data security and information security, the threat landscape is not something that’s top of mind for nonprofits.”
She cited a particularly troubling example in which a ransomware-stricken nonprofit hospital had to temporarily shutter its emergency room.
“People had to be redirected and some passed away from heart attacks. Whether or not that attack was targeted or just random, they don't know, because you don't have those types of forensics available for those organizations to do a deep dive.”
For those who do pay ransoms, it might not be as simple as calculating the cheaper option.
“The mindset of people I speak with is, ‘We wouldn't know what to do. So we would most likely pay it to make the problem go away,’ versus looking at, ‘What are our options?’” Misata said.
Third-Party Vulnerabilities: IoT, the Cloud and the Traditional Supply Chain
There’s a joke in Internet of Things circles that the S in IoT stands for security. (Get it? There’s no S.) Even so, IoT devices number in the billions and continue to multiply. And all types of businesses use them — everything from connected cameras to voice assistants to connected logistics gadgets. Nonetheless, experts say, security standardization has failed to keep pace with adoption.
“A lot of these devices aren't intended to have any kind of patching,” said Sai Honig, a New Zealand-based security specialist and WiCyS member. “You buy it, you use it. So there's not really an accepted standard on how we maintain the security around it.”
Lawmakers are beginning to propose and pass more IoT-focused security legislation. This past March, the U.S. Congress introduced the Internet of Things Cybersecurity Improvement Act. And last year, California became the first state to pass IoT cybersecurity laws. There’s also plenty of chatter around so-called security by design guidelines. But those developments still don’t fully mitigate the threat.
“That's not going to get away from the challenge we have, which is that IoT devices have been out there in the wild for very many years,” Durbin said. “Many were never secure, and many are still very active. That's going to present some real challenges to organizations and enterprises as we look across corporate real estate.”
Another potential third-party vulnerability stems from cloud ubiquity. Even though the cloud can be and often is a secure environment, companies shouldn’t consider it out of sight, out of mind.
“As we migrate to cloud-based environments, enterprises still retain responsibility for the integrity, confidentiality and availability of that data,” Durbin said. “Yet all too often, particularly with smaller enterprises, there is some assumption that because I've outsourced my data in the cloud with Amazon or Google, it must be secure. But we know it depends very much on the security posture that you've adopted.”
Here’s the thing, Durbin added: Most organizations aren’t able to audit the effectiveness of a cloud provider. To that end, he said, expect to see a continuing trend toward hybrid environments — at least among a select group of “pretty advanced” organizations.
Companies have always faced some degree of exposure through the traditional, vendor-lined supply chain, but the prevailing gig economy adds a new wrinkle. Contract workers often don’t have full security induction, but companies still grant them access to sensitive data — knowingly or not.
The question is: Whom do you trust?
“Executives within an organization will harp on about the need for trust, but they need to demonstrate that in how they contract employees,” Durbin said. “How do you protect critical information from an insider, because nobody walks into the office with a badge that reads, ‘Hey, I'm an insider.’”
Which leads us to...
Internal Attacks and Vulnerabilities
Businesses now know that some of the most dangerous calls come from inside the house — yet they’re still getting hit. Nearly three-quarters of organizations that took part in a recent Crowd Research Partners study said they have “appropriate controls” to prevent internal attacks. And yet, more than half admitted they’d fallen prey to at least one such attack in the previous 12 months.
“The issue of how you manage the insider is a really challenging one,” Durbin said.
Coleman pointed to a recent and “extraordinarily dangerous” high-profile insider attack at Twitter by two former employees who were spying for Saudi Arabia.
“It’s probably the scariest to me because with other threats, you can at least control for what you don't know, build defenses, and try to mitigate against that challenge,” Coleman said. “But insider threats depend on how people are feeling and what their motivations are.”
Insider threats aren’t always headline grabbers, though. A company is far more likely to be hamstrung by internal sloppiness than by maliciousness, Durbin noted, whether it’s falling for a phishing attempt or failing to patch code.
“And there's a third category, which are the people who know they're doing things wrong but think there's a good reason for it, like business expediency.”
Instead of instituting the newest cybersecurity stack, he said, it’s more important to shore up institutional rigor.
“Sometimes companies are so quick to use the latest and greatest, and they haven't really mastered the security protocols in educating their team on how to minimize careless mistakes.”
Data Rights and Compliance
Momentum appears to be gradually building for the implementation of more stringent data-protection safeguards thanks in part to the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). That’s great news for the broader cybersecurity picture, but it also creates a state of flux, because practices may not be uniformly compliant.
A shifting regulatory landscape means that many companies must decide whether or not to meet the strictest requirements.
“It makes for an interesting environment,” Honig said. “How do you prepare for some of this stuff?”
And the interconnected nature of the business environment means regulations have a broad reach. GDPR rules, for example, apply to even non-EU-based companies if they offer services to the EU or monitor behavior of data subjects in the EU.
“We're in the age of globalization, whether we like it or not,” Honig said, pointing to the ever-embattled relationship between the United States and Chinese 5G development powerhouse Huawei. “Companies know they need to prepare for big changes that are coming, but they don't know which way the wind is blowing because of political shifts.”
Those realities, coupled with pressure applied by insurers, mean company heads must closely monitor liability issues. Plus, those affected by data breaches are hardly litigation-shy these days.
“When a major breach happens, a slew of class-action suits tend to follow,” Durbin said. “So some insurance costs will go up, and directors and officers will become more and more involved.”
The sheer and ever-growing number of threats and vulnerabilities can be overwhelming. In light of that, organizations should be mindful of not nuking a mosquito when a simple hand slap will do. It's all about using available resources to find the most effective security for your particular situation, Misata said. One size definitely doesn’t fit all.
“We help them step back and say, ‘There's a ton of options. How do you know you’re being trained on the right thing at the right time? Let us help you identify what your needs are.’”