Data and information are power. From private companies and enterprises to government agencies, schools, health care organizations and non-profit foundations, every type of business or institution regards its data as its greatest treasure. That treasure can contain personally identifiable information (PII) such as names, addresses, birth dates, social security numbers, and medical records, as well as intellectual property—including patents, trademarks, financial information, and more.
With this in mind it's safe to assume that organizations are highly interested in protecting their data; after all, it's at constant risk. If it's valuable to the organization, it will surely be valuable to malicious actors, whether to be sold on the black market, used for market advantage, leveraged to ruin reputations, or just because.
To protect ourselves against risks, we should first know what they are, and understand them. While every organization has an abundance of risks (including competitive, economic, operational and strategic risks), they tend to put less focus on security risks. This is unfortunate, as security risks could impact and heighten other risks: loss of data can impact reputations and cause operational issues such as downtime, not to mention the substantial financial losses organizations suffer due to data breaches.
We mentioned security risks when we talked about risk assessment and risk management, and how we use the two to lead better-informed decision-making when understanding and mitigating security risks. Additionally, we went over what constitutes a risk in cybersecurity, but we're now due for a deeper dive into the security risks that plague the current threat landscape.
- The 7 most popular security risks across all organizations
The 7 most popular security risks across all organizations
Before we explore today's most common security risks, let's reiterate what a security risk actually is. Security risk is the likelihood of financial, operational and reputational damage resulting from the failure of an organization's IT systems as a result of a cyber incident, such as a data breach or other type of cyber crime.
We can recognize several sources of security risks. These can be:
- Insider threats, such as competitors engaging spies among your own team members, disgruntled employees, or simple human error
- Outsider threats, such as cyber criminals, hacktivists, and nation states
- Third-party providers and suppliers
Data breaches and cyber attacks can be perpetuated for different reasons. These can include financial gain by selling the data on the black market, identity theft, disruption of services, activism, or even as the result of sheer negligence. While there are a number of reasons for them and different organizations face different risks, there are some that affect all industries and organizations of all sizes.
Last week, we ran a poll on our Twitter account to see what our followers have to say about the most prolific security risk they've encountered at their workplace, and in general. Here are the results:
As per our results as well as current news and research, we've compiled a list of the 7 most common security risks that all organizations should be aware of:
1. No backup and recovery plan
Surprisingly or not, our followers did say that the lack of a backup and recovery plan is the number one risk for organizations today. Statistics support this claim, too: a survey of SMEs by Riverbank IT Management found that 46% of SMEs don't have a backup and recovery plan, and for those that do have it, 23% have never actually tested it.
Recovery plans are designed to protect organizations in times of disaster, including security incidents and data breaches. A backup and recovery plan focuses on the policies and procedures organizations should follow in certain scenarios to protect their most valuable assets and systems and reduce downtime, financial impact and reputational loss.
While every organization will have a unique backup and recovery plan, the objectives are the same across the board.
To be truly prepared for a cyber attack, having a plan in place is crucial. This means knowing how to contain the attack as well as knowing how to minimize the damage it would entail. There are several components to a successful backup and recovery plan:
- Objectives of the plan
- Actions to implement before, during and after the incident
- Network diagram of the organization
- Knowledge of critical assets and systems, including the impact of an outage and maximum outage time allowable for each of the assets
- Risk analysis and identification
Additionally, periodic testing of the backup and recovery plan is important. Doing so provides confidence in the organization's ability to recover from a security breach and helps to ensure that it meets its needs continuously.
2. Mobile security
Many companies are shifting their focus to employees working remotely, and as with any great shift in operations, new risks are involved. Even before this new dawn of remote work, a great number of users have been making the move from large screens to mobile devices, accessing organization's networks from different devices.
More and more, critical tasks are being performed with mobile devices, and more sensitive data is accessed through them.
Mobile malware is also on the rise, with a report showing that vulnerabilities have been found in 38% of mobile apps for iOS and in 43% of Android apps. This means that users need to build greater awareness around mobile security and its ever-present threat.
Thankfully, we have a fully dedicated Mobile Security 101 post that provides an overview of the most common mobile security threats and how to protect yourself against them. Among the threats covered are:
- Public WiFi
- Phishing attacks
- Data leaks
- Malicious apps
- Stolen and lost devices
- Unencrypted data
Good cybersecurity hygiene should apply to the use of mobile devices. We highly recommend you check out, or re-visit, our post sharing practical tips on staying diligent and protecting your devices against these common threats.
3. Insider threats
According to a recent study, 57% of all data breaches weren't caused by malicious outside attackers, ransomware, nation states or hacktivists, but by insider threats within an organization. And when talking about insider threats it's important to note that the intent behind these threats isn't always malicious—negligent employees clicking on a wrong link, or carelessly divulging sensitive information, can also be the cause. Human error remains the top cause for data breaches, and it's clear that organizations should maintain focus on the inside of the premises as much as on the outside.
Insider threats can be difficult to detect. When someone already has access to sensitive information, it isn't easy to see the intent behind their interaction with that data. The same goes for tech-savvy employees; they're able to cover their tracks and can remain undetected for months or even years. Therefore, watching for indicators of compromise is crucial. These can be:
- Unusual or suspicious behaviour
- Data transmission to outside channels
- Unusual access requests
- Increase of individuals gaining access to sensitive information
- Increased bandwidth usage
- Downloading large amounts of data
Besides keeping an eye out for IoCs of insider threats, organizations should also invest in security awareness training, monitor user access to critical information and their login activity, and keep a log management solution in place.
We've gone into detail on insider threats recently, so to learn more about each indicator of compromise, and ways to detect and protect yourself against dangers that come from within, we recommend reading that in-depth post.
4. Social engineering
Ah, social engineering. As humans, we're susceptible to manipulation and attackers have used psychological tricks to get the best of us since the beginning of time. We're not able to avoid this risk merely by applying protection software and watching for indicators of compromise.
No one can truly predict human behavior in every approaching moment. All it takes is one click on a link with a lucrative offer that doesn't appear too good to be true—and you could be facing a devastating data breach.
Malicious attackers are always finding new ways to trick individuals into divulging their private data and granting them access to critical areas. We all know about phishing, but there are a number of other types of social engineering attacks we recognize:
- Spear phishing
- Quid pro quo
As social engineering exploits basic human behaviour and plays on the susceptibility of the human mind, it's hard to find foolproof ways to combat it. Even the most tech-savvy of users can fall victim to a lucrative spear phishing email, tailored specifically for them.
You can never be too paranoid when it comes to cybersecurity. Be skeptical, and alert, at all times—even if the email appears to come from an address you communicate with often, such as a third party supplier or the support team from a solution you frequently use. Always verify the sender as a person of trust.
To heighten awareness across your entire organization and to ensure that your employees are well equipped to spot these attacks, a healthy cybersecurity culture is your strongest foundation. Visit our post on social engineering attacks for a closer look.
Ransomware is one of the scariest security risks out there. Truthfully, we don't know anyone who wouldn't be scared to find themselves in a situation where their sensitive and private information has fallen into the hands of malicious attackers demanding a ransom for its return. And even if you agree to pay it, can you trust that your data will be returned to you?
Ransomware is a type of malware that infects a computer or network, encrypts the files or denies access to them, and demands a ransom in return. The malware doesn't delete the files, they are present in the system, but inaccessible without the decryption key. And guess who has the decryption key? The criminals behind it, and they are willing to give it to you—if you pay the ransom.
If you refuse to pay the ransom the files might be deleted forever. And because the data often contains information like health, financial, customer or intellectual records, it's easy to see why many organizations do pay the ransom. But when it comes to protecting against ransomware, the most important best practice to uphold is not paying the ransom—ever!
Thankfully, we won't leave it at just that. As with many of these security risks, we do have a post that's fully dedicated to ransomware for a detailed exploration of this risk and how you can protect yourself from it.
6. Cloud security
As more organizations gravitate toward the cloud for data storage and services, malicious attackers are following suit and finding ways to penetrate cloud computing environments. Security is often cited as one of the most substantial roadblocks for cloud computing utilization.
Some of the biggest security vulnerabilities found in cloud computing are misconfigurations, poor access control, shared tenancy, and supply chain vulnerabilities. Cloud security should be everyone's responsibility, as we often see organizations using the cloud that's maintained by someone else, while remaining seated in the back seat and not taking control over their own infrastructure.
To combat common cloud security vulnerabilities, there are several ways in which organizations can be prepared. Here are some of the most notable:
- Limit access to the cloud using the Zero-Trust model
- Audit access logs to identify exposed data
- Disable protocols that use weak authentication
- Use 2FA and MFA
- Encrypt data in rest and in transit
- Apply malware protection to IaaS environments
7. Patch management
Who remembers WannaCry? The WannaCry ransomware was literally a global cyber pandemic that took place in May 2017 and spread by exploiting a critical vulnerability in the Windows OS known as Eternal Blue. Interestingly, a patch for EternalBlue had been released by Microsoft in March of that same year. And frighteningly, it still managed to infect 230,000 computers, showing us a devastating lack of patch management, the results of which are still evident three years later.
While zero-day exploits are a scary reality, we should never forget that attackers will try to exploit CVEs, known vulnerabilities in popular software, and rely on the fact that many forget or simply ignore the importance of applying available patches for them. The most straight-to-the-point solution to this is having a patch management plan in place, as well as a patching schedule to make sure all network software is up-to-date on patches and versions.
This might all seem a logical step in ensuring good security posture, but organizations often turn to patch management only after their system has been compromised. One need only look toward WannaCry, and Petya which occurred a few months later, to find incidents that support this.
It's true that updating software can be a pain. It can cause operation disruption, can force other parts of the system to break, and can result in a slowing down of service. Additionally, some software might no longer be supported, with no patches issued by developers. But when we consider the devastating disruption a data breach can cause, updating software is the more practical option.
In the case of unsupported software, it's easier in the long run to replace it with a newer one, despite it not being ideal. Patching vulnerable software goes beyond enterprise and SMB security; private users should also ensure that all of their software as well as their OS are up to date, and can even schedule these updates to be performed automatically with the release of each new version.
Some security risks are industry-specific, or even contained to a specific location, but there are many that threaten all organizations regardless of industry or size. The first step in the right direction toward creating a cybersecurity risk profile for your organization is actually knowing and understanding the risks that it can face on the daily, and tailoring the protection and mitigation strategies needed for maximum effectiveness.
Another security risk that is worth mentioning is the shadow infrastructure and the unseen assets organizations own. Using SurfaceBrowser™ you will be able to explore the public surface area of any company through a single interface and detect any exposed assets. Contact us to learn more.