Prioritize Now for Proactive Defense
As 2018 saw more massive data breaches, disruptive attacks, and business email compromise, we look ahead at how organizations should be prioritizing security initiatives to combat the current state of cyber security amidst an ever-evolving threat landscape.
Here are five cyber challenges we predict board rooms and security teams will be prioritizing this year.
1. Consumers will become increasingly desensitized to massive data breaches
From Facebook to Under Armour to Google+, massive data breaches plagued 2018, impacting more than 100M people. How is the public reacting? With nearly one breach per month, the general public seems resigned to the fact that insecurity is the price of a global cyber economy. Credit monitoring is a staple feature provided by financial institutions and retailers, and beyond that consumers feel increasingly helpless in the fight to protect PII in a digital world. What’s the implication in the workplace? Desensitized consumers make for desensitized employees. Do your employees see their role in your organization’s cyber defense program? Are they engaged and empowered to actively defend the enterprise?
Recommendation: Employee practices in the workplace continue to be critical components of a comprehensive cyber defense strategy. Training and awareness programs will be a growing trend within progressive organizations looking to proactively counter the cyber malaise caused by the commonplace status of data breach headlines in the news.
2. Business email compromise will continue to grow
According to the FBI, fraud perpetrated via business email compromise (BEC) soared from approximately $5B US in 2017 to $12.5B in 2018. We anticipate the trend will grow to over $20B in 2019. Although phishing is a component of most BEC schemes, social engineering is the predominant strategy for successful compromise. Attackers target employees with access to the purse strings and leverage C-level personas to influence transactions. All sectors of the economy continue to be impacted, with cases ranging from mortgage settlements to art auctions to corporate accounts payable departments.
Recommendation: Re-evaluate your processes and train employees in highly-targeted roles. Consider engaging a third party to help identify gaps and inform new measures, such as adding process checks any time a payment is being wired to a new or changed bank account.
3. Insider threat programs will grace boardroom agendas but ultimately fall off most priority lists
No stranger to priority forecasts, ‘insider risk’ is on our list this year. While many organizations are still deferring insider threat monitoring and prevention programs, the trusted insider poses enormous risk to an organization. Accordingly, a rise in insider threat programs is most certainly on the horizon. Leading companies will address the immense risks associated with insider threats in a way that fits their corporate culture and risk appetite. We predict the first movers will continue to be large and regulated organizations, with medium-sized organizations following over the next 2 – 5 years.
Recommendation: Develop an incremental approach and focus on the highest-risk roles first. Develop attack use-cases for critical assets and processes. If you haven’t done so already, first establish the program objectives and governance committee. Document roles and rank them based on risk. Evaluate your current capabilities to monitor and audit high-risk roles and alert on anomalous actions and behaviors. User behavior analytics (UBA) tools can help substantially in this regard, as can customized SIEM rules.
Insider threat programs aren’t built overnight. While there are some basic things companies can do to start addressing insider threat risks immediately, don’t be afraid to get help with assessing your unique business needs, and with designing and implementing a comprehensive insider threat program that fits your unique risk profile and corporate culture.
4. Legislators will likely act
Legislators continue to hold hearings after breaches. The US Government is unlikely to pass any significant cyber legislation at the federal level, leading more states to add their own cyber security and privacy laws. The resulting patchwork will continue to increase the cost of compliance and possibly the cost of breaches via fines and penalties, but will likely yield no appreciable improvement in overall security or decline in the number or impact of incidents.
Recommendation: Proactively engage state and federal representatives, ideally through industry associations, to minimize the burden and duplication of future regulations while improving the effectiveness and impact of any new laws. Additionally, companies should continue to evaluate the cost of breaches and the benefit of cyber insurance policies in the context of overall investment priorities.
5. Supply chain risks will introduce new threats
From compromised vendor credentials to design flaws and infected software patches, vendors continue to be the weak link in the corporate enterprise security chain. The globalized nature of today’s supply chains, coupled with multiple tiers of sub-suppliers, makes it nearly impossible to know for sure what hardware or software is included in products being deployed in your environment. Without a doubt, another major widespread vulnerability, à la Spectre / Meltdown, will be discovered in 2019 and it will impact the operations of major companies.
Recommendation: Most industries have common suppliers, which means they inherit common risks. To effectively and efficiently measure and mitigate vendor risks, companies will have to team up with their competitors and develop common requirements, contractual language, and acceptance criteria. Of course, consult with counsel to ensure your approach doesn’t cross into antitrust territory.
What's on your list of priorities this year?
Revolutionary Security works with cyber security stakeholders to develop and execute effective, proactive defense programs that address the cyber landscape of today and the advanced threats of tomorrow. Contact us to discuss your next cyber program.