The PwC Global Economic Crime Survey 2016 sent severe ripples through the business world and made one thing obvious: cybercrime is a show stopper. The study showed that cybercrime has affected as much as 32 percent of enterprises and is the second most-often reported economic crime. Attacks delivered via the Internet are no longer the stuff of futuristic conspiracy theories and sci-fi; they are real, and they have already caused billions of dollars’ worth of damage to thousands of companies. Are you ready to combat these cybersecurity risks?
In 2017, two major ransomware attacks (WannaCry and Petya) shook the global economic engine, rattling vital financial machinery, grounding airlines, delaying medical procedures, and siphoning funds from corporate accounts. Two forces have worked in tandem to leave the global business community in a highly vulnerable position where cybersecurity is concerned:
- Cybercriminals are getting better, growing in number, being financed by malicious backers, and maturing in their nefarious technical exploits.
- Enterprises are hampered by a lack of education on the state of cybersecurity risks, and many vendors are unable to educate businesses on the security suites they need, focusing instead on creating marketing hype and raking in multimillion-dollar security contracts.
If you’re an IT decision maker, or even somebody who works on an enterprise IT team, it’s not a choice: you have to be well-versed in the most critical cybersecurity risks that the modern enterprise faces. Here’s a quick course.
Failure to get the basics of cybersecurity right
The 2016 NTT Group Global Threat Intelligence Report revealed shocking statistics.
- Out of all external cybersecurity vulnerabilities identified, the top 10 accounted for nearly 52 percent of cases.
- Out of all internal cybersecurity vulnerabilities identified, the top 10 accounted for nearly 78 percent of cases.
Now, these statements don’t make for a horror story, but their implications are enough to inspire surprise, if not shock.
They mean that cybercriminals need to target fewer than a dozen external and internal vulnerabilities to realize their nefarious designs. They also imply that organizations can weed out a major percentage of their cybersecurity risk just by plugging the top 10 internal and external vulnerabilities. On the whole, the report captures how enterprises lack even a basic defense framework for fighting cybercriminals. The weak cybersecurity practices of these enterprises make them a ticking time bomb that attackers can detonate whenever they choose. Practices such as relying on operating system firewalls and a single antivirus program are simply not enough anymore. The report also revealed that timely patching of applications alone could have reduced internal vulnerabilities by as much as 78 percent in most enterprises. Are you listening, Equifax?
Failure to understand corporate cybersecurity risks
Enterprises have a poor understanding of their vulnerability to cyberattacks, the potential for downtime and data theft, and the sophistication of cybercriminals. This lack of knowledge was a burning topic of discussion at the 2015 World Economic Forum and is likely to remain one for the next few years. Enterprises need to recognize that cyberattacks extend well beyond technology and involve sociological and psychological aspects. Phishing, social engineering, brand tarnishing, and impersonation have already cost organizations that took only a technological view of the need for cybersecurity. Apart from these, the most critical external threat vectors are distributed denial of service attacks, infrastructure attacks, and domain-based threats.
Lack of security policies
In most enterprises the security policy is either missing entirely or long forgotten and rarely updated. Just as enterprises depend on external expertise for legal, financial, and technical issues, it’s high time they acknowledged the need to seek expert help in meeting cybersecurity risks. A security policy is a great step forward and a means to mobilize the entire enterprise workforce toward the shared goal of keeping digital assets secure. Security policies that help with cybersecurity risk identification pave the way for cybersecurity governance, help keep the company’s information and networks secure, and provide guidelines for handling data risks when dealing with vendors and third parties.
Abuse of privileges by internal resources
We briefly mentioned nontechnological cybersecurity risks earlier. Unfortunately, an enterprise’s network is only as secure as its weakest employee (weak in terms of cybersecurity awareness). The Verizon 2016 Data Breach Investigations Report highlighted several cases of insider privilege misuse, with issues such as access to illicit content, email misuse, installation of unsecured and unlicensed software, mishandling of data, Internet misuse, knowledge abuse, and privileged access abuse. These are cybersecurity risks that many organizations are not aware of. In fact, a strong security policy (discussed earlier) must also incorporate guidelines on internal information handling.
BYOD: Bring your own device (or doom)?
Before anything, here are some stats published in the BYOD & Mobile Security 2016 study.
- BYOD imposes heavy burdens on enterprise IT (35 percent) and helpdesk (27 percent).
- 37 percent of the surveyed organizations had no plans to increase IT security budgets to handle BYOD better.
- Risks such as data loss, malware, download of illicit content, and unauthorized access to systems were acknowledged by a significant percentage of the surveyed enterprises.
Of course, organizations can’t simply give up the advantages of BYOD, but they also need to adopt state-of-the-art security measures to go with it. VPNs, multifactor authentication, training around remote usage, and the like are a good starting point.
Lack of cybersecurity sensitization and training
The pace at which the complexity of cyberattacks is growing calls for an equivalent pace and dynamism in the way enterprises deliver security readiness training to employees. In 2016, a PwC report highlighted how phishing was the No. 1 vector of cyberattacks that year. Coupled with social engineering, the risks of phishing become huge. This is just one example of why enterprises need to invest resources in keeping employees in sync with what’s expected of them in terms of cybersecurity best practices.
Bolster your defenses
It’s time to acknowledge the massive threats that cyberattacks pose for any enterprise, followed by a realization of the most critical cybersecurity risks. Use the practices suggested in this guide to bolster the defenses of your enterprise.