As the plague of cybersecurity attacks continue to grow in scale and complexity, experts such as Donald Toon from the UK’s National Crime Agency, warn that it’s no longer a matter of if, but when, the next significant cybersecurity attack will happen. Thus, he concludes, businesses need to start building their resilience now, if they want to avoid and mitigate the serious financial and reputational consequences it can bring.
We’ve taken a look at the cyber activities over the past 12 months that have impacted businesses worldwide and concluded a few possible reasons why this is the time business like yours need to take extra care.
Cyber activities that have impacted business
Table of Contents
Oil prices might be diving, but there is a new oil – data. Big data is huge in terms of volume and in terms of financial possibilities it can provide to a business. The enormous scale of the consequence of the 2013 Yahoo data breach, followed by the 2016 Uber breach and the 2017 Equifax data violation, only demonstrates that data is indeed a valuable target for cyber adversaries.
No wonder, predictions are that hackers familiar with both its market value and importance for businesses are likely to continue to target companies that gather, store and process data, be it proprietary or customers’ information.
However, the Information Security Forum, in their 2018 Global Security Threat Outlook, also points to other possible reasons why we might see a hike in these very particular types of cybercrime activities. With the new legislative changes such as GDPR (which privacy standards are being exported worldwide), companies would have to pay enormous fines if they failed to protect their customers from data breaches.
The administrative fines for GDPR infringement are ranging from 4% of the global turnover to €20,000,000. If hackers were able to prove a company had not implemented all the security measures needed to avoid a cyber attack by conducting one, in a realistic scenario, it would not only bring the business continuity to a halt but also effectively erase the company from the business map with fines it will have to pay to continue to operate.
Crime – as – a Service
Based on the available information of white-hat-hackers’ earnings, people employed legally to find system vulnerabilities can assume that criminals and states who are engaging in cyber wars must approach white hat hackers with even better compensation to drag them into the dark side. The money incentive has a powerful effect on expanding the virtual criminal underground that welcomes “individual criminal entrepreneurs” who are advancing their tools and malicious wares to sell them as services on the dark web. It is predicted that this type of criminal activity will expand to new markets and eventually commoditize activities globally in a not so distant future.
Weak supply chain management
2017 was not only the year of ransomware but also a year of some significant examples of supply chain attacks. Last year was especially difficult for managed service providers (MSPs) that remotely manage customers ‘ IT infrastructure, which registered a large number of security incidents causing disclosure of commercially sensitive information about them and their clients.
Two software companies – MeDoc and CCleaner had their products compromised, which resulted in their customers’ infrastructure being infected with malware upon downloading the software/ updates. The attacks expose the perils of outsourcing various elements of a business’s infrastructure to MSPs, having links to thousands of customers worldwide, are an attractive target for the hackers. The examples of the 2017 supply chain attacks revealed that malicious actors orchestrate supply chain attacks to use them as a stepping stone to the intended end target. Thus it is vital for businesses who rely on third-parties to work whenever it is possible only with companies that either can provide NCSC certificates or can demonstrate their strong security posture.
The increase of the Internet of Things (IoT) devices
As communication channels are growing in numbers, so is the ubiquity of the IoT devices that can provide them. Although the market seems to be in favor of tech gadgets, it is also true that because of the fast-paced mode of manufacturing of these devices, many are sold to customers with inbuilt vulnerabilities that could be the source of potential security risks if connected to the network in your company. With many unsecured devices, their vulnerabilities will likely remain the target of hackers, who can exploit them without the user’s knowledge, to conduct cybersecurity attacks with long term negative consequences for the business, such as DDoS.