Have a fear of rising house prices? How about spiders? Or maybe you suffer from astraphobia, the fear of thunder and lightning? These are common concerns which keep the everyday Australian up at night. That’s unless you’re a Chief Information Security Officer (CISO).
According to a recent report by the Ponemon Institute on behalf of Tenable, respondents believe that third-party security risks, attacks involving Internet of Things (IoT) assets and business disruption caused by malware are the three most worrisome security incidents plaguing CISOs and security professionals in 2019. The same body of research revealed that 60 per cent of organisations represented in this study have suffered two or more business-disrupting cyber events in the last 24 months alone. More than 2,400 IT and IT security practitioners in the US, UK, Germany, Australia, Mexico and Japan were surveyed.
The use of third parties is nothing new — companies have worked with the likes of suppliers, outsourcers and agents for years. What has changed, however, is the frequency and scale of third-party use and how organisations are managing third parties to address the inherent risks. It’s not surprising that third parties’ sharing or misuse of information was the highest-rated cybersecurity concern for 64 per cent of respondents, according to the report from Ponemon and Tenable. Reducing third-party risk is also the top governance priority for 2019.
How can businesses mitigate this risk? Focus on ensuring that third parties have appropriate security practices in place to protect sensitive and confidential data. With initiatives such as Open Banking set to be rolled out, which is dependent on securely connecting personal financial data to third-party providers, the security practices of these third parties will be a key factor in determining its widespread adoption. In today’s climate, consumers aren’t as forgiving as they once were.
IoT is the new Wild West
Security (or lack thereof) of IoT devices is on the mind of the majority of security professionals, with 56 per cent of respondents surveyed by Ponemon and Tenable worried about it in 2019. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organisations. Unfortunately, most IoT vendors are neglecting their responsibility to provide secure products by forcing end users to be the system administrators of their own cameras, smart lights and fridges. Last year, the Tenable Research team discovered a major software flaw, dubbed Peekaboo, which gives cyber criminals control of certain video surveillance cameras, allowing them to secretly monitor, tamper with and even disable feeds. Even worse, once they’ve hacked the camera, they can access the camera feeds of any other device it’s connected to.
Similar flaws will continue to be exploited while average users remain unaware of the risks they're introducing into their homes and businesses every day. Because many IoT devices are not secure by design, they are left vulnerable to easy and active exploitation, with the onus on users to patch. The consequences of lax security practices will extend beyond compromised data. Some of our most private moments will end up in the hands of cybercriminals.
Although the first reports of malware date back to 1971 with the “Creeper” virus, which displayed a message of “I’M THE CREEPER: CATCH ME IF YOU CAN!” on infected machines, it’s still giving security teams restless nights. Almost half a century has passed since “Creeper,” yet 54 per cent of respondents surveyed by Ponemon singled out a disruption to business processes caused by malware as the most worrisome incident this year. Malware remains a constant threat among organisations. Developers of malware and other malicious code are creating new methods of exploiting systems on a daily basis. Even with anti-virus systems in place, advanced malware can still bypass these solutions and propagate throughout a network. The proliferation of malware presents elevated cyber risk to all organisations. Knowing which areas of your business are secure or exposed allows for more effective measurement of your organisation’s cyber risk.
As businesses gear up to deal with a plethora of security incidents, they need to rely on Cyber Exposure, a discipline to accurately understand, represent and ultimately reduce cyber risk against the rapidly evolving modern attack surface. Doing so will allow security and IT teams to collaborate more effectively to identify and resolve issues, and will provide an objective way for the CISO and the business to measure cyber risk and use it for strategic decision making and planning.