Key Things to Know From HPE's 2016 Cyber Risk Report
The reality is that every business – big or small – should prepare for a cyber attack. It’s not a matter of if attackers will strike, but when.
If you think you’re immune, you had better think again. Companies like Ashley Madison, Target, Anthem, Sony, Experian and Scottrade, and even government agencies like the CIA, IRS and FBI, have been victims of cyber attacks. If they can be bested, so can you.
So, how can you prepare for such an attack and defend your data – data that you assume is already secure?
You can do that by looking at past attacks, at how attackers are evolving, and at what new measures they might use in the future.
What Does HPE’s Cyber Risk Report Tell Us?
According to the report, 2015 was the Year of Collateral Damage. Attackers are no longer interested only in credit card or payment information; they are also after sensitive personal data that could “change someone’s life forever.”
Here are four key points from the security report that you should definitely know.
In a Cyber Attack, Collateral Damage Happens
Many of those affected by an attack may have no involvement with the company that was targeted. The Ashley Madison breach affected the lives of many people, including those whose information was stored on the company’s internal network only because of someone else’s account. People who had never dealt with the company or its database directly were still exposed. The implications of this are far-reaching.
The number of people affected by a cyber attack can grow far beyond the direct victims, especially when it comes to large agencies like the IRS that hold a great deal of personal data.
Security Patches Don’t Always Solve the Problem
Another big reveal of the report is that the industry as a whole did not learn much about patching security vulnerabilities. On average, patching known issues took too long, and even when updates were rolled out there was never a guarantee that they would secure things for good.
For instance, the report states that “29 percent of all exploit samples discovered in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.”
Even after these vulnerabilities had been patched and were supposedly taken care of, attackers still found systems on which the old exploit worked. On top of the compromised data, think of all the time and money spent on those security patches that never reached the affected systems.
One of the first things you learn when you get certified in information security is that performing regular ISO 27001 security audits can help you limit the possibility of a wide-scale breach. In addition, adhering to the ISO 27001 security standard helps you demonstrate due diligence and reduces your exposure to legal fines or criminal prosecution after a breach.
Companies need to be doing this, and they need to ensure they are complying with related laws and regulations. The consequences of not doing so are far-reaching and could do far more financial damage than the breach itself.
Political Pressures and Overreaching Regulations Are Complicating Things
Lawmakers often pass legislation in the wake of difficult or violent events under the guise that it will solve all our problems. Unfortunately, even well-intended laws have unforeseen and nasty consequences.
Recent laws have set aside the fundamental rights of privacy and due process in the name of security. This has led to a decrease in cybersecurity innovation and an increase in vulnerable systems. Government agencies have even requested backdoor access to encrypted systems, as we saw with Apple and the San Bernardino terrorism case.
Backdoors such as the one the government requested from Apple are a huge security risk that could be detrimental to the system and the company in question. There is no way to guarantee that such access will not fall into the wrong hands, and if it did, unscrupulous individuals would have full access to data that would otherwise remain secure.
All of this is before we even factor in how government agencies and officials themselves would use these backdoors, which could also be harmful.
Hackers Have Shifted Focus to Mobile
Thanks to mobile devices, we remain connected to the world at large, and to the Internet, at all times. This is great in terms of convenience, but not so great when it comes to security.
The perimeter of a network is much larger now, in part because of the mobile devices we carry in our pockets. Many companies and brands offer mobile applications that connect back into the corporate network. Attackers have realized that these apps are a weak point and have shifted their focus to breaching the applications directly rather than attacking the better-defended network.
Recent attacks have shown that this shift provides one of the easiest ways to reach sensitive data, including data stored on an enterprise network.
Therefore, security teams must weigh convenience against interconnectivity, which in practice means locking down these alternate access points as much as possible.
Security Basics 101
A lot of this could be addressed by following basic security measures. For instance, network breaches through mobile apps would be far less likely if these channels were properly secured.
Furthermore, there are ways to bolster security even when you are using SaaS tools that store most of their data in the cloud.
So, even though this security report paints a grim picture for the future of the industry, there is a lot to be learned from it. By studying these points in greater detail, you should be able to prepare your network for future attacks.
Edited by Peter Bernstein