Cybercrime is on the rise. The number of data breaches in 2017 was staggering and things are likely to get worse. More than 5 million data records are lost or stolen every day, according to the Breach Level Index. Cybercrime is predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, according to Cybersecurity Ventures.
Although the threat landscape is vast and varied, the major threats that face most companies remain the same. Verizon’s 2017 Data Breach Investigations Report states that 88% of breaches last year fell into the same nine patterns it identified back in 2014. Every organization understands the importance of investing in cybersecurity defenses now, but few are taking the time to really assess where that money would be best spent.
Evaluate where the greatest risks lie and what can be done about them, and you can squeeze more value out of your cybersecurity budget. Let’s examine three areas where there’s ample opportunity for organizations to tighten their defenses.
Employee Error and Manipulation
When the Ponemon Institute surveyed 1,000 small and medium-sized business owners, it found that negligent employees or contractors had caused 54% of the data breaches they suffered. Without solid employee training to cut down on carelessness, and strict access controls to limit what a malicious insider can reach, the danger of a data breach remains high. Another recent Ponemon survey of 612 CISOs found that 70% rank the “lack of competent in-house staff” as their top concern for 2018.
Phishing is a huge threat. More than 90% of breaches are attributed to successful phishing campaigns, according to PhishMe. Verizon reports that 66% of malware installed last year arrived via malicious email attachments, and that 81% of hacking-related breaches leveraged a weak or stolen password. Social media is also fertile ground for cybercriminals, who pose as fellow employees to trick users into handing over credentials.
Filters that weed out phishing emails and malicious websites are important, but they are not enough. Organizations must set policies, educate staff and enforce good security hygiene. Use the security controls already available to you, above all multi-factor authentication, which makes a phished or reused password worthless on its own; train employees and test them with simulated phishing; and implement automated checks so that your security posture stays robust instead of drifting once the training session is over.
Hacking as a Service
The growth of hacking as a service (HaaS) is a real concern for cybersecurity professionals everywhere. Simple scripts, tools and software packages, complete with customer support, can be bought off the shelf on underground markets for very little. An attacker no longer needs much experience or skill to launch an attack on your company.
It may be prudent to research what is on offer on the dark web yourself. A full 75% of disclosed vulnerabilities appear online before they are listed in the National Vulnerability Database (NVD), according to Recorded Future, with a median gap of seven days. It is a race against the cybercriminals, so why give them a head start?
Scan the deep web and popular hacker sites for mentions of your company, so that leaked credentials or data surface while you can still act on them. Keeping up to date with the latest HaaS offerings also tells you what capabilities a low-skill attacker can simply buy, which helps you prioritize your defenses. It is always good to know what you are up against.
Gap Between Development and Security Testing
As more companies pursue a multi-cloud or hybrid cloud strategy, and the pressure to push code out rapidly or even continuously grows, there is a real need for a solid SecOps regime. The DevOps movement broke down the silos between development and operations to streamline delivery and boost quality; now it is time to stir security into that mix, the practice usually called DevSecOps.
Modern development methodologies preach shifting testing left, because bugs are easier, faster and cheaper to fix the earlier in the process they are found. The same logic applies to security: retrofitting security onto a finished application is far more difficult, expensive and time-consuming than designing it in from the beginning.
Building automated security checks into your development pipeline, in the same way you build in unit tests, functional tests or integration tests, is the most dependable way to establish and maintain a security baseline. The checks must be allowed to fail the build; a scanner whose output nobody reads is just another log.
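To make the idea concrete, here is an added example (not code from the article, and not Cavirin's product) of what "security checks that run like unit tests" looks like in practice: a small pattern-based scanner with a build gate, plus two pytest-style tests that would sit next to the project's ordinary tests. The two source trees it scans are constructed for the example, one with three classic defects and one with the corresponding fixes; the check patterns are deliberately narrow illustrations, and the AWS secret is the placeholder value from the AWS documentation. A real pipeline would run mature tools (SAST, secret scanning, dependency audit) in the same slot, but the shape is the same: checks produce findings, and findings at or above a threshold fail the build.

```python
"""Pipeline security checks that run like unit tests (added example)."""
import re

# Constructed sample inputs, not real project code.  The AWS secret is the
# placeholder from the AWS documentation, not a live credential.
VULNERABLE_SOURCE = {
    "app/db.py": (
        "import sqlite3\n"
        "def find(conn, name):\n"
        "    return conn.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
    ),
    "app/settings.py": (
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = True\n"
    ),
    "app/util.py": (
        "import subprocess\n"
        "def run(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"
    ),
}
# The same three files after the fixes: parameterized query, secret read
# from the environment, argv list without a shell.
CLEAN_SOURCE = {
    "app/db.py": (
        "import sqlite3\n"
        "def find(conn, name):\n"
        '    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))\n'
    ),
    "app/settings.py": (
        "import os\n"
        'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
        "DEBUG = False\n"
    ),
    "app/util.py": (
        "import subprocess\n"
        "def run(argv):\n"
        "    return subprocess.run(argv, shell=False, check=True)\n"
    ),
}

# (check id, severity, compiled pattern, message).  Illustrative rules only;
# a production scanner has far more, and parses code instead of regexing it.
CHECKS = [
    ("hardcoded-aws-secret", "high",
     re.compile(r"""(?i)aws_secret_access_key\s*=\s*["'][A-Za-z0-9/+=]{40}["']"""),
     "AWS secret access key committed to source"),
    ("sql-string-concat", "high",
     re.compile(r"""execute\(\s*(?:"[^"]*"|'[^']*')\s*\+"""),
     "SQL statement built by string concatenation (injection risk)"),
    ("subprocess-shell-true", "medium",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "subprocess call with shell=True (command injection risk)"),
    ("debug-enabled", "low",
     re.compile(r"^\s*DEBUG\s*=\s*True\b", re.MULTILINE),
     "DEBUG left enabled in settings"),
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def scan_files(files):
    """Run every check over every file; return findings as dicts, sorted by path."""
    findings = []
    for path in sorted(files):
        text = files[path]
        for check_id, severity, pattern, message in CHECKS:
            for match in pattern.finditer(text):
                line = text.count("\n", 0, match.start()) + 1
                findings.append({"check": check_id, "severity": severity,
                                 "file": path, "line": line, "message": message})
    return findings


def gate(findings, fail_on="medium"):
    """Build gate: True (pass) only if no finding is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    return not any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


# These run under pytest exactly like the project's functional tests would,
# so a regression that reintroduces a defect fails the build, not a review.
def test_clean_tree_passes_gate():
    assert gate(scan_files(CLEAN_SOURCE))


def test_known_bad_tree_fails_gate():
    assert not gate(scan_files(VULNERABLE_SOURCE))


if __name__ == "__main__":
    for f in scan_files(VULNERABLE_SOURCE):
        print(f"{f['severity']:<6} {f['file']}:{f['line']}  {f['check']}: {f['message']}")
```

Run it directly to see the four findings from the vulnerable tree, or under pytest to see the two tests pass. The point of `gate` is that the threshold is an explicit, reviewable decision: lowering `fail_on` to `"low"` would block the DEBUG flag as well, and the change shows up in version control like any other.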
Close that gap and start developing apps from a secure foundation. For industries dealing with compliance, it is also a smart way to ensure regulations are catered for, since every build leaves evidence that the required controls were checked.
The threat landscape is evolving all the time, so it’s crucial to continually assess where the main threats to your organization lie and act as early as possible to combat them.
About Dr. Rao Papolu
Dr. Rao Papolu is President and Chief Executive Officer of Cavirin Systems, Inc., a provider of continuous security assessment and remediation for hybrid clouds, containers and data centers. Rao is on the Board of Directors of SRA, Inc., a publicly-traded company, and an Advisory Board Member to Solix Technologies. He received his Doctorate degree from Indian Institute of Technology (IIT), Madras. He has published 25 technical papers in various international journals and was a visiting scientist at the University of Michigan (Ann Arbor) and the Institute of Space and Astronautical Science, Japan.