Cybercrime is on the rise, enabled by the ever-expanding application portfolio of enterprises everywhere and the comparatively limited expansion of their IT security teams. Many firms still lack adequate security measures or employee security training and remain unaware of the vulnerabilities these malevolent parties can use against them. As a result, it's becoming more and more common to hear about enterprises being victimized by financially motivated attacks that cause both fiscal and reputational damage.
A recent study published by the Ponemon Institute shows a significant increase in companies' average cost per compromised record and average cost of handling an incident. Unfortunately, almost every company still considers security to be a cost that must be limited. Many small and medium-sized organizations lack comprehensive security strategies, which makes the cleanup costs of incidents massively expensive. And it doesn't matter if your firm is in retail, healthcare or even defense — without a comprehensive security strategy, you're unsafe. Here's a closer look at the recent influx of data breaches and what you can do to protect your firm from falling victim to them.
Cybercrimes are committed through a multitude of methods. Some cybercriminals exploit known vulnerabilities in popular applications or in Microsoft, Adobe or Oracle software; others rely on the availability of crimeware kits, which facilitate their work. In these cases, attacks succeed because the targeted organizations lack efficient patch management systems, meaning that they run outdated (and often flawed) software. Other times, hackers make use of zero-day exploits, taking advantage of new or previously unknown application flaws to gain access to critical systems. This is usually the case for long-term cyberespionage operations.
Web attacks are another popular form of cybercrime. These attacks occur when hackers exploit vulnerabilities in popular applications or use stolen credentials to impersonate users who have access to the targeted platforms. According to research from the Infosec Institute, the trade and utilities industries have suffered the greatest number of web attacks. The same research shows that web attacks against content management systems such as Joomla!, WordPress and Drupal have been used in distributed denial-of-service (DDoS) campaigns.
You probably recall the names of retailers who have been breached in the not-so-distant past. These firms were victims of third-party security breaches, and they're not the only ones. The retail industry is especially hot for hackers, for reasons that include high volumes of sensitive customer data and firms' inabilities to totally govern vendor security. But more and more, data breaches are popping up like chicken pox on the reputations of firms in other industries.
Take healthcare, for instance, where medical records and the systems that manage them are privileged targets for cybercriminals. Earlier this year, the US hospital group Community Health Systems was a victim of Heartbleed — a flaw whose exploitation resulted in the compromise of approximately 4.5 million patients' data. Cybercrime in the healthcare industry can dramatically impact patients because of the sensitive nature of the data disclosed.
Not even the defense industry is safe: in September 2014, a report published by the Senate Armed Services Committee (SASC) revealed that a group of Chinese hackers compromised the systems of several defense contractors working for the US Transportation Command (TRANSCOM). According to the analysis, more than 20 of the TRANSCOM data breaches exposed highly confidential data. According to SASC chairman Senator Carl Levin, "The security of our military operations is what's at stake."
What can be done? Security experts recommend that all firms improve security awareness training among employees in order to catch a breach in its early stages, update their authentication processes, and enable automatic updates for any application or software used to enforce security policies and monitor suspicious activity.
For third-party security specifically, firms should insert security requirements into their contracts with third parties so that security is at the forefront with partners and suppliers. If the third party is supplying software, that software should be tested in order to confirm that it meets the company's security policy. Finally, access given to third parties and employees should be commensurate with the needs of their role: the social media specialist does not need admin credentials to the Enterprise Resource Management system.