Businesses are and increasingly will be, in the firing line of big cyber threats. Kaspersky Lab has announced the end of the Advanced Persistent Threat (APT) as we know it in 2016. Specifically, we believe that attackers will swap ‘Advanced’ and ‘Persistent’ malware for off-the-shelf code that allows them to maximise ROI and stealth techniques (such as ‘fileless’, in-memory only code) to avoid detection.
So no ends to attacks, which means that on no account can businesses become lax in their security. Take the string of large scale data breaches last year, such as TalkTalk and Ashley Madison. It’s clear that there will always be someone out there trying to get their hands on valuable business data.
With the introduction of new EU data legislation this year and the rise of the Internet of Things (IoT), businesses need to be prepared to make changes to cyber-security policies and become aware of the challenges they may face in 2016 and beyond. From being more transparent about data breaches to ensuring that all employees understand cyber-risks, businesses must do a lot more to ensure customer data is safe, and as with most things – prevention is better than cure.
The requirement to declare data breaches
Forthcoming changes to EU data legislation mean that businesses will have to put more stringent security measures in place and notify serious incidents to the relevant national authority. In other words, businesses will need to be completely transparent when a breach does occur. Better still, of course, if they prevent an attack, or at least prevent the theft of data.
The cost implications of this will vary from company to company depending on the measures already in place such as reporting, staffing and how well developed an organisation’s cyber-security strategy already is.
If businesses don’t comply, the financial penalties will be severe, possibly as much as three per cent of their global turnover, so there is a strong incentive to put security safeguards in place to prevent attacks and, if the worst happens, to report incidents. In the long run however, businesses could see these changes save them both time and money in 2016, as security precautions will help mitigate enormous cyber-security risks, including interruption of digital services and even physical damage to critical infrastructure.
The need for digital skills in business
There’s no doubt that people are becoming increasingly connected and cybercriminals more sophisticated. One of the biggest threats to a business’s online security is often human error. Cybercriminals try to find weak points in a corporation’s IT infrastructure and employ the tools necessary to launch an attack. As businesses often see protection against cyber-attacks as a “technical” issue, the human factor of corporate security is often ignored or overlooked. To ensure that this potential for a digital skills gap is resolved, it’s important that in 2016 a security awareness programme is implemented as part of every business’s security strategy.
Ultimately, protecting against corporate attacks comes down to having a security strategy which covers every angle. In terms of employee awareness, this means going further than just telling people what they should and should not do when it comes to using technology in the office or when working remotely, but demonstrating the various everyday scenarios, such as suspicious looking e-mails or passwords written on office sticky notes, that could put the company at risk. Underlying this, it means fostering a security mindset that staff will apply to any situation they may encounter. Employees should feel a sense of responsibility and ownership for their own and the company’s data.
To do this, businesses can use quizzes, cartoons, posters or competitions to help educate staff and reinforce the key message that actions they take could put both themselves and their employer at risk.
The use of the Internet of Things
One thing to keep in mind in 2016 is that although devices are getting smarter, it does not necessarily mean they are more secure. For example, if I work from home, on the same network as an insecure IoT device, there’s a danger that I become the weak link in the security chain of my employer, i.e. my work device is compromised via my home network and I bring the vulnerability into the work place.
Already, organisations have had to face a huge challenge with BYOD. In the early days, for example, devices were typically purchased on an ad hoc basis, rather than being part of an IT-managed process, so IT departments often had to retro-fit security and management of mobile devices.
However, having gone through the process of managing mobile devices, many businesses will be better placed for the year ahead to deal with the management of wearable technology within the workplace. It’s important that they review their business and security strategy in light of Wear Your Own Device (WYOD), rather than letting it creep into the company. They need to assess the benefits it might bring, determine the risks and put in place a strategy to manage it. Wherever devices are used, whatever the technology they’re based on, all mobile endpoints that can connect to your network need to be fully secured.
In order to provide this protection, IT managers need to put together mobile security policies that not only overcome complexity and protect against malware, but also allow for simple human error, loss and theft.
The growth of ransomware
Ransomware attacks have been extremely profitable for cybercriminals over the past few years and are still growing – we think they may even out-pace banking Trojans as a way for cybercriminals to make money. These days, the cryptography implemented by ransomware programs that encrypt the victim’s data is extremely secure, meaning there's little hope of recovering files through a brute-force attack on the encryption itself.
To avoid succumbing to a ransomware attack in 2016, companies should follow strict security policies which include Internet security protection, applying security updates as soon as they become available, user restrictions to prevent them running unknown applications and, perhaps most importantly, employee education. It’s also vital that individuals and businesses backup their data regularly, so that if they do fall victim to a ransomware infection, they don’t lose data. Backups should be made to offline storage, since the data on any storage device connected to the computer at the time of infection will also be encrypted.
Sabotage, extortion and shame
From an array of celebrity nudes to the Sony and Ashley Madison hacks and the HackingTeam dump, the last year has seen an undeniable increase in Doxing, public shaming, and extortion.
Hacktivists, criminals, and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists, and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cybersecurity to feign hacker prowess.
We can only expect this practice to increase exponentially, which is why companies that hold this confidential information should have a solid cyber-security strategy in place to guard against these risks.
It became clear in 2015 that any kind of organisation has valuable data or information and so is vulnerable to cyber-attack – be that small, medium or even very large corporations. To prepare for this year’s inevitable cyber-threats, businesses need to create and deploy a complete security strategy.
This will include everything from assessing the possible dangers to the prevention of ongoing threats, all supported by effective detection and an efficient response. By doing so, they give themselves the best possibility of deploying the greatest defense against future attacks.
David Emm, principal security researcher Kaspersky Lab
Image Credit: Shutterstock / LeoWolfert