A study conducted by the Ponemon Institute found that in 2018 the average cost of a data breach globally was $3.86 million. IT Governance UK reports that 39 million records were leaked by June this year, a decrease from 2018, perhaps due to the introduction of the European Union’s GDPR (General Data Protection Regulation). For small and medium-sized companies, a breach, an attack, or a data leak can be devastating.
Gartner forecasts that worldwide spending on information security will increase 12.4 per cent over last year’s figures, reaching $124 billion. Gartner also estimates that next year all large enterprises will be asked to report to their board of directors on cybersecurity.
It’s clear that $124 billion is a heavy price for the world to pay for the luxury of connectivity and interconnectivity. As soon as a device (computer, smartphone, TV set, car) is connected to the internet, it is prone to attack. Is this something that the world needs to simply accept? Is there anything we can do about it? Former Cisco CEO John Chambers famously said that “there are only two types of organisations: those that have been hacked and those that don’t know it yet!”
Experts across the industry agree that the best way to guard against cyberattacks is to prevent them. There are many types of attacks, but three consistently remain at the top of the cyberattack playbook. These are:
- Social Engineering
- Malware & Ransomware
- Targeted Attacks
Social Engineering
This attack exploits the frequent ‘weakest link’ in the security chain – people. The attacker psychologically manipulates staff members into performing actions or divulging confidential information. These attacks take place over the phone, via email or even face to face. Social engineering is used to gain access to an organisation’s systems. The first step in protecting against these types of attacks is educating the people within the organisation, increasing awareness of these attacks and exposing their nefarious methods.
Malware and Ransomware
Malware is a piece of software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system; such software is typically referred to as a virus. Malware likes to make its way inside an organisation via email attachments and downloads from shady websites. It is essential to protect against this type of threat with a good antivirus program and staff awareness training.
Ransomware is another type of malicious software, designed to deny access to data until a ransom is paid. Most often, ransomware will encrypt the pictures or all the files on a computer and its attached storage devices and will release the decryption key only once the ransom is paid. This attack can be devastating to an individual or an organisation. Attackers usually use very strong encryption algorithms that cannot be broken. To add insult to injury, attackers often lose the keys, and paying them does not guarantee the problem will be solved.
Targeted Attacks
Government organisations, financial institutions, healthcare, the military, travel companies and political groups are the prime targets for attackers. Trend Micro explains that targeted attacks are a type of threat in which bad actors actively pursue and compromise a target entity’s infrastructure while maintaining anonymity. The attackers have a great level of expertise and sufficient resources to conduct their schemes over a prolonged period of time. Often they adapt, adjust and improve their attacks to counter their victim’s defences. In this case, the IT department, the CIO and the CISO must constantly be on guard and elevate the level of the organisation’s security.
IT staff negligence – demand vigilance
Attackers often exploit IT staff negligence and poor security measures. What good is an alarm system if the last person leaving the building does not switch it on? It has virtually no value. The same goes for the digital security systems of an organisation. Most software applications and network devices come with default settings that are weak and meant to be changed immediately after installation. The challenge is that organisations grow and so do their networks, applications, and number of devices. It becomes increasingly difficult to keep an eye on everything and make sure there are no security gaps. IT staff must change all the default settings, patch systems, and avoid giving employees more privileges or access credentials than they need. In this way, even if an account is compromised, the damage will be limited and contained.
How can security be improved and how can attacks be prevented? The first step is for management to treat security seriously and assign appropriate budget, training and resources to it. Furthermore, hire a security contractor to perform regular audits and drills and simulate attacks. In this way vulnerabilities will be discovered and resolved before a real attacker finds a weakness. Regularly educate your staff and enforce the security rules and measures in place.
Sebastian Bucur, Security and Software Consultant, DataArt