How companies can fight against cyber threats

YARMOUTH, Maine—As 2019 closes, 2020 is full of new possibilities and opportunities. While it's a time for growth, change and newness, cyber criminals are lurking in the background ready to strike. The threats that these criminals have planned for the new year have already been months in the making and are far from cookie cutter. Therefore, companies must be alert and ready.

“Defending a company against them [cyber threats and crimes] requires a broad approach,” Christian Nascimento, vice president, Product & Premise Services, Comcast and member of Security Industry Association's (SIA) Cybersecurity Advisory Board, explained to Security Systems News (SNN). “A business needs to ensure that they are thinking about cybersecurity as a fundamental component of their infrastructure.”

Top threats

With cybersecurity at the forefront of business operations, there are distinct cyber threats that businesses need to be aware of and educated about to properly identify and defend against.

“Phishing and ransomware will never go away,” Min Kyriannis, head, Technology Business Development, Jaros, Baum & Bolles, and member of SIA's Cybersecurity Advisory Board, said. This is probably because, as Tiffany Pressler, senior manager, HID Global and SIA's Cybersecurity Advisory Board member, identified, “they [phishing and ransomware] are easy and effective, and pay criminals in spades.” Expect these types of threats to continue to evolve, as both are beginning to use artificial intelligence (AI).

“AI makes the threats more insidious and craftier,” Pressler explained. “For example, we've seen how AI has been used to mimic a CEO's voice. The power of AI combined with bad intentions is frightening because of the dynamic capability to become the virtual doppelganger of any targeted individual — copying language and mannerisms, along with contextual information gained from internal reconnaissance that often go hand-in-hand with these sophisticated attacks.”

Another threat to be on alert for is “attacks on mobile devices, now that more vulnerabilities are being uncovered,” Kyriannis said.

While cell phone manufacturers, operating system developers and providers are doing all they can to harden devices, Pressler said that the reality is, mobile devices are a sieve of information. She identified Simjacker as an example. “This major vulnerability, identified in summer of 2019, allows virtually any cell phone in the world to be tracked and spied upon completely unbeknownst to the victim,” she said, adding that this vulnerability exists due to legacy technology embedded in the SIM card of each device.

Stemming from mobile attacks is the concern of IoT devices — from refrigerators and fish tanks to critical devices, like pacemakers and infusion pumps. “Many [IoT devices] have very rudimentary security protections, often relying on password management as their sole protection,” Pressler said, noting that if shows such as Mr. Robot or reading common daily headlines of hacker sophistication haven't proven that passwords alone are not sufficient, then prepare for your IoT device to become an easy target in 2020.

Also, in discussion for quite some time are attacks on critical infrastructure as well as attacks directed towards cloud services, Kyriannis said.

Meant as a warning, these identified cyberthreats should not cause panic or a scared mentality, but rather, encourage proper action to be taken. “Become aware, not paranoid (although a little paranoia never hurt anyone in cybersecurity),” Pressler candidly said.

The first course of action is education; it's impossible to take action if it's unknown what to take action against. “We need to make cybersecurity awareness as ubiquitous as 'Stop, Drop and Roll' or “Stranger Danger,” said Pressler. “Take time to understand the problem and how unintentional behaviors may be enabling it.”

Setting the stage to fight against cyber threats

Companies need to realize they have many systems that are not accounted for. “The best thing for an organization to do is conduct a due diligence of all the systems they have within the business and develop and prioritize systems that would need to be serviced, maintained and remedied of any vulnerabilities,” Kyriannis advised.

Once due diligence is conducted, under the notion that every company is a unique institution with different APIs connecting to each other, “companies need to assess how much risk they're willing to take,” Pressler added. “Companies diligent in understanding what systems and services they have in place with good security policies and procedures are in a better place than companies that are not.”

“This practice not only allows businesses to assess their inventory of smart devices, but it also shows where the gaps are located and gives a tool to remediate,” said Kyriannis.

With systems and gaps identified, a gap analysis of all systems and all devices that access the network should be done. “This study should also include a physical security assessment to understand if there are any vulnerable areas where anyone can just walk in and inadvertently compromise the company,” Kyriannis said.

At this point, companies can hire an objective third party to do a supplemental assessment, especially if system and gap identification was done in-house. Again, being extremely candid, “IT people are notoriously arrogant; I can tell you because I am one of them!” Pressler said. Take a step back a realize that “even the U.S. government, with its deep pockets and unlimited resources has been hacked! This is not about pride, but about risk reduction. We [companies] have to be open to letting someone else expose our secrets so the bad guys don't!”

Due diligence and third-party feedback, should a company choose to take part, will “allow a company to gauge where they are and begin planning on things that they need to do to protect and create security layers,” said Kyriannis.

It is also extremely critical and crucial to create a plan to address the weakest link in a security system. Pressler identified people as the most common failure point.

“We all get distracted, tired, lazy or stressed, or maybe we just want to be helpful,” she explained, “but these traits are what cybercriminals manipulate to trick people into breaking policies.”

Companies should motivate employees to take an active part in cybersecurity. Human resource departments devote extraordinary time and resources to the management of people, Pressler pointed out, so companies should leverage those skills and processes to work in their favor when it comes to cybersecurity. Pressler offered some suggestions:

• Gamify cybersecurity. Create a game to educate staff about policies or encourage behaviors that support such policies. Making the game a fun, interactive, group effort and experience will more likely produce longer-term success and compliance.
• Reward employees who point out vulnerabilities before the bad guys have a chance to discover them. Create an internal “bug bounty” program, giving employees incentives to be an active participant in reducing risk and hardening company assets.
• Educate employees on how to stay secure away from the office, especially while traveling on company business.

“Whether it is software to prevent malware attack or making sure that hardware and IoT devices (e.g., cameras) are security and not vulnerable to hacking or cyberattack, cybersecurity needs to be top of mind for all,” Nascimento concluded.