The shift towards a work-from-home environment brings new and more complex cyber security challenges. The use of personal computers for business tasks and the loss of enterprise network controls are just two examples of how working remotely can increase security risk.
Many companies struggle every day to secure a remote workforce operating outside their standard security controls. Cybercriminals target remote employees to use their access as a backstage pass to the business’s most sensitive data and systems.
Endpoint security architecture can be broken down into three main elements: Prevention, Detection, and Remediation, where prevention should be considered the most strategically important defence element.
As advanced threats evolve and data center transformation forces enterprise teams to consolidate security, the need for faster, easier and more decisive threat prevention is essential. This is especially true in the remote working context, where we must rely on endpoint controls, and where detection and remediation become even more challenging.
Here is a list of the cyber security threats that can impact your business.
1 – Email Security
Modern large-scale migration of email to the cloud needs a strategic shift in how to secure this communication channel. Security and risk management leaders must adopt an approach of continuous adaptive risk and trust assessment to protect inboxes from exposure to increasingly sophisticated threats.
"By 2023, business compromise attacks will be persistent and evasive, leading to large losses due to financial fraud for enterprises, and breaches of client privacy for healthcare and government organizations." (Gartner, Fighting Phishing – 2020 Foresight, 2020)
Business Email Compromise (BEC)
BEC is an exploit in which an attacker gains access to a business email account and imitates the owner's identity in order to defraud the company and its customers or partners. This type of attack is known as "phishing" in Internet terminology.
Often an attacker will create an account with an email address almost identical to one on the corporate network, relying on the trust the victim places in that familiar address. In most cases, scammers target employees with access to company finances and attempt to trick them into making money transfers to what appear to be legitimate bank accounts, when in reality the money ends up in accounts owned by the criminals.
BEC emails are currently the top concern for most enterprises. These phishing emails operate without links and attachments, which are two common red flags of malicious messages. They also leverage the power structures within companies, using the names of key players, customers, and even board members to trick employees into doing things like transferring money or sharing security information.
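The two tricks described above, a sender domain that is almost identical to the real one and a trusted name or address shown only in the display name, can be screened for at the mail gateway before a message reaches the inbox. The following is an added example written for this article, not KBE's or Gartner's code; the trusted domain, the homoglyph swap table and the sample From: headers are assumptions constructed for the demo.

```python
"""Screen From: headers for lookalike domains and display-name spoofing.
Added example; trusted domain, swap table and sample headers are constructed."""
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: your own mail domains
# Character swaps commonly used in lookalike domains (assumption: starter set)
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain: str) -> str:
    """Fold case, punycode (xn--) labels, accents and homoglyphs to one form."""
    d = domain.lower()
    try:
        d = d.encode("ascii").decode("idna")  # 'xn--...' becomes its Unicode form
    except UnicodeError:
        pass  # already non-ASCII, or not valid punycode: keep as is
    d = "".join(c for c in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(c))  # strip accents
    for src, dst in SWAPS:
        d = d.replace(src, dst)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance; domains are short, so the O(len a * len b) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'display-name-spoof', 'lookalike' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return "trusted"
    if any("@" + t in name.lower() for t in trusted):
        return "display-name-spoof"  # trusted address shown only in the name
    norm = normalize(domain)
    if any(levenshtein(norm, normalize(t)) <= 1 for t in trusted):
        return "lookalike"  # distance 0 after folding, or one typo away
    return "external"

if __name__ == "__main__":  # constructed sample headers
    for hdr in ('"CFO" <cfo@example.com>', '"CFO" <cfo@examp1e.com>',
                '"cfo@example.com" <x@mail.test>', '"Vendor" <ap@partner.test>'):
        print(f"{hdr:36} -> {classify_sender(hdr)}")
```

A gateway rule would typically quarantine or banner messages classified as lookalike or display-name-spoof rather than block them outright, since legitimate partners occasionally register similar names.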
2 – Authentication
Passwords are an attractive target for attackers and are susceptible to a variety of attacks such as phishing, malware, social engineering, and credential stuffing. Research indicates that increasing password complexity can sometimes result in less security, because of the weakest link in the security chain — the human factor. Many people cannot remember long or complex passwords, so they tend to write them down.
“Passwordless” vs. Multi-Factor Authentication (MFA)
As companies gradually awaken to the security dangers of relying on easily stolen and shared passwords, alternative security systems have taken the spotlight.
Alternative authentication methods that do not involve passwords include hardware tokens and biometric sensing of a physical feature belonging to the user, such as a fingerprint or facial features.
While these methods all include a different approach to passwordless authentication, they have one thing in common: the user’s authentication data is never stored within the system, as a password would be. It is this crucial element that gives passwordless solutions their security advantage.
Passwords are one of three possible authentication factors. Authentication is generally accomplished by validating one or more of three types of factors: something you know (e.g., a password); something you have (e.g., a hardware token or smartphone); and something you are (e.g., a fingerprint). MFA employs two or more of these factor types.
In an MFA solution, a password may not be one of the factors used. MFA has rapidly gained adoption as a method for increasing the assurance of authentication for consumer and enterprise web and mobile applications.
MFA is certainly better than relying on a password for security, but eliminating passwords altogether would be even better. A password-plus-second-factor policy retains the inherent flaws of passwords; users are still required to memorize and safeguard secrets, so the security risk of password reuse still exists, and the costs of maintaining passwords also remain. In fact, according to researchers at Proofpoint, hackers can even use passwords to bypass the second authentication factor altogether.
3 – Social Engineering
Social engineering is the art of manipulating people so that they give up confidential information. The types of information criminals are seeking can vary. When individuals are targeted, the criminals are usually trying to trick them into revealing passwords or bank information, or into granting access to their computers so that malicious software can be secretly installed, giving the criminals complete control over the machine.
Security perceptions based on training and education
Because of social engineering, employees are often the biggest cybersecurity risk for a business. Of reported incidents, 95% of security breaches have been shown to be due to social engineering. The strongest firewall and the most sophisticated intrusion detection and prevention software will not stop an individual from disclosing sensitive data via social engineering.
Many employees will readily fall for phishing scams, will click on malicious links on websites, will download and run documents or software that turn out to contain malware, or will fall victim to business email compromise (BEC) scams. These threats can end up losing companies a lot of money or ruin reputations.
Educating employees on cyber risks is a key step, but this does require resources and the full participation of every employee. This may sometimes be difficult, as employees who have “always” done things a certain way may be reluctant to change. However, it is vital employees understand the risks that poor cyber-security practices present.
Creating a culture of awareness means constantly and consistently highlighting cyber-security within the workplace from day one. It’s not enough to run a one-off seminar on the importance of password protection.
An ongoing programme combines testing end users through automated attack simulations, providing quality security awareness training, and recording actionable reporting metrics.
4 – Data Security
Data security is not simply a technology issue. Effective data security may require a data security governance framework to provide a data-centric blueprint that identifies and classifies datasets across all enterprise computing assets and defines data security policies.
Implementing a Data Security Governance Framework
Security and risk management leaders should develop a data security governance framework that mitigates the risks caused by security threats, data residency, and privacy issues while recognizing the importance of data security as a business driver.
Once the business strategy and risk tolerance are assessed, a framework can be created as a guide to prioritize technology investments. The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance.
Value, risk and control constitute the core of IT governance. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.
KBE Information Security helps organizations adopt the Control Objectives for Information and related Technology (COBIT) framework to address this challenge. COBIT is a comprehensive set of resources containing all the information organizations need to adopt an IT governance and control framework. Implementation depends on several factors, including the size of the organization.
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. Each business goal is linked to one or more IT goals which, in turn, are linked to one or more IT processes. In this way, a full cascade is built which shows how IT processes enable the achievement of IT goals which, in turn, enable the achievement of business goals.
Management needs to ensure that an internal control system or framework is in place such that IT supports the business processes. All organizations need to plan how they use data so that it’s handled consistently throughout the business, to support business outcomes.
5 – Bring Your Own Device Culture
With the proliferation of modern technology and increasing adoption of workplace mobility practices, the change from company-provided devices to employees bringing their own devices is influencing the cyber-security policies of most organizations.
Risk of data leakage and exposure to vulnerabilities
Bring Your Own Device (BYOD) is an increasingly popular practice that many businesses are embracing. If employees bring their own devices to work, they can also use those same devices at home or when travelling.
This allows them to work from anywhere without having to rely on, and learn, multiple devices and platforms. It can also reduce hardware costs for businesses. However, allowing employees to bring their own devices to work presents its own problems.
Some businesses embrace BYOD without fully considering the security risks that it may present. Employees’ personal devices are unlikely to have the same level of security as corporate devices and may be significantly easier for hackers to compromise. Companies that allow BYOD should ensure they have a strict BYOD policy in place, and ensure all employees follow these policies.
BYOD security risks are enormous. These devices reduce company control over corporate data, so company data is more exposed to attack. When employees download insecure personal applications or connect to unsecured Wi-Fi access points, serious security loopholes are opened.
Furthermore, since these devices are often not monitored or managed for security compliance, the chances of attackers reaching the data stored on them are high.
Measures such as allowing access to company networks only through a virtual private network (VPN), and requiring employees to enable MFA on all their accounts, are helpful steps that should be included in such a policy.
White Paper - Top 5 Cyber Security Challenges - KBE Information Security
Here at KBE we strongly believe that mere knowledge is not enough to win today’s challenges. Knowledge needs to be combined with values such as responsibility, courage, sincerity, imagination, dedication and resilience in order to develop the best solutions. This is our promise! This is KBE, a global leader in cybersecurity helping companies and organizations minimize cyber-attacks and threats. Learn more about Cyber Evolutions Services or book a free consultation with KBE experts and protect your business.