Guest Column | January 4, 2016

New Year, New Goal: Protect Your Business And Your Clients From Cyberattacks

By Oscar Marquez, CTO, iSheriff

It has been a year full of both good news and bad news for the global security industry, although, at first glance, it seems that 2015 was filled with only the worst of news.

Incidents of every flavor of cybercrime are increasing. Every sector of business and government has been hit hard by data breaches. There aren’t enough experienced cybersecurity professionals to fill the thousands of job openings. The regulatory, financial, and reputational consequences of negative incidents continue to mount. Cybercriminals are organized, sophisticated, and everywhere.

So what’s the good news? Cybersecurity has gained some long-awaited traction and momentum. The more headlines there are about data breaches, the more stakeholders are paying attention. Executives and boards are finally making information security a real priority. Local, state, and federal agencies are also ramping up their efforts, thanks in part to the astonishing breaches at the U.S. Office of Personnel Management (OPM) and the Internal Revenue Service (IRS).

The Federal Trade Commission (FTC) has begun prosecuting negligent companies, which should be reassuring to responsible companies that are reliant on vast networks of supply chain partners and vendors. Increased transparency and disclosure are definitely good news for consumers, who have little insight into the security posture of the enterprises behind the products and services they purchase.

The deployment of EMV chip-and-PIN credit card technology is still in its early stages, but will hopefully represent the dawn of a more secure era for consumers. Corporate and public campaigns are encouraging better digital citizenship; the increased use of strong passwords, multifactor authentication, and encryption is a good sign.

It’s certainly not yet time to celebrate a job well done. As quickly as new security mechanisms are being developed, cybercriminals are cultivating new techniques to bypass them. The goal is to make it more expensive and more labor-intensive for cybercriminals to gain illicit access, and to secure valuable data so thoroughly, there’s nothing worth stealing once they’ve made their way in.

At iSheriff, we believe there are six prevailing security threats businesses need to prepare for in 2016:

  1. There Will Be More POS Device Breaches. With the holiday season wrapping up, we can expect more headlines about credit card information being pilfered in bulk. The ongoing problems with lax security configuration, weak passwords, and third-party access vulnerabilities we’ve seen the last few years will converge with the messy rollout of EMV card terminals. Despite the increased security promised by EMV standards, hackers will find plenty of opportunities to exploit rushed deployments, customer and cashier confusion, and aging point of sale (POS) systems yet to be replaced. In the U.S., about 12 million POS terminals need to be upgraded to be EMV compliant, but only 40 percent were expected to be ready by the end of 2015. Considering that a significant percentage (approximately 40 percent) of data breaches over the last two years were related to POS system compromises, this threat is still significant. It’s worth noting here that EMV technology does little to protect online transactions; online fraud increased in Europe after EMV adoption.
  2. Devices That Come And Go Off The Network. This, coupled with the ongoing bring your own device (BYOD) trend, will continue to confound security managers who know it’s imperative to secure all endpoints, but lack the proper tools to do so effectively. Without proper tools, administrators are left to choose between over-restricting access and reducing user functionality. Fortunately, the pervasive scope of this challenge is driving rapid growth in the endpoint security market, which is expected to be worth more than $17 billion within five years. Companies must be diligent about creating and enforcing BYOD policies that include a verification capability. Engaging the whole organization in secure BYOD campaigns can help promote a culture of responsibility and awareness.
  3. Companies Of All Sizes And Types Will Have To Deal With Breaches And Lost Data Issues. Breaches at major, global organizations will continue to make headlines, but cybercriminals are ingenious when it comes to finding the path of least resistance in pursuit of low-hanging fruit. As enterprise security programs improve, many bad actors will look for fresh opportunities to ambush unsuspecting targets with their cunning schemes. While many hackers and cybercriminals focus on name-brand networks, many others hone their craft and try new approaches with smaller businesses. No business can afford to let its guard down! Small businesses that assume they can’t possibly be on anyone’s radar should remember that many attacks are automated; if you (or any of your vendors or employees) have left a virtual door open, the hackers’ bots will find it and exploit it. Small to midsize businesses are particularly vulnerable — for many, the financial and reputational costs incurred in the aftermath of a breach would be enough to wipe them out permanently. Kaspersky Labs estimates that on average, each cyber attack on an SMB costs $38,000.
  4. Ransomware Will Continue To Evolve And Become Increasingly Complicated. We continue to be shocked at the number of ransomware attacks where the “victim” actually pays the ransom. The FBI said it received 992 CryptoWall complaints from April 2014 to June 2015, representing total losses of $18 million — and that is just reported cases. Because criminals are finding this scheme lucrative, hackers will continue to work on producing virus variants that are harder to detect and decrypt. Ransomware depends on human error; it is usually activated by a user clicking on a link in a phishing email. Encryption of sensitive data combined with regular backups onto external devices or cloud services is an excellent defense against these schemes. If you have a current copy of your data or website, business can continue with minimal disruption. Paying the ransom does not, after all, guarantee full restoration of your data or website. It’s important to note that mobile devices can also be overtaken by ransomware, and often the accompanying threat is to ruin one’s reputation.
  5. The Trend Towards Cloud-Based Security Services Will Enable A Shift Towards True Integration. This shift will be of fundamental importance in delivering complete visibility across the organization’s security position — something that simply isn’t possible with today’s fragmentary approach. The CISO will continue to demand best-of-breed solutions for the organization, and a move towards open APIs and integration frameworks will enable this to be achieved without today’s critical visibility compromises. Traditional security approaches are no longer sufficient; infrastructure complexity, the dissolution of the network perimeter, the mobile workforce, and interconnected supply chains create enormous new challenges. Businesses of all sizes need a solution to match their particular problems and goals. Integration, automation and flexibility are imperative as IT teams strive to maximize efficiency and effectiveness with limited resources in the face of rapidly shifting threats.
  6. The Emergence Of Smart, Integrated, Cloud-Based Security Services Will Enable A Transformation From An Alert-Centric To An Intelligence-Centric Approach To Security. Cloud-based security enhances visibility by spotting anomalies and correlating events across millions of end users. Using the power of Big Data, we can move away from managing a daily deluge of alerts. Beyond the obvious efficiencies of integration (no more silos, fewer vendors), running advanced analytics is more effective when security infrastructure components can talk to each other. Analyzing interdependent activity and automatically enforcing policies across all endpoints and contexts drives an intelligence-based approach to security. Visualization tools and dashboards render the intelligence more accessible, and make it easier to spot attacks and vulnerabilities. Global cloud-based services can provide broad reach across all components of the extended, distributed enterprise infrastructure and beyond.

It’s impossible for businesses to avoid every serious incident. We should all accept a starkly realistic view of risk and the probability of being breached. But this doesn’t mean we should accept defeat. Focus on making businesses a less-appealing target. Don’t leave valuable, enticing data unencrypted. Don’t leave any back doors open to hackers. Investigate security solutions that provide a big-picture, integrated view of the digital landscape. Cybersecurity that matches a company’s needs and resources is available.

The stakes are higher than ever before. Businesses depend heavily on data and digital functions, and these valuable assets are constantly under attack. As they prepare for 2016, organizations of all sizes need to be aware of the important trends that have emerged or shifted in the past year. It’s important to take time to thoroughly assess your clients’ ability to defend their data, networks, employees, and customers. Every business should resolve to strengthen cybersecurity capabilities over the next year.

Oscar Marquez is the Chief Technology Officer of iSheriff, with overall responsibility for worldwide sales, support and the development and delivery of the company's world-class cloud security products. He was an early pioneer in Web and Email cloud security services and the development of near-zero latency global data center infrastructures. Marquez has more than 20 years of experience in the security and technology industries, including senior executive and technical roles with M86 Security, Tier-3, Ubizen, NetiQ, Siemens Nixdorf and Novell. He holds a BA in Computer Science from the University of Barcelona.