Cyber-attacks have dominated the headlines in the past decade, wreaking havoc with systems, holding data to ransom, undermining public trust in corporations and governments, and causing untold financial damage.
As security and business leaders prepare for a new year, let’s take a look at the top five cybersecurity threats and priorities they will likely face.
If 2016 was a proof of concept for how elections can be manipulated, 2020 will prove to be an open season for hackers. However, the game will be different. Moving beyond disinformation and influence campaigns, nation-state threat actors have their eye on a bigger prize – our vulnerable election infrastructure. And they’re already busy testing their tools.
Just this past week, Ohio’s Secretary of State announced that during the November elections a Russian organization attempted to probe the state’s election website looking for potential vulnerabilities.
Meanwhile, in Pennsylvania, a bug in a touchscreen voting system caused votes cast in a Northampton County judge’s race to be recorded incorrectly. Voters complained that votes that should have gone to the Democratic candidate were switched to the Republican candidate, only reverting after a system reset. Although no evidence of cyber foul play was detected, the incident underscores the vulnerabilities and weak security performance inherent in U.S. election systems.
Online and in-store digital point-of-sale (POS) systems have long been a target for cyber criminals. Come 2020, retailers will continue to be overrun with organized cyber criminals looking to sell credit card data on the dark web.
Today, roughly a quarter of all data breaches in the retail sector occur as a result of vulnerabilities in POS systems. Most of the time, these incidents are entirely preventable. Basic cybersecurity hygiene practices such as patching and updating systems can prevent most attacks. However, implementing these solutions can be a time-consuming and costly process that often involves taking the systems offline, which is not an option for busy retailers and their customers. Furthermore, most retail IT teams operate on a shoestring budget that prioritizes website performance and user experience over software and hardware updates.
Faced with these challenges, many retailers choose to outsource their POS systems to a third party, reducing the burden on IT. Yet this introduces third-party risk into the equation. BitSight data shows that 60-70% of POS breaches involve a third party.
But the threat doesn’t stop there. Fourth parties and n-th parties deserve attention as well. The trouble is, companies often aren’t sure how to adequately monitor these fourth parties, so they end up feeling “blind” in the relationship. It may no longer suffice to simply add language in a vendor contract that asserts that everything that applies to a third-party vendor also applies to the vendor’s subcontractors.
As the new year approaches, it’s incumbent on retailers to prioritize their POS providers as critical third parties and move towards continuously monitoring their performance, and that of their fourth and nth parties, in order to mitigate any risk flowing up to their own organizations.
2020 will not be kind to the oil, gas, utilities and healthcare sectors, each of which is a lucrative target for threat actors and cyber warfare mongers. Based on past performance and the motives of threat actors, a rise in the number of attacks against critical U.S. infrastructure and healthcare organizations is inevitable.
BitSight recently conducted extensive research into the security performance posture within these industries. The results are sobering. Out-of-date systems or unsupported devices, non-secure access points, botnet infections, and other vulnerabilities are rife. To learn more, check out our findings and risk management recommendations for the healthcare and utilities sectors.
If you’ve ever received a suspicious text message that appeared to be from your bank, then you may have been a target of a smishing campaign.
Smishing or social engineering scams occur when cyber criminals target unsuspecting consumers with fraudulent text messages that seek to elicit bank account details or other sensitive information. The topic was recently explored by the Information Security Forum (ISF), which suggests that smishing will become more popular due to a lack of consumer awareness of this form of cyberattack.
“Vishing” (voice phishing) campaigns will also be on the rise in 2020. Vishing uses advanced AI technology to impersonate known and trusted voices, such as corporate CEOs, in order to manipulate unsuspecting targets (often direct reports) into releasing sensitive information or providing access to critical systems.
To prepare for this uptick in vishing, organizations must take time to understand their employees’ psychological vulnerabilities and create a cybersecurity awareness culture. Employees must be vigilant about the creative ways hackers may try to use them to infiltrate their corporate networks.
A new 2020 Cyber Threat Trends Outlook from Booz Allen Hamilton warns of a major network security threat from drones or unmanned aerial vehicles (UAVs). Equipped with Wi-Fi Pineapple (a leading rogue access tool and penetration testing device), drones are becoming an increasingly popular tool for harvesting credentials, performing man-in-the-middle attacks against employees, and carrying out network reconnaissance close to target networks, reports Info Security Magazine.
Again, employee awareness is a key ingredient for combating this airborne threat. The old adage “if you see something, say something” can and should be extended to cybersecurity. If a member of the security team notices a drone or UAV, they should report the sighting immediately. Drone detection technology can also be used to protect organizations from the cybersecurity threats posed by drones.
Breaches can’t be avoided, but organizations can take steps to understand the risk and likelihood of a data breach in 2020 by using tools like BitSight Security Ratings. Only BitSight provides insight into the vulnerabilities facing companies both inside their own networks and across their third-, fourth- and nth-party ecosystem. With this visibility, business and security leaders can make more informed decisions about where to focus stretched IT resources, lock down their gaps in security management, and take charge of their cybersecurity.