Title : Cybersecurity Risks for Business

Posted by : Tariq Azmi | 2021-10-11

Cybersecurity Risks for Business

Ransomware & Malware:

According to Cybersecurity Ventures, Ransomware is predicted to hit $11.5 billion in damages.  The current threat volume translates into a new victim every 14 seconds. Ransomware has grown to be one of the biggest problems on the web. The ransom payment is only one part of the impact. The loss of productivity, system downtime, the cost of rebuilding systems and replacing the hardware all impact a company’s ability to survive after an attack.

Practice vigilance, security is everyone’s responsibility

Endpoint attacks:
As more companies move resources into the cloud and rely on remote workstations, the attack surface increases. With more companies creating “bring your own device” policies and adopting SaaS platforms, hackers have more targets to pursue. The challenge is how best to secure these off-premises systems and personal devices. Endpoint attacks are frequently used by cybercriminals to gain access to larger networks. By requiring endpoint devices to meet security standards before being granted network access, enterprises maintain greater control to effectively block cyber threats and attempts. 

Start by having policies of end point protection (Antivirus), policy on who gets access to the network and non-company issued devices.

Phishing and Business Email Compromise continue to be the most popular, low-tech approach cybercriminals use to gain access to networks. Phishing emails look like normal, everyday emails from companies, executives and trusted peers. By clicking on malicious links or providing information on imposter landing pages malware is loaded onto devices allowing cybercriminals to gain access to sensitive networks. With the widespread use of cloud services like Gmail, and Office 365, hackers are becoming more sophisticated with their impersonation and social engineering skills. Cloud services cannot adequately protect your sensitive data.
Adopting additional email security measures with encryption and threat intelligence is a smart way to protect employees from sophisticated email attacks

Supply Chain Attacks
A supply chain attack, also known as a third-party attack, is when a cybercriminal uses the vulnerability of an outside supplier’s security system to gain access to a larger organization’s network. According to the Ponemon Institute, 75% of IT professionals surveyed acknowledged the risk of a breach through a third party is dangerous and increasing. More specifically, 63% of all data breaches can be linked either directly or indirectly to third-party access according to Soha Systems.

Added email security, Policy & Procedure on Vendor management can reduce the vulnerability

IoT Attacks

The use of the Internet of Things (IoT) is growing each day (according to Statista.com, the number of IoT internet-connected devices is expected to reach almost 31 billion). IoT includes everything from laptops and tablets, to routers, webcams, household appliances, smartwatches, medical devices, manufacturing equipment, automobiles and even home security systems. More connected devices mean greater risk. Once controlled by hackers, IoT devices can be used to overload networks, tap into sensitive data or lockdown essential equipment for financial gain.

Adapting & Implementing network separation based on the usage can reduce the risk. For example, segregating the access on the network for Camera system, Guest Wi-Fi, IoT devices, etc.

Insider Threat:
Human error is still one of the primary reasons for the data breach. Any bad day or intentional loophole can bring down a whole organization with millions of stolen data. Report by Verizon in data breach gives strategic insights on cybersecurity trends that the employees directly or indirectly made 34 percent of total attacks.

One way to combat this is to make sure you create more awareness within premises to safeguard data in every way possible.

Social Engineering:
In an attack that uses social engineering, not only the technology is at focus. Social engineering targets the human aspectPhishing is a prominent example of it. Social engineering can occur in any form sensitive information can be gathered - In an email, face to face or even via a phone call.
Social engineering can also be purely reliant on the social aspect. The service employee to "fix your bad WiFi" might not be who you think it is 

Companies usually make appointments with you upfront. It generally makes sense to decline such spontaneous appointments.

Confusing Compliance with Cybersecurity
Another risk businesses have to deal with is the confusion between compliance and a cybersecurity policy. Ensuring compliance with company rules is not the equivalent of protecting the company against cyber-attacks. Unless the rules integrate a clear focus on security.

Enterprise risk management requires that every manager in the company has access to the parts of the security system that are relevant to them. Security is a company-wide responsibility. As a result, managers (and everyone else) should oversee how data flows through the system and know how to protect confidential information from leaking to cybercriminal infrastructure.

Data Governance & Mishandling:

For many enterprise networks, the sheer volume of unneeded data makes cybersecurity monitoring less effective.  If company doesn’t compartmentalize data add to the risk. In other words, everyone from interns to board members can access the same company files. Giving everyone the same access to data increases the number of people who can leak, lose or mishandle information. More importantly, if case of a malware or ransomware the data is compromised easily by not compartmentalizing the access.

Reducing this threat requires good data governance practices, such as deleting any data that is not required to provide their services or meet a regulatory requirement. Deleting unneeded sensitive data in the environment not only reduces the risk of a compromise, but also decreases IT costs by reducing the infrastructure footprint and narrowing the scope for privacy and other regulatory requirements.”

Cloud Security:

With more and more organizations now established on clouds, security measures need to be continuously monitored and updated to safeguard the data from leaks. Although cloud applications such as Google or Microsoft are well equipped with security from their end still, it's the user end that acts as a significant source for erroneous errors, malicious software, and phishing attacks.
Many companies recognize the need for cloud-friendly security infrastructure, but especially as so many have sped up their digital transformation and cloud-migration efforts past the point of planning, organizations have bypassed important cloud security features that leave their cloud-based apps vulnerable.

Lack of a cybersecurity policy

Security standards are a must for any company. Cyber criminals aren’t only targeting companies in the finance or tech sectors. Not prioritizing the cybersecurity policy as an issue and not getting employees to engage with it is not something that companies can afford. 

As part of their cybersecurity policy, companies should:

  • identify risks related to cybersecurity
  • establish cybersecurity governance
  • develop policies, procedures, and oversight processes
  • protect company networks and information
  • identify and address risks associated with remote access to client information and funds transfer requests
  • define and handle risks associated with vendors and other third parties
  • be able to detect unauthorized activity.

Shortage of Cyber Security Professionals

The rate of cybercrime is forcing companies and governments to scramble to hire enough qualified cybersecurity professionals to deal with the growing threat. This shortage is expected to continue with some estimating more than 1 million unfilled positions worldwide, potentially growing to 3.5 million by the end of the year.
Recruiting the right person with the right education and experience is very important. In efforts of saving money in the short term and hiring a general IT person could hurt in the long term. If budget doesn’t allow a long-term full time employee then at least get outside consultant or security groups do an network assessments.


Inadequate Patch Management

The purpose of a patch is to eliminate a “hole” or vulnerability in software or hardware programs. Manufacturers release patches to address vulnerabilities in their operating systems, software, and other technologies. Patches are essential to the security of your business — yet, patching largely gets ignored both by users and IT security teams. Often, there are other more pressing IT responsibilities to manage. Regardless of the reason, a lot of technology remains unpatched, leaving businesses and their data vulnerable to even the most basic of cybersecurity threats.

Lack of a recovery plan

Being prepared for a security attack means to have a thorough plan. This plan should include what can happen & how to prevent the cyber-attack, but also how to minimize the damage does happen. Unfortunately, the statistics reveal that companies are not ready to deal with such critical situations.
This is topic that should be discussed and addressed. This cannot be a reactive approach.

Lack of Security training

Employee training and awareness are critical to your company’s safety. In fact, 50% of companies believe security training for both new and current employees is a priority.   

Few topics to cover in the security training can be

  • Reasons for and importance of cybersecurity training
  • Phishing and online scams
  • Locking computers
  • Password management
  • How to manage mobile devices
  • Relevant examples of situations