Earlier this year, ENISA (the European Union Agency for Network and Information Security) claimed that technology is increasingly vulnerable to attacks. The figures definitely support this claim. There were 6,000 new vulnerabilities identified in 2016, 14,500 in 2017 and so far almost 15,000 in 2018.
It gets worse: ENISA says that the rise in security flaws is inherent to the cyber security landscape. There are several reasons for this. The most obvious is that the increase in Internet-connected devices and applications means there are more things to exploit. This makes cyber crime easier and attracts more crooks.
Another reason is that it’s becoming increasingly expensive and time-consuming for software designers to move onto newer system architectures. They are therefore stuck with outdated systems that contain known vulnerabilities.
Are you ready?
The rise in vulnerabilities might be unavoidable, but there are ways to identify and address flaws before they can be exploited by crooks. Be careful about relying on threat monitoring systems, though: they only flag up known vulnerabilities, and won’t alert you to the many emerging threats.
The IoT (Internet of Things) embeds Internet connectivity into everyday objects. The technology has existed for about a decade but has only been widely used for a few years. As such, it’s still full of vulnerabilities:
- Authentication mechanisms are often flawed, and many users don’t use the built-in security features.
- Data is often sent in cleartext, allowing anybody to read it.
- IoT devices often have mobile and Cloud interfaces, creating additional entry points for crooks.
- It is difficult to know when an IoT device needs to be patched.
Researchers claim that AI will “lead to the expansion of existing threats, the introduction of new threats and a change to the typical character of threats”. The technology could make it easier for crooks to carry out complex attacks and has the potential to automate the discovery of critical software bugs.
AI could be used to abuse Facebook-style algorithmic profiling to revolutionise social engineering.
Ransomware in the Cloud
Ransomware is an established weapon of cyber crooks. It’s injected into an organisation’s systems, where it encrypts the organisation’s files and displays a note demanding a payment for their release.
Unfortunately for crooks, many organisations are now wise to the scam and ensure that they regularly back up their data. This allows them to simply wipe the infected files and restore from their backups.
But now it’s the crooks’ turn to retake the initiative. They have begun taking aim at Cloud computing companies, which organisations often use instead of backups. This exposes the common misconception that the Cloud is somehow a safe haven for data. Rather, it is a remote server, the protection of which is out of your control.
Conduct a cyber security audit
You can determine whether your organisation is ready to defend against these and other threats by taking the IT Governance Cyber Security Audit and Review.
It’s designed for public-sector and critical national infrastructure organisations seeking compliance with any of a number of cyber security laws and frameworks. You’ll receive expert guidance from one of our consultants, who will:
- Verify that information processes are in line with security policy criteria and procedural requirements;
- Define and implement processes and techniques to ensure ongoing compliance with security policies, standards, and legal, regulatory and contractual requirements;
- Carry out security compliance audits in accordance with an appropriate methodology, standard or framework;
- Provide an impartial assessment and audit report covering security compliance audits, investigations and information risk management;
- Provide an independent opinion on whether your organisation is meeting information assurance control objectives;
- Develop audit plans and audit regimes that match your organisation’s business needs and risk appetite;
- Identify your organisation’s systemic trends and weaknesses in security;
- Recommend responses to audit findings and appropriate corrective actions;
- Recommend appropriate security controls;
- Assess the management of information risk across the organisation or business unit;
- Recommend efficiencies and cost-effective options to address non-compliance issues and information assurance gaps identified during the audit process; and
- Assess the maturity of an existing information auditing function using cross-government benchmark standards.