The world of cybersecurity is constantly evolving as hackers adapt their techniques, creating new tools and workarounds to exploit vulnerabilities that most businesses don’t even know exist until it is too late. Companies and security teams are fighting to become more agile and keep pace.
Data privacy and cybersecurity are not only on the minds of businesses; they are also top of mind for consumers. According to Ketchum’s 4th Annual 2019 Causes Americans Care About study, data privacy and cybersecurity rank second (school safety was #1) on our list of top-16 social issues and charitable causes that consumers feel are most important to personally support.
It is more important than ever for all businesses to stay on top of the latest trends in cybersecurity and to constantly assess their level of preparedness. This is not only critical for your business; it is a priority for your customers, employees, partners, and other stakeholders.
This Cybersecurity Awareness Month is an excellent time to review some of the latest trends, identify gaps in your team and program, and determine what steps your business needs to take to be more resilient…
1. Ransom attacks are on the rise:
Earlier this month, the FBI issued an alert about an increase in ransomware attacks across all sectors, including healthcare, state and local governments, and other infrastructure targets. In the healthcare sector specifically, 491 healthcare providers have been the victim of ransomware this year, putting patients’ critical health information at risk. We are also seeing a large number of ransom attacks on municipalities across the country, with reports that 26 percent of cities and counties say they fend off an attack on their networks every hour. Just this past year, victims of these attacks included 22 towns, counties and police departments in Texas, city governments of Newark, Atlanta and Baltimore, San Francisco’s transit authority, the Colorado Department of Transportation, and Cleveland’s airport.
“Ransomware attacks are becoming more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent,” wrote FBI officials. Some of the specific tactics hackers continue to utilize to infect organizations include phishing campaigns, remote desktop vulnerability attacks and software vulnerability attacks.
2. Increasing attacks on utilities and public infrastructure:
According to a recent report from Siemens and the Ponemon Institute, cyberattacks on operational technology involved in running critical utilities are increasing, with potential for severe financial, environmental and infrastructure damage. Utilities provide a critical service for millions of people and governments around the world. However, many operate with outdated technology since upgrades can cause substantial interruption and downtime. These factors have led to a significant opportunity that hackers are increasingly exploiting. For example, Chinese state-backed hackers used a phishing attack on three U.S. energy companies this summer. Posing as National Council of Examiners for Engineering and Surveying (NCEES) employees, the hackers targeted industry employees with emails pretending to deliver professional examination results, utilizing the NCEES logo.
3. Adapting to GDPR:
Now that the EU’s General Data Protection Regulation (GDPR) is in effect, cybersecurity professionals are still working to understand exactly how to interpret the new requirements to comply with stricter data protection mandates. Many companies are having to invest more resources in their initiatives to make data security practices more organized, more transparent and better documented. For example, the “privacy by design” provision means that companies are now required to include data protection from the outset of designing a system, rather than as an add-on. This means that data privacy is now a foundational element at the conception of a new data system.
And because the penalties for non-compliance are serious, the time for companies to act is now.
4. Necessity of user awareness:
Since phishing scams and other hacker attacks leverage vulnerabilities of users, it is more important than ever that companies assess and work to mitigate potential risks that can come from their own user network (employees). When it comes to cybersecurity, having state-of-the-art programs and protocols, and an industry-leading cybersecurity team, will not be enough to protect your business. The weakest link in a company’s cybersecurity repertoire is its users.
It’s critical that businesses work to establish a mindset that cybersecurity is a shared responsibility for the entire company. By scheduling regular trainings that highlight cybersecurity best practices broadly across the organization, every employee will be able to better recognize their role as the eyes and ears of the company, knowing how to properly escalate potential issues they see emerge.
5. Security talent crisis:
As hackers become more prevalent and sophisticated, businesses also have to increase their capabilities and expand their teams at an equal pace. The result: an alarming talent gap in cybersecurity personnel that is growing by the day. In fact, recent estimates indicate there could be as many as 3.5 million unfilled positions in the industry by 2021.
In response, we are seeing many large corporations investing more heavily in their cybersecurity talent pipeline and team development. Since women currently only make up 14 percent of the U.S. cybersecurity workforce, companies are encouraging more women applicants and heavily investing in STEM and coding programs for young women. Companies are also making strategic decisions to broaden the criteria when reviewing candidates, by focusing more on qualities that make a candidate trainable as opposed to just candidates with relevant experience.
Companies large and small simply cannot afford NOT to take their cybersecurity seriously, and your stakeholders are holding you accountable. During a cyber event, it will be vital for an organization to communicate information quickly, credibly and transparently. To succeed in doing that, communications teams need to conduct risk assessments, address process gaps and enhance your company’s readiness to communicate early, often and effectively to your most important audiences when needed. It’s no longer a matter of if a company will face this challenge, but when—and companies need to prepare accordingly.