As cyberattacks become more frequent and sophisticated, RSM advisors discuss how to protect your organization against 2016’s emerging cyberthreats.
INSIGHT ARTICLE | January 20, 2016
As companies become increasingly reliant on technology to improve efficiency, productivity and mobility, vulnerabilities to cyberattacks are growing. While breaches at large organizations make headlines, no organization is too small to be a valuable target, and most companies will likely suffer a cybercrime at some point. Criminals and attack methods are evolving and becoming more sophisticated, so organizations and individuals must fully understand emerging threats and proactively plan to protect themselves.
Security and privacy advisors at RSM US LLP, a national accounting, tax and consulting firm, have developed a list of five cybersecurity items that will likely emerge as significant threats to individuals and organizations in 2016. The five predictions are:
1. Cybercriminals will not just go after bits and pieces of data, as has been common practice in the past. Instead, they will increasingly seek to build entire profiles from the data they collect and sell them as complete identities, either for monetization or for nation states to use in their targeted attacks.
This means cybercriminals are no longer going after just credit cards, health care data or even personally identifiable information (PII). They are building a complete victim profile and then selling it to the highest bidder. A complete profile could include traditional information forms (bank account data, credit card data and health information), but also social media information, past residence addresses, dependent information and more.
This threat calls for stronger controls to protect traditionally stolen information, and for consumers to take care that they do not provide too much information through social media. It also calls into question the publication of traditional public information such as property tax, permitting and other public records.
2. The “Internet of things” is still growing as seemingly everything (vehicles, appliances, children’s toys, safety systems and others) a business or consumer purchases is “Internet ready.” Unfortunately, we continue to read about these systems being broken into and either remotely controlled in disturbing ways or used to gather information on businesses or families without their knowledge.
In general, most of these systems have a portal hosted by the product’s manufacturer or provider, or one of their business partners, with relatively weak authentication controls that require only a username and password. For example, the next time you see your Internet-connected intelligent thermostat adjust the temperature in your home, ask yourself whether it changed the temperature because it was needed, or whether someone broke into the portal account and is now experimenting with your thermostat.
Best practice for these portals is to use security controls equivalent to those of online banking and credit card portals: multifactor authentication, forced password changes and account lockout.
3. Cybercriminals will continue to use social engineering to facilitate their system breach efforts. Postmortem breach reviews indicate that many successful breaches are dependent on attacking the organization’s employees, customers or business partners through social engineering efforts.
People will likely be the weak link in security for the foreseeable future, and efforts to improve social engineering defenses must be implemented. Many organizations have security awareness programs, and RSM advisors say they are slowly seeing improvement in the responses to their social engineering testing, but there is still room for improvement.
To improve security awareness, RSM advisors recommend conducting social engineering training and testing more than once a year, and then validating the effectiveness of the training through testing.
4. Health care information has more value per stolen record than most other forms of data theft (bank account, credit card, PII). Health care information is often tied to a social security number, and it is difficult to get a new number issued that does not tie back to the original number. It simply isn’t as easy as getting a new credit card.
RSM advisors anticipate more breaches will occur in the health care industry in 2016, as more eligible professionals and hospitals move to electronic health record systems. As the industry continues this transition, an increase in hacking events will occur due to medical data being shared via electronic exchanges.
5. System security configuration issues continue to be a common source of security incidents and potential breaches. RSM continues to see too many weak security implementations for servers, workstations and other network devices during testing. New systems should be implemented using a National Institute of Standards and Technology (NIST) security reference or other guidelines to create a “base” image. That base image should then be used as a starting point when new systems are implemented.
A short list of common “wall of shame” security issues (practices to avoid) follows:
a. Using default administrative credentials. Most default credentials can be Googled.
b. Improper administrator password usage. Many companies use the same local administrator password on all workstations and servers.
c. Storing passwords insecurely. While conducting security testing for clients, RSM advisors find passwords on workstation shares, in text files, work documents and file names, and written on the side of monitors and keyboards.
d. Running services on servers with administrative rights. If the service is compromised, the attacker would have administrative rights in the system.
e. Weak passwords. Too often vendors use the same credentials on all of their customer systems.
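As an added illustration (not part of the RSM article), the sketch below audits a small, constructed host inventory for items a, b and d on the list above. The inventory fields, the placeholder hash labels and the list of administrative account names are assumptions of this example; it also assumes password hashes are unsalted, so identical passwords yield identical hashes.

```python
from collections import defaultdict

# Constructed sample inventory (not real hosts). Each record holds the
# local administrator password hash (placeholder labels, not real hashes)
# and a map of service name -> account the service runs as.
INVENTORY = [
    {"host": "ws-001", "local_admin_hash": "HASH-A",
     "services": {"print-agent": "svc_print"}},
    {"host": "ws-002", "local_admin_hash": "HASH-A",
     "services": {"backup-agent": "LocalSystem"}},
    {"host": "srv-db1", "local_admin_hash": "HASH-B",
     "services": {"db-engine": "svc_db"}},
    {"host": "cam-01", "local_admin_hash": "HASH-DEFAULT",
     "services": {"web-ui": "root"}},
]

# Assumption: hashes of vendor default passwords, kept by the audit team.
DEFAULT_PASSWORD_HASHES = {"HASH-DEFAULT"}
# Assumption: accounts treated as administrative in this environment.
ADMIN_ACCOUNTS = {"root", "Administrator", "LocalSystem", "SYSTEM"}


def audit(inventory):
    """Return sorted (rule, host(s), detail) findings for items a, b and d."""
    findings = []
    hosts_by_hash = defaultdict(list)
    for record in inventory:
        host, digest = record["host"], record["local_admin_hash"]
        hosts_by_hash[digest].append(host)
        # Item a: the administrator password is still a vendor default.
        if digest in DEFAULT_PASSWORD_HASHES:
            findings.append(("a-default-credentials", host, digest))
        # Item d: a service runs under an administrative account.
        for service, account in record["services"].items():
            if account in ADMIN_ACCOUNTS:
                findings.append(("d-service-runs-as-admin", host, service))
    # Item b: one local administrator password reused on several hosts.
    for digest, hosts in hosts_by_hash.items():
        if len(hosts) > 1:
            findings.append(("b-shared-local-admin-password",
                             ",".join(sorted(hosts)), digest))
    return sorted(findings)


if __name__ == "__main__":
    for rule, hosts, detail in audit(INVENTORY):
        print(f"{rule:32} {hosts:16} {detail}")
```

Items c and e are not covered here: finding stored passwords requires scanning file shares and documents, and vendor credential reuse is only visible across customers.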
All forms of data have value to cybercriminals, and hackers are using new methods and continually attempting to access sensitive information. Ignoring, or not properly addressing, security vulnerabilities can leave companies and individuals exposed to a breach with significant financial and reputational consequences. Understanding and addressing these emerging threats is critical to protecting your information, and reducing the potential for a data breach in the coming year.