Ten Formidable Corporate Security Risks in 2017
For decades, the corporate marketplace has endured threats to its stability and security in the form of workplace violence, public-relations disasters, defective products, and even natural disasters.
Another risk, however, is steadily becoming a bigger threat overall. Technology, in the form of computers, business networks, mobile devices, cloud solutions, and internet access, presents emerging dangers to corporate security and exposes exploitable flaws.
The responsibility of defending a company against cyber attacks falls mostly on executives and managers, but many corporations still do not have clearly defined managerial roles in cyber security. Technological advancements are demanding more attention.
The rising need for personnel with a working knowledge of cyber security has prompted many forward-thinking corporations to fill managerial roles with recently graduated MBAs with a focus in information systems.
“One 2012 survey reported less than two-thirds of responding companies had full-time personnel in key roles responsible for privacy and security, in a manner that was consistent with internationally accepted best practices and standards,” SEC Commissioner Luis A. Aguilar said in a 2014 address to the New York Stock Exchange at the “Cyber Risks and the Boardroom” Conference.
Top Ten Threats
The landscape of cybersecurity has changed dramatically over the past five years as the connectivity of devices, called the Internet of Things (IoT), has grown. New threats are surfacing as old flaws are repaired.
Due to the shift in security shortcomings, the following ten high-risk areas present the most important corporate security concerns in 2017:
1. Internet of Things
Internet of Things devices include smart watches, appliances, inventory control devices, building thermostats, even medical equipment such as heart monitors, and any other device that exchanges data with other devices (via WiFi, Bluetooth, or NFC).
“IoT gear doesn’t exist in isolation, so attackers will seek new ways to compromise other devices that they interact with in an effort to affect their usefulness,” Tim Green, a Network World senior editor, said in his blog article, “RSA 2017: The Internet of Things Security Threat.”
2. Login Credentials
To some degree, login credentials are more secure today than they were in the past thanks to multi-step authentication. But hackers can still access accounts by spoofing a computer’s IP and MAC addresses and bypassing any additional steps.
Despite evolving security measures, however, simple passwords can be cracked by programs that build dictionaries of potential passwords from names, birthdays, and personal interests (most of which are available on social network profiles).
Additionally, IoT devices often have simple default passwords that are never changed, allowing hackers easy access to any system.
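A defender-side check for the weakness described above (passwords built from names, birthdays and interests), as an added example that is not from the article; the sample profile, the substitution table and the 12-character minimum are assumptions:

```python
"""Profile-aware password check: rejects passwords built from the personal
details (names, birthdays, interests) that cracking dictionaries are seeded with.
Added example, not code from the article; the profile below is constructed."""
import re
from datetime import date

# Constructed sample profile for a hypothetical user (not from the article)
SAMPLE_PROFILE = {
    "first_name": "Maria",
    "last_name": "Lopez",
    "birthdate": date(1985, 7, 23),
    "interests": ["Sailing", "Chess club"],
}

# Undo common character substitutions so "M4r1a" is compared as "maria"
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t"})

def profile_terms(profile):
    """Personal tokens (4+ chars) a dictionary builder would use as seeds."""
    bd = profile["birthdate"]
    raw = [profile["first_name"], profile["last_name"], str(bd.year),
           f"{bd.month:02d}{bd.day:02d}", f"{bd.day:02d}{bd.month:02d}"]
    for interest in profile["interests"]:
        raw.extend(re.findall(r"[A-Za-z]+", interest))  # "Chess club" -> Chess, club
    return {t.lower() for t in raw if len(t) >= 4}

def password_forms(password):
    """The password as typed and with substitutions reversed, both lower-cased."""
    low = password.lower()
    return {low, low.translate(UNLEET)}

def profile_based(password, profile):
    """Return the (longest) profile term the password contains, or None."""
    forms = password_forms(password)
    for term in sorted(profile_terms(profile), key=len, reverse=True):
        if any(term in form for form in forms):
            return term
    return None

def check_password(password, profile, min_length=12):
    """Policy decision as (accepted, reason); the 12-char floor is an assumption."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    term = profile_based(password, profile)
    if term:
        return False, f"derived from profile term '{term}'"
    return True, "ok"
```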
3. Mobile Devices
Smartphones, tablets, and netbooks are being used by employees for work purposes, or for personal reasons while connected to a business network. Employees use smartphones to access work email, customer databases, private communications, and financial data, as well as to make purchases on corporate accounts. Criminals can grab sensitive business data from smartphones when they connect to public WiFi.
4. Privileged Users
Despite increased corporate security, some employees, managers, and vendors continue to enjoy high-privilege access to company systems. Hackers have become aware of the weakness and are shifting their focus from cracking systems to stealing credentials with system privileges already in place.
5. Dwell Time
The amount of time that passes between a security breach and the discovery of the breach is called “dwell time.” The longer the dwell time, the more damage that can be done.
“The reason [dwell time] occurs is that we have been, until now, focusing on what to do after a breach has been discovered rather than on prevention alerts early on,” Engadget tech contributor Dianna Labrien said in a 2017 article, “Security Threats for 2017 – What Can Be Done?”
6. Social Engineering
While advances in cyber security have focused on automated system exploits, hackers have redirected their efforts to stealing credentials and information through email, social networks, apps, and even face-to-face interactions.
Social engineering allows hackers to extract personal information through manipulation and deceptive practices. Instead of fighting through multiple layers of security with a computer terminal, hackers can sometimes retrieve the information they’re looking for through conversation and trickery.
7. Malware and Ransomware
Viruses of all sorts continue to plague the Internet, IT expert and Network World senior writer Sharon Florentine said in her “2017 Security Predictions” blog article. Anti-virus software giant Symantec identified about 4,000 ransomware attacks per day in 2016 alone, she said. Ransomware and malware become even more problematic when combined with social engineering: when a user is persuaded to download or install a file or program from a webpage, the malware comes embedded in it. Antivirus software does not easily detect malware that the user installed voluntarily.
8. Artificial Intelligence
Artificial intelligence algorithms have become invaluable. Big Data analytics, or the analysis of massive sets of marketing data, would be difficult to use without algorithms that aggregate and organize information and make it useful to decision makers. Modern algorithms, though, present a few major security risks. Flawed algorithms could result in flawed business decisions, and insecure algorithms are wide open to hackers. Risk management expert Phillimon Zongo of ISACA.org said artificial intelligence presents three predominant cyber threats:
• No standard currently exists for AI security.
• Start-ups concentrate on beating competitors to market rather than on making their algorithm secure.
• Cyber criminals can manipulate the self-learning aspects of an algorithm.
9. Educational Deficiencies
Secure corporate information travels everywhere with employees on unsecured devices. Most corporate employees are woefully undertrained about device security.
The results of poor corporate security training include successful social engineering, attacks over public WiFi on unsecured mobile devices, malware infections, and stolen credentials.
10. Changing Corporate Focus
Corporate mission statements in the past presented only the primary focus of the business (e.g., banking, marketing, retail electronics, groceries). Security was assumed to be included in the natural course of business. Not too long ago, security was confined to a couple of part-time security guards at the doors and a safe for nightly deposits.
Today, modern security measures, including cyber security, must be part of a company’s primary focus. The corporate culture itself has to be steeped in cyber security. For example, a bank should no longer just offer banking to its customers; it should offer “secure” banking with defined security measures.
The best defense against today’s most formidable cyber threats is employee training and restructured security departments. IT professionals need to occupy a more central role in business. Security should become inseparable from the service a company provides.
Cyber security training can no longer be ignored if employees are going to defend themselves against attacks. Proper mobile device security, social engineering awareness, password management, and work-appropriate internet usage must be taught to employees, managers, executives, and vendors.
UAB’s Online MBA Degree Program
The University of Alabama at Birmingham offers an online MBA program with a focus in Management Information Systems that can equip graduates with a valuable understanding of cyber security. Classes combine traditional instruction with modern online technologies. Online courses are completed collaboratively with instructors and other students through computers and/or mobile devices.
Other program concentrations include Finance, Marketing, and Health Services. For more information, visit the University of Alabama at Birmingham’s online MBA website.
Sources
• Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus – https://www.sec.gov/News/Speech/Detail/Speech/1370542057946
• RSA 2017: The Internet of Things Security Threat – http://www.networkworld.com/article/3164839/security/rsa-2017-the-internet-of-things-security-threat.html
• Security Threats for 2017 – What Can Be Done? – https://www.engadget.com/2016/12/15/security-threats-for-2017-what-can-be-done/
• Social Engineering Confirmed As Top Information Security Threat – http://www.computerweekly.com/news/4500273577/Social-engineering-confirmed-as-top-information-security-threat
• 2017 Security Predictions – http://www.networkworld.com/article/3145730/security/2017-security-predictions.html#tk.drr_mlt
• The Risk Associated With AI – https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=348
• See Your Company Through The Eyes Of A Hacker – https://hbr.org/2015/03/see-your-company-through-the-eyes-of-a-hacker