Malware, DDoS attacks and human behavior remain among the top cyber-risks.
In a presentation on the top 10 cybersecurity risks facing organizations at the ISACA EuroCACS conference in Munich, Raef Meeuwisse, director of cybersecurity and data privacy governance at Cyber Simplicity and external relations director of the ISACA London Chapter, described the list as a tool for making a "persuasive argument", one aimed at changing the behaviour of the people around you.
Noting that cybersecurity is dominating the news, Meeuwisse said: "That is the reason you have to make a compelling case to stakeholders and executives, to understand risks and take correct measures to understand risks, as it is not that difficult to substantially reduce risks. Not eliminate them altogether, but reduce them substantially."
Saying that he did not consider GDPR a top cyber-risk for 2017, he added an 11th risk to his list, which was based on risk scores drawn from several sources, including ISACA research and the Verizon 2017 DBIR. The 11th was shadow IT, where he said the risk is "relatively high and is predicted to increase even further."
He added: "I have visited organizations, and whether it is a problem or a massive problem is related to how adaptable and flexible the company is being to the needs of the users."
Tenth was privileged account management. Meeuwisse said most organizations have no countermeasures for it, that in large organizations trusted access cannot be monitored, and that misuse of privileged accounts tends to be a key component in the success of most cyber-attacks.
Ninth was passwords and single-factor authentication, a problem in many legacy internet-facing systems that rely on passwords alone, where people re-use them or choose very weak ones. Eighth was human error, with executives failing to understand the magnitude of the risk.
The seventh spot went to DDoS, of which Meeuwisse said: "If you think Mirai was the beginning and end, think again, as rubbish devices are connected to the internet and will continue to be massively vulnerable."
He said: "The key thing is a lot of organizations, where websites and even the entire workforce could stop working, don't have resilience to it, and DDoS attacks increase and bandwidth goes up massively. Mirai proved that with the right attackers and botnet, even DDoS filtering could not cope. Do not expect that DDoS will not happen; expect it will happen, and expect resilience, as even if you have DDoS filtering, it will be overwhelmed by attacks."
Sixth was "unreliable external technology", such as cloud outages; Meeuwisse encouraged delegates to put resilience in place, particularly where critical technology could stop working. Fifth was data theft, which he acknowledged was "not a technical specific risk, more of an objective", such as the theft of intellectual property.
The fourth risk was zero-day threats, particularly where there is an assumption that there is "no defense and nothing you can do" and the patch cycle is not regular. Third was phishing and smart phishing, where technology can be deployed but the risk cannot be eliminated.
The second spot went to web application attacks, which Meeuwisse said are happening all the time, as web applications are a primary target. To address this, he recommended using a secure development lifecycle, building security requirements in from the start, and doing static source-code analysis and uptime monitoring to help keep a web application secure.
The first spot, and top risk, was malware, including ransomware. He said: "It is still just happening everywhere and continuously evolving. A massive army of criminals is getting past defenses and getting malware and ransomware into organizations."
In conclusion, Meeuwisse said that there are protections that work, but most organizations don't have them, and as "most of us don't patch within 24 hours", our risk profiles need to take risks more seriously, with DDoS in particular a major concern going forward.
“I think this happens largely if you don’t get exec support, you don’t get a persuasive argument,” he said. “The key message is risks from cyber are very significant, highly likely to occur and there are adequate defenses that organizations neglect to put in place.”