There's always a new security threat to worry about, whether it's from the latest breach headline or a cyberattack on your business. It's almost impossible to keep track of every factor putting an organization at risk. There is no avoiding the reality that cybercrime, or cyber espionage, will hit. Attackers are employing methods across the spectrum to deliver malware and steal credentials, from old vectors like malvertising to new ones like appliances connected to the Internet of Things. Every security expert has a different perspective on which threats should be top of mind, and which ones businesses aren't paying enough attention to. Here, a few security pros weigh in on the threats they think are flying under the enterprise security radar.
Becoming a digital bank can transform a traditional banking organization from being a reactive product provider to being a proactive financial advisor. By developing a digital stack that operates in real time, with contextual engagement and the interests of the customer placed at the forefront, financial organizations can combine home-grown services with those offered by outside organizations. By definition, digital banks will be more agile and instantly responsive, increasing revenue opportunities and decreasing costs. According to the Temenos report, Digital Banking, “A digital bank offers customers contextualized, seamless experiences that transform the customer journey. And becoming a digital bank means delivering a compelling and relevant customer experience through an open, integrated and flexible architecture.” In short, Temenos believes a digital banking solution provides:
Millions of people already get it. They're using chatbots to contact retailers, get recommendations, complete purchases, and much more. Adoption of chatbots is increasing. People are discovering the benefits of chatbots. All of this is good news for entrepreneurs and businesses because pretty much any website or app can be turned into a bot. Now is the perfect time to hop on the bandwagon. Even I've jumped on the bandwagon with my new startup. ... Many consumers know they want to buy some shoes, but might not have a particular item in mind. You can use chatbots to offer product suggestions based on what they want (color, style, brand, etc.). It's not just shoes. You can replace "shoes" with any other item. It could be clothes, groceries, flowers, a book, or a movie. Basically, any product you can think of. For example, tell H&M's Kik chatbot about a piece of clothing you have and it'll build an outfit for you.
“RPA is a transformational tool, not a desktop macro builder. Look for pain points within the organization and identify what needs to change. This isn’t just a cost play; rather, it has to do with mitigating the challenges of growing in a linear fashion by increasing the number of full-time employees. For some, it is about improving speed and quality to differentiate in the market. Others are attracted by the insight and analytics that come from consolidating all transactional data into one database for real-time visibility.” ... “The next step is to analyze the business and map processes at keystroke level. To do so, use experts in RPA, as it is important to drill into the areas where configuration will be complex. Standard operating procedures, training materials and system manuals will be great inputs, but not enough by themselves.”
Although the situation seems grim, there is hope nonetheless. Just to give an example: a while ago IKEA released its Trådfri smart lighting platform, which apparently has a fairly decent security architecture. At first glance it might come as a surprise that of all companies, it is IKEA that shows the importance of investing in good security design for IoT products. On second thought, however, IKEA's decision becomes easily comprehensible: by not squeezing the last bit of revenue out of their IoT product, IKEA reduces the risk of their devices being hacked on a large scale, which could force the company into a costly product recall and might damage its image substantially. Thanks to this decision, the world is likely spared a Trådfri botnet of a gazillion IoT light bulbs, next to which the Mirai botnet would look like a bad joke.
Unfortunately, a common mistake that some organizations make is to treat MDM (master data management) as a purely technical issue. While this approach helps an organization quick-start its MDM initiative, it leaves the most critical problems unattended and dilutes the overall benefits of the MDM program. A technology-driven approach decreases business confidence in MDM, making it difficult to sustain the solution and thus causing the premature death of the global MDM program. By contrast, a technical solution well integrated with business processes, along with a strong governance program, is the right way to start an MDM program. A business-driven approach can ensure the success of the MDM program and open a path for further expansion.
What is the actual cost to your business during a DDoS attack? Is it services deferred or services diverted? That is, are you in a market position where people will come back later to avail of the services? Or will they simply go elsewhere? If you’re in the former position, the “cost” of a DDoS attack is significantly lower than that of the latter case. Be wary of the “reputational harm” hype. It is hard to quantify. Take some time to understand what it means to you. For instance, if you’re a gaming site and you’re hit by DDoS attacks, it could mean the end of your business. If you’re a niche site that caters to ham radio operators in Austria, perhaps not so much. Be cautious of vendors who say the correct answer is to expand your DDoS protection services. That may not be the right answer. Determined attackers clearly have the ability to point more IoT devices at you than most reasonable DDoS protection services can handle.
For the present, and for many years to come, detection and mitigation will remain essential, but they are costly. The more attack surface a device has, the more expensive it is to manage. Operating systems such as Windows and Linux offer a large attack surface to the opposition because their function is to be as flexible as possible. For example, the Linux kernel alone contains 15.9 million lines of code (v3.6). Almost all of it is written in C, which performs no bounds checking, and so it is exposed to buffer overrun bugs. We are currently at the point of maximum IoT vulnerability. Five years ago, most embedded systems controllers were built around 8- or 16-bit CPUs, which rarely offered more than a few thousand bytes of RAM. Systems had to be simple, as programmers were forced to make every byte count. Today, a 32-bit CPU with a couple of gigabytes of memory costs only a few pennies more.
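The buffer overrun risk mentioned above, illustrated with a constructed C example added here (it is not code from the article or from any product). A tiny length-prefixed sensor message is parsed twice: first by a routine that trusts the attacker-controlled length byte, then by one with the bounds checks the first lacks. The message format, the 16-byte payload limit and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (assumption, not a real protocol):
 * byte 0 = payload length, bytes 1.. = payload bytes. */
#define MAX_PAYLOAD 16

/* Vulnerable parser: copies as many bytes as the message *claims* to
 * carry into a caller-supplied buffer of MAX_PAYLOAD + 1 bytes.
 * A length byte above MAX_PAYLOAD overruns out[]; a length larger than
 * the message also reads past msg[]. Never call this with hostile input. */
int parse_reading_unchecked(const uint8_t *msg, size_t msg_len, char *out)
{
    if (msg_len < 1)
        return -1;
    size_t n = msg[0];          /* attacker-controlled, never validated */
    memcpy(out, msg + 1, n);    /* stack or heap overrun when n > MAX_PAYLOAD */
    out[n] = '\0';              /* one more out-of-bounds write */
    return (int)n;
}

/* Hardened parser: the declared length is checked against both the
 * destination buffer (room for the terminating NUL) and the bytes that
 * actually arrived before anything is copied. */
int parse_reading_checked(const uint8_t *msg, size_t msg_len,
                          char *out, size_t out_len)
{
    if (msg_len < 1 || out_len == 0)
        return -1;
    size_t n = msg[0];
    if (n >= out_len)
        return -2;              /* payload would not fit with its NUL */
    if (n > msg_len - 1)
        return -3;              /* message is shorter than it claims */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Runs both parsers on constructed inputs. Returns 1 when the benign
 * message parses identically in both and the hardened parser rejects
 * the oversized and truncated messages the unchecked one would accept. */
int demo(void)
{
    const uint8_t good[] = { 5, 'T', '=', '2', '1', 'C' };   /* constructed */
    const uint8_t trunc[] = { 10, 'a', 'b' };                 /* claims 10, carries 2 */
    uint8_t big[1 + 255];                                     /* claims 255 bytes */
    char buf_unchecked[MAX_PAYLOAD + 1];
    char buf_checked[MAX_PAYLOAD + 1];

    big[0] = 255;
    memset(big + 1, 'A', 255);

    int u = parse_reading_unchecked(good, sizeof good, buf_unchecked);
    int c = parse_reading_checked(good, sizeof good, buf_checked, sizeof buf_checked);
    int c_big = parse_reading_checked(big, sizeof big, buf_checked, sizeof buf_checked);
    int c_trunc = parse_reading_checked(trunc, sizeof trunc, buf_checked, sizeof buf_checked);

    return u == 5 && c == 5
        && strcmp(buf_unchecked, "T=21C") == 0
        && strcmp(buf_checked, "T=21C") == 0
        && c_big == -2 && c_trunc == -3;
}

int main(void)
{
    printf("hardened parser rejects hostile lengths: %s\n",
           demo() ? "yes" : "NO");
    return demo() ? 0 : 1;
}
```

The point of the side-by-side is that both routines behave identically on well-formed traffic, so the defect in the unchecked version never shows up in functional testing; it only matters once a device on the network sends a length byte the firmware author did not anticipate.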
First, not all organizations have the capability to fully test IoT devices. The onus is on the manufacturer to keep them secure. With devices having highly customized firmware, updates are difficult and often tied to the firmware. Therefore, service level agreements on security patching have to undergo strict scrutiny before committing your organization to these devices. If the manufacturer abandons you, you have lost your investment. Second, this also means that there is a need to treat IoT devices the same way we treat personal devices in the enterprise: with caution and away from corporate networks. Deployment of IoT devices necessitates that they are segmented from the corporate network. Additionally, manufacturers need to talk about implementing security by design in all IoT devices, as well as the creation of security standards against which we can measure IoT devices.
We will see others adapting and modifying the technique to bring new threats. That’s really part of what I think has changed in doing cybersecurity. Five to 10 years ago, we had people wanting to make a statement and disrupting services. We had hobbyists doing things to see what they could do, and we had nation-state actors. Today, while they still exist, I think most organizations can defend from the hobbyist and many of the people wanting to make a statement. It’s very hard to protect yourself from a nation state as an individual company. The cybercrime network has matured and developed very quickly. Much like normal companies that are figuring out how to deliver their services at scale using web technologies, the cybercriminals around the world are doing the same thing, and they’ve built a supply chain that’s very effective.
Quote for the day:
"Most people live with pleasant illusions, but leaders must deal with hard realities." -- Orrin Woodward