28.02.2019

2019 is well underway and cybersecurity is once again on the minds of experts and organizations. The good news: this is no longer a distant topic, and companies are now actively working on improving their security. The bad news: the threats keep evolving, posing ever more difficult challenges.

And to top it all off, there’s still a very serious lack of cybersecurity professionals out there. A study by (ISC)² says there’s a global gap of almost 3 million cybersecurity job openings. This means that there’s a severe lack of specialists to work on the security of companies, leaving them a lot more vulnerable to cyberattacks.

And sadly, 43% of the companies don’t offer adequate cybersecurity training for their existing staff. Universities also lag behind in providing up-to-date security degrees.

Emerging threats

And while the corporate world struggles with cybersecurity, hackers seem to enjoy quite a comfortable lead in the race. They still use plenty of their classic tools like DDoS, ransomware, phishing attacks and so on. But they also work hard on new vectors. Some of them have already started taking shape:

Cryptojacking

The rise of cryptocurrencies created a way for people to get digital money simply by allowing their PCs to be part of the blockchain and crunch numbers. Sounds good, but in order to make an actual, decent profit, you need quite the computing power. So, instead of investing thousands and thousands in computers, why not simply use someone else’s PC? Preferably without them knowing, so you don’t have to share?

This is where cryptojacking comes in. It involves infecting computers with malware to use their resources for mining cryptocurrencies. Often this malware is configured to be dormant for most of the time, only fully using the resources when the PC is left alone. Hence, it’s not always easy to spot that you’re a victim, unless you experience odd behavior from your computers.
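As an added illustration (not part of the original article), the idle-time behaviour described above can be turned into a simple detection heuristic: flag processes that are quiet while the user is present and saturate the CPU once the machine is left alone. The telemetry samples, process names and thresholds below are constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry: (minute, seconds_since_last_user_input, process, cpu_percent).
ACTIVE = [(m, 5) for m in range(0, 4)]       # user at the keyboard
IDLE = [(m, 900) for m in range(30, 34)]     # user away for 15 minutes
CPU = {                                      # hypothetical process names
    "browser": ([35, 40, 30, 38], [2, 1, 3, 2]),
    "backup_agent": ([5, 6, 4, 5], [80, 85, 78, 81]),
    "svc_update_helper": ([3, 4, 2, 3], [92, 95, 97, 96]),
}
SAMPLES = [
    (minute, idle_s, proc, cpu)
    for proc, (active_cpu, idle_cpu) in CPU.items()
    for (minute, idle_s), cpu in list(zip(ACTIVE, active_cpu)) + list(zip(IDLE, idle_cpu))
]


def idle_only_heavy_processes(samples, allowlist=(), idle_after_s=300,
                              high_cpu=70.0, low_cpu=15.0, min_samples=3):
    """Return (process, avg_cpu_active, avg_cpu_idle) for processes that stay
    quiet while the user is present and run hot once the machine is idle."""
    buckets = defaultdict(lambda: {"idle": [], "active": []})
    for _minute, idle_s, proc, cpu in samples:
        state = "idle" if idle_s >= idle_after_s else "active"
        buckets[proc][state].append(cpu)

    findings = []
    for proc, b in buckets.items():
        if proc in allowlist:
            continue  # known idle-time jobs (backups, indexing) reviewed earlier
        if len(b["idle"]) < min_samples or len(b["active"]) < min_samples:
            continue  # too little data in one state to compare
        active_avg = sum(b["active"]) / len(b["active"])
        idle_avg = sum(b["idle"]) / len(b["idle"])
        if idle_avg >= high_cpu and active_avg <= low_cpu:
            findings.append((proc, round(active_avg, 1), round(idle_avg, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in idle_only_heavy_processes(SAMPLES, allowlist={"backup_agent"}):
        print("review:", finding)
```

Legitimate idle-time jobs such as backups match the same pattern, so the output is a review list rather than a verdict; the allowlist is where vetted jobs go.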

Mobile malware

These days people get more work done on their mobile devices than ever before. These devices are treasure troves of company and personal data. They are also quite powerful, putting to shame computers from a few years ago. And most people don’t really view them as being as vulnerable as a PC, so they neglect their security.

Then there’s the fact that many manufacturers don’t really put that much effort into keeping their mobile devices updated. They often just stop any and all updates after 12-18 months and the devices are left behind despite still being actively used by thousands, or in some cases millions, of people. All of this makes them a prime target for hackers. And this is why they should be a priority for organizations, as well. Don’t forget about the mobile devices when you work on your cybersecurity strategy.

Cross-site scripting

That’s another point of interest for hackers. They attack vulnerable sites and try to inject code and use it to steal cookies and other identification data. With enough patience and a bit of extra trickery, hackers can even use these attacks to completely hijack a site without needing any credentials for it.

They can also redirect clients and users to copycat sites and use them for phishing as another attack layer. And since there are always a lot of bugs and vulnerabilities in code and platforms, XSS attacks are always possible and shouldn’t be neglected.

Internet of Things

The severe vulnerability of IoT devices is nothing new. Still, many companies neglect it as a risk because they think they aren’t using any IoT devices. One of the reasons is that the IoT is generally described as sensors, home thermostats and so on. In reality, the IoT is pretty much everything, including switches, routers, connected printers, security cameras. Basically any device which has an internet connection is in the IoT.

And companies keep adding a lot more connected devices to their day-to-day operations. As a result, IoT security must always be a priority.

Employees

We end with the same topic we began with. Employees, sadly, are one of the major cybersecurity risks for any organization. Most employees don’t realize they are a risk and a lot of companies underestimate that, too. They think that if Joe doesn’t have access to the admin panel, they don’t need to teach him basic cybersecurity protocols and actions. As a result, Joe becomes an easy phishing target. For experienced hackers, that often is enough to gain access to a lot more than what the company expects.

This is why organizations should proactively include employees on all levels in their cybersecurity strategy. Sadly, all of this won’t make your company 100% safe. Nothing will. But it will make it a much more difficult target for hackers, buying you time to react when you’re under attack.