On average, hackers attack every 29 seconds — that’s 2,244 times every day. And they’re not anywhere close to slowing down. That’s why businesses around the globe need to have a holistic cybersecurity strategy in place.
In 2020, the best thing a business can do is prepare, instead of waiting to respond to a hack, cybersecurity experts maintain. The more a business does before a hacking attempt, the better off it’ll be, if and when that day comes. The last thing corporate leaders want to say about the security of their business is, “could have, would have, should have.”
Businesses shouldn’t assume that they’re only a target if they have intellectual property, said Paul Furtado, senior director analyst for midsize enterprise security at Gartner Inc., a global research and advisory company based in Stamford, Connecticut.
“There’s no IP to making a washer,” he said. “But if you don’t have good cybersecurity, and I can extract customer or employee data, that’s information I can sell on the dark web pretty quickly.”
A full set of personal data — name, address, Social Security number, bank account information and email address — can go for $30 to $100, Furtado said.
There are important cybersecurity trends for businesses to be aware of in 2020. Consider them before you take a closer look at your current IT and cybersecurity strategy.
Ransomware is evolving
As is any business, attackers are looking for their highest return on investment, and the ransomware of 2019 has evolved, said Caleb Freitas, cybersecurity team lead and leader of the incident response team at iV4, an information technology support and consulting firm based in Rochester, N.Y.
New strains are taking full control of networks, stealing company data and compromising the ability of businesses to restore their backups, Freitas said. Some criminal organizations are even threatening to publish the sensitive stolen data to the public internet if the ransom isn’t paid.
These full-scale ransomware attacks make it far less likely that a company can recover critical information without paying the ransom. In addition to the potential costs of ransom and recovery, expanding privacy regulations — such as HIPAA, NY SHIELD, CCPA and GDPR — can result in costly data breach fines, as well, he added.
“A good portion of businesses have paid because it’s easier to restore the system and purge vulnerabilities than to start afresh,” said Idaho-based FBI Special Agent Clark Harshbarger.
Governments, too, are a target as well as businesses, Harshbarger said.
“Ransomware is probably the No. 1 issue in government right now,” said Jeff Weak, chief administrator for the Idaho Office of Information Technology Services.
Because Bitcoin and other cryptocurrency often are used to pay the ransoms, tracing and prosecuting the perpetrators can be difficult, said John Roman, president and chief operating officer of FoxPointe Solutions in New York, an arm of The Bonadio Group that provides cybersecurity and risk-management services.
With the rise of cybersecurity insurance, companies may be more likely to pay a ransom, largely to reduce any downtime the business may face as a result of an attack. Roman, however, does not recommend this approach to companies with which he works.
“They are funding really bad people,” he said.
Fake email, or “phishing,” also is on the rise, as is the more targeted “spear phishing,” Weak said. When agency or business information is available to the public, a hacker can look up the organizational chart and find names to add verisimilitude to the message, he said.
Today’s hackers know how to create an e-mail that may have some familiarity with the person receiving it, Roman said. For example, an e-mail from a large internet retailer around the holidays is something a lot of people would be expecting.
Because people tend to be busy, especially during holiday season, they may open the e-mail and click a link without giving it much thought, and before they know it, their computer has been infected with a virus, he said.
Employees are often the front line of defense against such attacks, and security experts stress the importance of training when it comes to cybersecurity.
For example, Weak teaches staff to look at email headers and hover over names to make sure they resolve to the correct domain and sender.
“Anything that looks out of the ordinary, with urgency, give it a suspicious look and look at it a lot more carefully,” he said.
Phishing attacks are also using artificial intelligence, Furtado said. For example, when people post on social media where they’re going on vacation, AI can find out where they stayed and whom they visited, and create a phishing campaign based on that data, he said.
Cybercriminals thrive on two common weaknesses: The majority of companies don’t fully secure their backups, and they don’t often know where their sensitive data resides.
Backups are the new attack vector for cybercriminals because they are the primary way to counteract a ransomware attack and return the organization to a known good state. Without the ability to recover, the cybercriminals control the attack and your data.
At iV4, Freitas and his colleagues ensure that companies not only have backups in place, but that they are properly secured and regularly tested to ensure that a timely recovery is possible, he said.
Cloud native attacks
“Most people think of hacking as a person accessing a single computer or network. But in 2020, we’re predicting — and starting to see as a trend — cloud native attacks,” said Freitas.
That means if you’re using a cloud service, such as Azure, AWS, Office 365, Dropbox or any other online application, hackers don’t have to be on your network or computer to access and compromise your data.
Instead, they compromise either your login information or cloud misconfigurations, allowing them to damage, delete, copy and hold for ransom data stored in the cloud.
Most commonly, this happens through a social engineering attempt — or false request for credentials. In 2020, IT directors can’t afford to think about only on-premises security. Protecting your data now needs to include every cloud app your company’s users may use, Freitas said.
Traditional on-premises tools, such as firewalls and anti-virus, simply won’t protect a business from these types of attacks, he said.
Instead, companies need to secure online accounts by promoting a single identity across all cloud apps and adopting strategies that eliminate users using cloud apps that are not managed by the IT department.
Business IT and security teams also need to be well versed in securing the configuration of cloud services, such as Azure and AWS, to ensure that a misconfiguration does not leave them vulnerable.
Privacy and industry regulation changes
Various privacy and industry regulation changes are coming, and some are already here. In terms of privacy, New York SHIELD Act security program requirements go into effect this March, and the California Consumer Privacy Act became effective Jan. 1.
For industry regulations, there will be expanded requirements for companies that handle credit card information. Companies that handle sensitive government information will see a cybersecurity certification requirement that’s on the horizon.
In 2020, experts expect to see privacy and industry regulations become even more prominent, meaning they’ll be top of mind for company boards and leadership as well.
“At iV4, we’re working with a variety of companies to continually prepare them for upcoming regulatory changes — but we’re seeing a lot of companies that aren’t ready,” said Freitas. “They serve as a good reminder that it’s important for businesses to keep up with regulation changes, expand compliance and build an overall security program that allows your company to easily comply with and undergo an audit.”
Global view and nation-state attacks
As with cloud native attacks, security experts say they’re expecting more cybersecurity conflicts with other countries in 2020. Because it’s an election year, they expect to see more publicized activity of different nation-states trying to gain information and control of U.S. technology assets.
But not all nation-state sponsored attacks are politically motivated or targeted at elections. More often, these attacks target critical infrastructure, manufacturing industries, municipalities and business of all sizes.
In the past year, the Department of Homeland Security has published multiple bulletins alerting U.S. businesses to increased cyber-attack activities from various nation-state sponsored attackers in Russia, Iran, China and other countries.
What businesses can do
At the end of the day, attackers are becoming more advanced. They’re smarter and faster — and they aren’t the teenagers you see in movies, hacking a system from a laptop in the basement. Today’s hackers are often state-sponsored and financially or politically motivated to target businesses of all sizes, from 10 employees to 10,000. No one is safe, experts warn.
Jeffrey Reinholtz, director of client experience at Innovative Solutions in New York, says certain industries will continue to be more susceptible to cyberattacks in 2020 due to the amount of personal information they deal with on a regular basis. Those industries include health care, manufacturing, financial services, education and government agencies.
So what can your business do to protect itself? Prepare for an attack. The cost of remediation is much higher than the cost of protection, experts said.
“The single biggest thing companies can do to protect themselves is enable two-factor authentication,” said Harshbarger, referring to the process of using a second authentication method such as a text, email or a phone call in addition to a password.
“It’s less convenient, but you’re almost 100 percent less susceptible to email-based attacks because you can validate that you are the owner of the account,” he said.
The most common example of two-factor authentication is using a bank card and pin number at an automated teller machine. Another example could be a password and a one-time verification code sent to a person’s cell phone.
Davis also suggested requiring stronger passwords — the longer, the better. Guidelines showing a series of simple, familiar phrases often are better than having to create passwords with a mix of letters, symbols and numbers, which can be harder for the user to keep straight.
Experts also advise companies to use advanced threat-protection software, which can prevent, detect and respond to new and sophisticated attacks designed to circumvent traditional security solutions, such as antivirus software and firewalls.
They also advocate for the use of security-information and event-management software, which provides real-time analysis of security alerts generated by applications and network hardware.