You only need to know everything.
Phishing threats, VPN capacities, hardware inventories, onboarding employees, offloading systems, malware scans, content management system upgrades, webinar troubleshooting – it’s a lot in a normal year, much less one where workforces moved to Work From Home (WFH) in the span of a few weeks.
You put your organization on your back, and you got a lot done in an hour of crisis. You should be proud. Unfortunately, that probably means you didn’t have a lot of time to read up on IT security in 2020. But that’s OK. We’ve compiled some of the top security trends and stories from the past year, along with thoughts on what might come next.
The coronavirus (COVID-19) pandemic introduced new vulnerabilities during the quick WFH transition. The scale of the increase, however, remains staggering: according to new findings from cloud security solutions provider Barracuda, email attacks went up 667% during the early stages of the pandemic.
From January to April, some 907,000 spam messages, 737 malware incidents and 48,000 malicious URLs were detected by Interpol’s private sector partners — all related to the coronavirus.
The pandemic was ideal fodder for phishing attacks in large part because of the novelty of the situation. It introduced confusion and disrupted routines. It would be easy for someone to be tricked into opening an email that looks like Centers for Disease Control (CDC) guidance, for example, because the circumstances are unprecedented, and the proper course of action isn’t immediately obvious to all employees.
For small businesses, the threat is particularly pronounced. Small business owners who can’t afford to work with a dedicated IT security professional should look into an affordable Cyber Security Solution.
Phishing, vishing and smishing attacks will continue to evolve, and it’s safe to say that bad actors will always use current events as a springboard for launching them. As coronavirus vaccines roll out, false vaccination information, probably posed as coming from your organization, is likely to be proliferated. But the specifics of the eventual form these attacks take are less important than their cause.
47% of employees cited distraction as the main reason they fell for a phishing scam while working from home. Emphasize to your team members the importance of paying close attention to what they’re doing while online or using email.
As shifting WFH scenarios play out in various industries, the distractions that lead to successful phishing attempts will always be present. With vishing and smishing attacks targeting employees via phone calls and text messages, respectively, the attempts will only increase in number. It’s how your team members respond to them that will define your organization’s success on this front.
Even as teams gradually return to the office, new fronts will open in the war against phishing. It’s worth considering the possibility of a disconnection between employees who return to the office and those who continue working remotely. Workforces may return to the office in a staggered manner, and at-risk groups may stay remote on an ongoing basis. That leads to unique vulnerabilities. Consider the following scenario:
Employee A returns to work at the office. They work directly with employee B, who continues to work remotely. A cybercriminal, impersonating Employee A, asks employee B for credentials, stating that they’ve run into technical issues after returning to the office, or that they left a device at home. The reverse scenario, with a phisher impersonating a remote employee in need of assistance, is also conceivable.
There is even the possibility that cybercriminals may send emails asking employees to provide credentials as part of a “re-onboarding” to the physical office space. Make sure your team understands your actual procedures so that they won’t be taken in by fake ones.
Internet of Things (IoT) Security
The definition of the Internet of Things has evolved to include a wide variety of devices and connected objects across a range of applications and industries. The explosion of IoT-connected technology has created massive vulnerabilities. How extensive? Try 98% unencrypted traffic across all IoT devices.
Additionally, more than half of all IoT devices are vulnerable to medium- or high-severity attacks. That leaves organizations in all kinds of industries exposed to cyberthreats.
What do these threats look like? Malware, human error and DDoS attacks are the most common, and the risk of these occurrences is no longer theoretical. Eighty percent of healthcare organizations using IoT devices have suffered an IoT-related security breach, a particularly unnerving statistic when considering the essential role those devices play in providing health services and the highly sensitive information processed by these organizations.
With the current gaping holes in IoT security, one thing is clear: there is a massive opportunity for improvement, and it will take many forms. From AI-powered security solutions to new forms of authentication, securing IoT infrastructure will be a top priority for all types of organizations in 2021.
Part of the problem is that manufacturers are creating and releasing new IoT devices faster than security professionals and organizations can develop and implement security protocols. As an IT professional, you should make clear to your organization that they need to run IoT-connected devices by you and your team before making purchasing decisions.
Unless you can control the types of devices purchased and gain a complete understanding of the type and number of IoT devices used by your organization, you won’t be able to secure them.
Change on that front has to start with organizational leadership committing to better IoT hygiene. Legislation enforcing that type of decision-making, or, indeed, actively regulating the production of IoT devices to ensure they adhere to standardized security protocols, will likely come at some point. Still, cybercriminals aren’t waiting for the green light from the government to make moves, and neither should you. Get proactive about IoT security by emphasizing its criticality to leadership. A complete review of your IoT infrastructure is likely a good first step.
In addressing IoT security concerns, don’t miss the forest for the trees. Ensuring IoT devices are secure won’t help you organization much if your website isn’t protected against malware.
To make a comparison across industries, password-related problems are to IT security what tire blowouts are to automotive mechanics: a largely preventable issue that could be avoided with proper care and maintenance, which continues to be a problem in spite of all the good advice in the world.
“I didn’t change my password in time.”
“I went on vacation and forgot my password.”
“I entered the wrong password too many times, and now I’m locked out of my computer.”
You’ve heard all this and more. And as long as you continue to use password-based authentication, you’ll have employees rolling into the shop with similar blowouts.
There are also security issues associated with passwords, largely because many employees use very similar passwords in a sort of system to make them easier to remember. That means that if a bad actor learns one of their passwords, they have a good chance of figuring out the others, especially if the only difference is a progressing series of numbers at the end of the password.
Passwordless authentication is increasingly popular among IT security teams, and it can take a variety of forms. Device fingerprinting, which involves an internal media access control address or another number stored in a device’s digital firmware configuration, is one such option. Biometric authentication, such as requiring a user’s fingerprints or using facial recognition technology, is another.
What’s the right option? The one that you are most confident in implementing effectively and that the largest percentage of your organization is comfortable with. Change can be difficult, and biometric authentication can prove controversial. Couching the proposed changes in terms of making everyone safer from security intrusions and protecting the organization’s bottom line could help. And bringing up previous breaches and security issues related to password-based authentication will reinforce the need for change among decision-makers.
If you’re looking to switch over to passwordless authentication in 2021, a transition back to a physical office space could be the ideal opportunity. While it might be difficult to manage both the transition itself and the authentication switchover, it could be less jarring and disruptive for employees to do everything at once. Think of it as an opportunity to lay a foundation for continuity going forward.
The idea of not using traditional passwords may seem strange to employees at first. However, passwordless authentication is like going to continue to increase in popularity and improve in terms of accessibility and ease-of-use, so it makes sense to at least begin researching new authentication options now, if only to stay ahead of the curve.
Explore More of the Latest IT Security Trends
In the world of IT security, learning never stops. To remain static is to fall behind, and keeping up with the latest industry trends will help you perform better in your role every day.
With that in mind, are you caught up on cloud access security brokers? What about avoiding ransomware exposure? Have you looked into network printer best practices? Are you familiar with the ins and outs of vulnerability management? And did you learn how to harden your WordPress installation yet?
Better grab a coffee. You only need to know everything.