In the post-Vault7 world, there has been an interesting shift in the cybersecurity landscape. At one time, well-funded, government-backed nation-state threat actors were the only ones capable of carrying out sophisticated cyberattacks. But now, these hacking techniques have trickled down to your average cybercriminal, equipping them with the power to take down enterprise networks, steal data and disrupt supply chains.
Take the WannaCry ransomware attack for example. WikiLeaks leaked a nation-state exploit, and, despite Microsoft releasing a patch shortly thereafter, attackers were able to successfully launch a global, large scale attack.
You might be asking, “How did this happen?” In short, the internet is a big place. Phishing and ransomware kits are for sale on the dark web for dirt cheap -- $100 - $300 a pop. The payout is well worth the cost, incentivizing hackers to spend more on advanced cyberattack kits. And thanks to WikiLeaks, plenty of government hacking tools are readily available online, further propagating the availability of advanced, nation-state cyber-weaponry to the masses.
According to recent research, the average individual data breach cost to organizations is $3.86 million, and the monetary loss as a result of cybersecurity-related incidents are expected to cost companies $6 trillion by 2021. It’s clear that action needs to be taken. So, what can organizations do to protect themselves from cybercriminals equipped with sophisticated, nation-state level tools?
Patch often, scan for vulnerabilities frequently. At the bare minimum, organizations must patch their systems, networks and software. Plenty of businesses and consumers don’t patch because of the idea that updating software introduces software flaws. Why this might be true, the reality is patching rids the software of bugs that hackers may have uncovered ways to exploit, forcing them to find new ways to infiltrate. Going back to the WannaCry example, the patch for the vulnerability that allowed the WannaCry virus to worm its way through networks was available months prior to the global attack. To this day, people still fall victim to the ransomware because nearly two years later, they still have not patched.
Secure your first line of defense. Your staff is your first line of cybersecurity defense. To protect them from malicious activity, your cybersecurity strategy should include processes and controls to monitor behavior and activity, and it should provide early warning and detection of abuse and theft of what matters most to us and cybercriminals: data. Enterprises should take it upon themselves to train their staff, create a culture of cybersecurity and put in layers of protection to defend themselves in case or more commonly when, an employee gets taken advantage of.
Database security: Don’t make rookie mistakes. What we've seen — and continue to see — is companies are accelerating their use of technologies more than they're enabling their teams or hiring specifically skilled people. The latest stream of data exposure news from Rubrik to Gearbest, highlights how modern data repositories, such as Elasticsearch, have created a fundamental conflict in businesses. The use of modern data repositories provides a lot of value from cost savings to business intelligence, to businesses. And yet they also introduce complexities and new skill requirements, leading organizations to accidentally misconfiguring their systems or leaving them blatantly unprotected by not even protecting with a password. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen.
Secure all your data, no matter where it lives, not just the high priority data. Security professionals should consider that their highest priority data may not be the most valuable target for cybercriminals. An e-commerce company might consider credit cards as their most critical asset, but a cybercriminal might consider the purchase history of customers and contact information more valuable. Security professionals must take a step back from their organization and realize that they need to secure more than just regulated data.
To avoid being in the next data exposure headline, organizations must prioritize security. This starts by finding and securing all relevant data and frequently patching software. From there, organizations must do their best to mitigate the risk posed by human error by ensuring that systems are not misconfigured and passwords are both utilized and secured. Incorporating security training into the overall security strategy gives organizations an added line of defense.
There is no “end all be all” for defending yourself from cybercriminals — but with a strong security posture and the right tools in place, organizations will be better equipped to avoid falling victim to even the most sophisticated threats.
Terry Ray title recently changed to SVP and Imperva Fellow