Nasty new ransomware tactics. SIMjacking. Increased attacks on government and healthcare organizations.
Welcome to 2020 — a year that’s expected to be ripe with threats to enterprise resilience. Sungard AS’ Senior Manager of Security Consulting Asher de Metz shared his predictions for the top cybersecurity and operational resilience challenges this year, with suggestions for how organizations can reduce the risks.
The current cybersecurity workforce consists of 2.8 million people worldwide. But an additional 4.07 million professionals are needed to close the cybersecurity skills gap, and 65% of organizations report a shortage of security talent.
Simply put, there aren’t nearly enough skilled people to fill all the cybersecurity jobs. And a lack of cybersecurity skills makes companies more vulnerable to threats, de Metz says.
“I visited a client recently, set up my laptop, and within five minutes, I was able to hack into their system,” he explains. “I see this with a lot of clients. They’re too easy to hack, often because they don’t have the cybersecurity skills they need.”
Government is the sector that criminal hackers target the most, followed by healthcare. In 2020, we can expect rising attacks against organizations in both sectors, says de Metz.
Compared to for-profit organizations, government entities typically have smaller budgets and fewer workers skilled in cybersecurity, de Metz notes. At the same time, cities and municipalities have numerous operations that are essential to their citizens, which makes them attractive targets. Last year’s ransomware attacks on Baltimore, Maryland, Pensacola, Florida, and 22 cities across Texas (all at the same time) are but a few examples of the disturbing trend.
In 2020, we’ll also see a growing number of cyberattacks on healthcare organizations.
Relying heavily on confidential information and as more healthcare organizations move toward digitalization and data sharing, the number of potential attack vectors will increase. About 39% of healthcare organizations were hit daily or weekly by hackers last year, research shows. And one study finds that ransomware attacks on healthcare organizations will quadruple from 2017 to 2021.
Speaking of the devil: Last year was full of ransomware horror stories, with the city of Baltimore hit particularly hard. In 2020, ransomware will continue to be a big challenge for organizations — even though more than 90% of attacks are preventable, according to Gartner. And ransomware will continue to evolve, with criminal hackers releasing a company’s sensitive data to its competitors, among other tactics.
“We’re seeing threat actors telling organizations they must pay them to get their data back — or else they’ll release the data on the dark web, give it to a competitor or even send it to a regulatory body, which may expose a company’s leaders to charges of malfeasance,” de Metz explains.
For example, the creators of the Maze ransomware don’t simply demand a ransom from victims — they also threaten to display stolen files on the dark web exfiltrated from their victims’ hacked servers. The Maze perpetrators gained notoriety in late 2019 when they posted data supposedly stolen from the city of Pensacola, Fla., in an effort to pressure the city to pay a ransom.
Two-factor authentication has largely relied upon verifying identities with user passcodes (the first factor) and mobile phone numbers (the second factor). But leave it to bad actors to spoil this party, too — with SIMjacking, also known as SIM card hijacking or SIM swapping.
In a SIMjacking, a criminal convinces a wireless carrier to switch a victim’s phone number to a SIM card the hacker controls. With a successful SIMjacking, criminals can hit pay dirt, given the large amount of personal information often stored on smartphones. The practice received a lot of attention in 2019 when Twitter CEO Jack Dorsey was hacked via SIMjacking.
“Just a few years ago, most people felt that two-factor authentication was pretty secure,” de Metz says. “But with SIMjacking, a lot of organizations realize that using a mobile phone as a way to authenticate, while easy and inexpensive to implement, may no longer be secure enough.”
Biometrics, such as facial recognition scanning, have become another popular form of authentication. But it’s not bulletproof. Google’s Pixel 4 smartphone comes with facial recognition that unlocks the phone even if the user’s eyes are closed, which means someone could potentially access your smartphone’s data while you’re asleep.
“As technology evolves and we think we’ve found new solutions to problems, new problems we hadn’t thought of before are created,” de Metz says.
Internet of Things (IoT) endpoints will continue to take on more complex chores for organizations in delivery vehicles, drones, smart city infrastructure, and more. But the development and release of IoT products is moving faster than the security innovations needed to protect them. As a result, in 2020 and beyond, IoT sensors will provide a larger attack surface that will be relatively easy to hack and give bad actors more power to cause serious damage.
“Imagine what can happen if someone hijacks a connected vehicle while it’s on the road,” de Metz says. It’s a real possibility: A recent report from nonprofit group Consumer Watchdog found that all the major 2020 cars in the U.S. feature internet-connected safety systems that leave the cars vulnerable to fleet-wide attacks.
Organizations should also consider deploying multifactor authentication tools, such as the Ping Identity platform that Sungard AS uses, which can make identity verification easy but more secure than two-factor authentication methods that use smartphones.
But such insurance comes with plenty of loopholes. For example, an attack on your organization from a country hostile to the U.S. may be considered a warlike action, which is often excluded from coverage. Also, such insurance often doesn’t help offset losses from brand damage or the impact from the release of proprietary information.
If you want more specific advice on how your particular organization can harden its defenses against these threats and reduce risk, our Information Security Consulting team can help.
James A. Martin has written about security and other technology topics for CSO, CIO, Computerworld, PC World, and others.