By James A. Martin
Nasty new ransomware tactics. SIMjacking. Increased attacks on government and healthcare organizations.
Welcome to 2020 — a year that’s expected to be ripe with threats to enterprise resilience. Sungard AS’ Senior Manager of Security Consulting Asher de Metz shared his predictions for the top cybersecurity and operational resilience challenges this year, with suggestions for how organizations can reduce the risks.
The cybersecurity skills gap will grow
The current cybersecurity workforce consists of 2.8 million people worldwide. But an additional 4.07 million professionals are needed to close the cybersecurity skills gap, and 65% of organizations report a shortage of security talent.
Simply put, there aren’t nearly enough skilled people to fill all the cybersecurity jobs. And a lack of cybersecurity skills makes companies more vulnerable to threats, de Metz says.
“I visited a client recently, set up my laptop, and within five minutes, I was able to hack into their system,” he explains. “I see this with a lot of clients. They’re too easy to hack, often because they don’t have the cybersecurity skills they need.”
Hackers increasingly target government and healthcare
Government is the sector that criminal hackers target the most, followed by healthcare. In 2020, we can expect rising attacks against organizations in both sectors, says de Metz.
Compared to for-profit organizations, government entities typically have smaller budgets and fewer workers skilled in cybersecurity, de Metz notes. At the same time, cities and municipalities have numerous operations that are essential to their citizens, which makes them attractive targets. Last year’s ransomware attacks on Baltimore, Maryland, Pensacola, Florida, and 22 cities across Texas (all at the same time) are but a few examples of the disturbing trend.
In 2020, we’ll also see a growing number of cyberattacks on healthcare organizations.
Healthcare organizations rely heavily on confidential information, and as more of them move toward digitalization and data sharing, the number of potential attack vectors will increase. About 39% of healthcare organizations were hit daily or weekly by hackers last year, research shows. And one study finds that ransomware attacks on healthcare organizations will quadruple from 2017 to 2021.
Ransomware will get nastier
Speaking of the devil: Last year was full of ransomware horror stories, with the city of Baltimore hit particularly hard. In 2020, ransomware will continue to be a big challenge for organizations — even though more than 90% of attacks are preventable, according to Gartner. And ransomware will continue to evolve, with criminal hackers releasing a company’s sensitive data to its competitors, among other tactics.
“We’re seeing threat actors telling organizations they must pay them to get their data back — or else they’ll release the data on the dark web, give it to a competitor or even send it to a regulatory body, which may expose a company’s leaders to charges of malfeasance,” de Metz explains.
For example, the creators of the Maze ransomware don’t simply demand a ransom from victims — they also threaten to publish on the dark web the files they exfiltrated from their victims’ hacked servers. The Maze perpetrators gained notoriety in late 2019 when they posted data supposedly stolen from the city of Pensacola, Fla., in an effort to pressure the city to pay a ransom.
Two-factor authentication to be less secure
Two-factor authentication has largely relied upon verifying identities with user passcodes (the first factor) and mobile phone numbers (the second factor). But leave it to bad actors to spoil this party, too — with SIMjacking, also known as SIM card hijacking or SIM swapping.
In a SIMjacking, a criminal convinces a wireless carrier to switch a victim’s phone number to a SIM card the hacker controls. With a successful SIMjacking, criminals can hit pay dirt, given the large amount of personal information often stored on smartphones. The practice received a lot of attention in 2019 when Twitter CEO Jack Dorsey was hacked via SIMjacking.
“Just a few years ago, most people felt that two-factor authentication was pretty secure,” de Metz says. “But with SIMjacking, a lot of organizations realize that using a mobile phone as a way to authenticate, while easy and inexpensive to implement, may no longer be secure enough.”
Biometrics, such as facial recognition scanning, have become another popular form of authentication. But it’s not bulletproof. Google’s Pixel 4 smartphone comes with facial recognition that unlocks the phone even if the user’s eyes are closed, which means someone could potentially access your smartphone’s data while you’re asleep.
“As technology evolves and we think we’ve found new solutions to problems, new problems we hadn’t thought of before are created,” de Metz says.
IoT devices will be hacked
Internet of Things (IoT) endpoints will continue to take on more complex chores for organizations in delivery vehicles, drones, smart city infrastructure, and more. But the development and release of IoT products is moving faster than the security innovations needed to protect them. As a result, in 2020 and beyond, IoT sensors will provide a larger attack surface that will be relatively easy to hack and give bad actors more power to cause serious damage.
“Imagine what can happen if someone hijacks a connected vehicle while it’s on the road,” de Metz says. It’s a real possibility: A recent report from nonprofit group Consumer Watchdog found that all the major 2020 cars in the U.S. feature internet-connected safety systems that leave the cars vulnerable to fleet-wide attacks.
How to reduce the risks to your organization’s resilience
- Take care of the basics. Too often, organizations aren’t willing to invest the appropriate amount of financial and human resources into fundamental security controls, such as multifactor authentication. As a result, they can be more easily exposed to data breaches — not to mention huge regulatory fines in the era of GDPR and the new California data privacy law, says de Metz.
- Train employees but don’t give them too much power. “Set up multifactor authentication for employees and train them in basic security, but don’t rely on them to always know what to do,” de Metz advises. “And don’t give too much power to the IT staff. They make mistakes too, so it’s not a good idea to give every IT person administrative privileges for every single user account.”
Organizations should also consider deploying multifactor authentication tools, such as the Ping Identity platform that Sungard AS uses, which can make identity verification easy but more secure than two-factor authentication methods that use smartphones.
- Don’t assume insurance will cover your losses. In some cases, organizations don’t spend adequately on cybersecurity because they believe cyber-risk insurance has them covered, de Metz says.
But such insurance comes with plenty of loopholes. For example, an attack on your organization from a country hostile to the U.S. may be considered a warlike action, which is often excluded from coverage. Also, such insurance often doesn’t help offset losses from brand damage or the impact from the release of proprietary information.
- Never use default credentials when setting up routers, IoT devices, or other equipment, as they’ll be too easy to hack, de Metz advises. And always make sure firmware is up to date, even though updating can mean downtime for the device.
- Make security skills a board issue. Business and tech leaders must make the lack of in-house cybersecurity skills a “board issue,” de Metz says. “Change doesn’t often happen unless you get the board of directors to care about it. Bring up the issue at quarterly board meetings. Provide metrics around cybersecurity that show the organization’s needs and vulnerabilities.”
- Get outside help if needed. If hiring cybersecurity professionals isn’t a viable option because of the expense or the highly competitive talent market, consider plugging the skills gap with help from solutions providers and partners, de Metz says.
If you want more specific advice on how your particular organization can harden its defenses against these threats and reduce risk, our Information Security Consulting team can help.
James A. Martin has written about security and other technology topics for CSO, CIO, Computerworld, PC World, and others.