The Top 10 Cybersecurity Threats Your Organization Should Address Right Now
As we continue to operate in a remote and technology-driven world, organizations are increasingly more likely to become victims of cybercrimes. Decreasing this risk starts with awareness. Knowing the biggest threats means you can put protections in place to reduce the chance of your organization becoming a target. Below are the top 10 cybersecurity threats right now.
1. SOCIAL ENGINEERING:
Social engineering is a hacking tactic that tricks users into giving away sensitive information or making security mistakes. It’s considered one of the most dangerous threats because it relies on human error rather than hacking a security system. These threats can come in the form of email impersonation and phishing.
2. THIRD-PARTY EXPOSURE:
A third-party exposure attack is when a cybercriminal hacks a less-protected network that belongs to a third party (independent contractor) with access to a company’s IT environment. As companies continue to work with and expand their network of independent contractors with access to critical systems, the threat of these attacks will grow.
3. CONFIGURATION MISTAKES:
Just like every other company function, IT departments are trying to do more with less due to their inability to fill critical positions. As more responsibilities are placed on fewer IT professionals, it is inevitable that human errors could occur, leaving your organization vulnerable to exploitation. Establish a system of checks and balances and decentralize software installation, configuration and testing responsibilities.
4. POOR CYBER HYGIENE:
Cyber hygiene refers to the regular control habits we all have concerning technology use. Examples of good cyber hygiene practices include using multi-factor authentication, only using protected Wi-Fi networks and routinely changing your passwords. Unfortunately, not many people practice good cyber hygiene. Only 34 percent of Americans say they change their passwords regularly and only 46 percent of IT professionals require two-factor authentication for company accounts. These bad habits make organizations vulnerable to attacks, especially in a remote work environment.
5. CLOUD VULNERABILITIES:
As businesses continue to outsource more services to third-party or cloud providers, risk continues to grow. In the last five years, cloud vulnerabilities have increased by 150 percent. As we continue to rely on cloud technologies for a remote workforce, ensuring selected service providers are proactively protecting systems will be a top priority for IT professionals.
6. MOBILE DEVICE VULNERABILITIES:
As more mobile devices are granted access to company data through phones and tablets, cybercriminals increase their attempts to breach these access points. Hackers are starting to target Mobile Device Management systems, which are connected to the entire mobile device network and allow them to potentially target every employee at the same time.
7. INTERNET OF THINGS:
Around 70 percent of American households have at least one smart device. Since the pandemic caused more people to work from home, attacks on these devices have increased. Between January and June 2021, there were over 1.5 million smart device breaches. Smart devices are incredibly vulnerable to hackers since the average person does not implement complex passwords on them. This area of cyber risk will continue to grow as more consumers incorporate smart devices into their homes and everyday lives
8. RANSOMWARE:
Ransomware attacks are nothing new, but have become increasingly expensive. The average cost of these attacks for 2021 was $1.4 million. There are now Ransomeware-as-a-Service (RaaS) subscriptions, enabling less skilled hackers to orchestrate attacks using pre-developed ransomware tools. These services make ransomware attacks cheaper and easier for cybercriminals to execute, increasing the likelihood and frequency.
9. POOR DATA MANAGEMENT:
New data is created every day and the majority of companies haven’t established classification standards to know what type of data is being collected and where it is being stored. Keeping unnecessary data makes your organization vulnerable to attacks. Some organizations will turn to automated programs to sort their data, but without proper classification standards and reinforcement, the data remains at risk.
10. INADEQUATE POST-ATTACK PROCEDURES:
After companies have been the target of a cybersecurity attack, have they learned the hard lessons and remediated their vulnerabilities? It is only through proper root cause analysis and control reinforcement that companies can be better prepared and reduce the likelihood of a similar attack in the future.
Cybersecurity is a topic that will continue to be relevant as the use of technology grows and hackers continue to get smarter. RKL’s team of information systems experts has decades of experience conducting cybersecurity assessments and helping protect organizations against threats. Contact your RKL advisor or use the form below to learn more or discuss your needs.
Contributed by Michael T. McAllister, CPA.CITP, CISA, Leader of RKL’s IS Assurance Practice. Michael serves clients in a variety of industries through information technology internal audits; IT governance, revaluation and design; and QA/IV&V (Quality Assurance, Independent Verification and Validation) engagements. In addition, Michael provides SOC services for various types of entities, ranging from national service bureaus, financial institutional support entities and data hosting services.