Digital security is a constantly evolving business practice in today’s technology-based world, and there’s always something more to learn. We recently asked some industry leaders in the IT and technology field to answer this question:
In your opinion, what’s the one largest threat to data security for businesses?
Here are some of the responses we received:
Michael Sentonas, VP and Global Chief Technology Officer at Security Connected for McAfee
Among the top predictions is an expected increase of attacks on Internet of Things (IoT) devices as we move our lives to the cloud, more impactful ransomware attacks on mobile platforms, and a balanced public debate on data retention and privacy as the government struggles to define ‘fair and authorised’ access to personal information.
The top 5 security issues predicted to take precedence in Australia in 2015 are as follows:
- Attacks on Internet of Things (IoT) devices – Increasing proliferation of IoT devices in environments such as health care could provide malicious parties access to personal data even more valuable than credit card data.
- Data privacy will remain under attack as governments and businesses continue to grapple with defining what is “fair and authorised” access to personal information.
- Ransomware targeting mobile devices is on the rise as phones and tablets hosting personal data make for attractive targets to malware authors – including examples of recent threats from cyber-criminals masquerading as legitimate and trusted Australian companies.
- Mobile device threats are expected to grow rapidly as new mobile technology expands the attack surface and little is done to stop app-store abuse.
- Point of sale (POS) attacks will remain lucrative, and a significant upturn in consumer adoption of digital payment systems on mobile devices will see cyber-criminals looking to exploit the new attack surfaces.
Luke Percy-Dove, Independent Security Consultant and Counter-Terrorism Security Advisor with Matryx Consulting
The greatest risk to business from a digital security perspective is undoubtedly accidental loss. While instances of hacking and the like get all the attention, in reality business is far more likely to be exposed to accidental loss over anything else.
Accidental loss can be attributed to a range of scenarios, but ultimately it will be a result of poor planning and a lack of systems and processes.
Gary Gardiner, ANZ Director of Engineering, Fortinet
Fortinet’s 2014 survey of Australian CIOs showed that 88% of CIOs and IT decision-makers (ITDMs) considered that the increasing frequency and complexity of threats, as well as the new demands of emerging technology like the Internet of Things (IoT) and biometrics, pose the biggest challenge to ITDMs in keeping their organisations secure.
The rising volume and complexity of advanced persistent threats (APT), DDoS attacks and other cyber threats, and the demands of emerging technology trends like the Internet of Things and biometrics, are the most prevalent drivers making ITDMs’ jobs more challenging.
Of course, there is a challenge in balancing the pressures of the boardroom with limited resources while still working on new business initiatives. 53% of all ITDMs surveyed have slowed down or cancelled a new application, service, or other initiative because of cyber-security fears. The figure is 63% among those reporting a very high level of boardroom pressure and scrutiny around IT security. Mobility-related applications and strategies are the biggest sticking points, with cloud also scoring high.
Lachlan Jarvis, Investigator
From companies the size of Apple to small entities employing only a secretary, every business in operation today is exposed to the same main internal data security risk – lack of preparedness.
That most business people are reactive and not proactive when it comes to risk is a trite observation, but the extent of this kind of deficiency in the data sphere leaves informed observers bewildered. There is either a real lack of awareness of the problems that can arise, or an unwillingness to spend time reverse-engineering these issues and determining how they can be prevented.
Employers are stuck in a laissez-faire 20th century mindset towards employees, whereas they should be taking active steps to ensure they are ready to respond forcefully at the drop of a hat when a data breach occurs. A failure to do so can potentially be catastrophic.
Graham Pearson, Vice President of Okta, APAC
I believe the single biggest digital security threat to be, if not managed adequately, enterprise mobility. The BYOD trend is seeing enterprises enable employees to access workplace applications from their personal devices, and this presents security concerns because, in the event that the employee’s device is lost or stolen, or they leave the company and their access isn’t revoked, the privacy of the business information is compromised.
For this reason, companies such as Okta are developing specific Mobility Management solutions to ensure the privacy of business information is secured.
Matt Miller, Director – Field Systems Engineering A/NZ at F5 Networks
DDoS attacks are increasing in scale and complexity, threatening to overwhelm the internal resources of businesses around the world, and show no sign of abating. DDoS attacks are an IT professional’s nightmare – they can knock out applications that generate revenue and facilitate communications or, even more fundamentally, take down entire networks.
In 2015, we can expect to see more politically and financially motivated cyber attacks take place in a targeted approach. This means that hackers are going to be more particular about the intellectual property their victims have to offer, and they will not differentiate between government organisations or multinational corporations.
The entire realm of cyber terrorism will expand to include government bodies, enterprises, and even down to individuals. With the level and complexity of these attacks, no individual or organisation is safe from a cyber threat due in part to the way we work and play.
Moreover, a hacker’s target audience will evolve to include individuals due to how readily information is available. High-net-worth individuals can be easily identified through a vista of social media channels that allow hackers to ascertain certain online patterns and the cyber behaviours of these individuals.
Such attacks have moved up the network stack over time, climbing from network attacks in the 1990s to session attacks and application layer attacks today. Now, application attacks at layer 7 represent approximately half of all attacks. We’re also seeing attacks go even further, into business logic, which often exists as a layer above the OSI model.
So how do we protect our business, applications, and content, and keep them running in the face of attacks?
Start taking your IT security very seriously. If you haven’t already adopted a multi-layered approach to security, then you should definitely implement a defence-in-depth strategy. Your IT department needs to ensure that they are providing the necessary network-level protection mechanisms, monitoring, email filtering, Security Information and Event Management (SIEM) and awareness training. Most importantly, start budgeting for next financial year. Funding should be set aside in budgets for Penetration Testing to be undertaken (annually at a minimum) and for staff awareness training. Penetration Testing is the most effective way of testing the security of a network and the impact of awareness training.