Organisations are being overrun with vulnerabilities. To give an idea of how rapidly the problem is growing: roughly 6,000 new vulnerabilities were identified in 2016, 15,500 in 2017 and, so far, more than 16,000 in 2018.
This growth is partly because Internet-connected devices and applications are far more widespread than they were a few years ago. But it’s not simply a case of ‘more networks means more vulnerabilities’, according to ENISA (the European Union Agency for Network and Information Security).
Rather, the sheer volume of network-connected devices has made it more expensive and time-consuming for software designers to migrate to newer system architectures. Most of the time, organisations decide that upgrading isn’t worth the cost, so designers are left maintaining outdated systems that contain known, unpatched vulnerabilities.
Getting ahead of the game
Until organisations overhaul their approach to network design, the vulnerability problem will only get worse. Key to getting ahead of it is recognising emerging trends before they reach your network.
Here are some of the biggest trends that you need to look out for:
1. The IoT
The IoT (Internet of Things) embeds Internet connectivity into everyday objects. The technology has existed for about a decade but has only been widely used for a few years. As such, IoT products are still riddled with vulnerabilities:
- Authentication mechanisms are often flawed, and many users never change the default credentials or switch on the security features the device does provide.
- Data is often sent in cleartext (unencrypted), so anyone who can observe the traffic can read it.
- IoT devices often come with mobile and Cloud interfaces, each of which is an additional entry point for attackers.
- It is difficult to know when an IoT device needs to be patched: many have no update mechanism and give no indication that a fix exists.
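The first two weaknesses above can be checked for directly on the network. The following is an added example, not code from the original article: a small Python scanner that runs over a constructed sample of captured HTTP requests (the hostnames, requests and the short default-credential list are all invented for illustration), flags unencrypted transport, decodes any credentials it finds in Basic-auth headers or login forms, and reports whether they match a known factory default. Treating port 443 as TLS is a simplification for the sample; a real scanner would inspect the handshake.

```python
"""Scan captured IoT traffic for cleartext transport and exposed or default credentials.

Added example, not code from the original article. The captured requests,
hostnames and default-credential list below are constructed for illustration.
"""
import base64
import re
from urllib.parse import parse_qs

# Constructed sample of requests as a sniffer on the local network might see them:
# (transport, raw request as text). The TLS entry is opaque ciphertext, as it should be.
CAPTURED_REQUESTS = [
    ("tcp/80", "GET /status HTTP/1.1\r\nHost: camera.lan\r\n"
               "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    ("tcp/80", "POST /login HTTP/1.1\r\nHost: thermostat.lan\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "user=root&pass=123456"),
    ("tcp/443", "<TLS application data from bulb.lan, contents not readable>"),
    ("tcp/80", "GET /firmware/version HTTP/1.1\r\nHost: bulb.lan\r\n\r\n"),
]

# Hypothetical factory defaults to flag (constructed; a real check would use a
# maintained list covering the device models in your estate).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "123456"), ("admin", "1234")}

USER_FIELDS = ("user", "username", "login")
PASS_FIELDS = ("pass", "password", "pwd")


def extract_credentials(raw):
    """Return (username, password) pairs visible in a cleartext HTTP request."""
    found = []
    match = re.search(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", raw)
    if match:
        try:
            user, _, password = base64.b64decode(match.group(1)).decode().partition(":")
            found.append((user, password))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header: nothing readable to report
    head, _, body = raw.partition("\r\n\r\n")
    if "application/x-www-form-urlencoded" in head and body:
        form = parse_qs(body)
        user = next((form[k][0] for k in USER_FIELDS if k in form), None)
        password = next((form[k][0] for k in PASS_FIELDS if k in form), None)
        if user is not None and password is not None:
            found.append((user, password))
    return found


def audit(captured):
    """One finding per request: cleartext transport, exposed and default credentials."""
    findings = []
    for transport, raw in captured:
        port = int(transport.split("/")[1])
        host_match = re.search(r"Host:\s*(\S+)", raw)
        host = host_match.group(1) if host_match else "unknown"
        if port == 443:  # assumed TLS for this sample; the payload is unreadable anyway
            findings.append({"host": host, "issues": []})
            continue
        issues = ["cleartext transport"]
        for user, password in extract_credentials(raw):
            issues.append(f"credentials exposed ({user})")
            if (user, password) in DEFAULT_CREDENTIALS:
                issues.append(f"default credentials in use ({user}:{password})")
        findings.append({"host": host, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURED_REQUESTS):
        print(finding["host"], "->", "; ".join(finding["issues"]) or "no issues")
```

Run it as-is and the camera and thermostat are reported for both cleartext transport and factory-default logins, while the TLS session yields nothing, which is the whole point: an attacker on the same network learns exactly what this script learns.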
2. AI
Researchers warn that AI will “lead to the expansion of existing threats, the introduction of new threats and a change to the typical character of threats”. The technology could make it easier for crooks to carry out complex attacks, and has the potential to automate the discovery of critical software bugs.
AI could also be used to abuse Facebook-style algorithmic profiling, turning social engineering from a hand-crafted attack into a targeted one at scale.
3. Ransomware in the Cloud
Ransomware is an established weapon of cyber crooks. Once it executes on an organisation’s systems, it encrypts every file it can reach and displays a note demanding payment for the decryption key.
Unfortunately for the crooks, many organisations are now wise to the scam and make sure they regularly back up their data. This allows them to wipe the infected systems and restore from backup rather than pay.
But now the crooks are retaking the initiative. They have begun taking aim at Cloud storage, which organisations often use instead of backups even though it is nothing of the sort: a synced Cloud folder faithfully mirrors whatever happens locally, encrypted files included. This exposes the common misconception that the Cloud is somehow a safe haven for data. It is simply a server somewhere else, whose protection is largely out of your control, so a genuine backup still needs to be kept offline or in versioned storage that an infected machine cannot overwrite.
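To make the sync-versus-backup distinction concrete, here is an added example in Python, not code from the original article. It models a Cloud sync folder that mirrors every local change, a versioned backup that keeps append-only snapshots, and a simulated ransomware run that replaces each file with a high-entropy copy. The file contents, the seeded XOR keystream standing in for real ransomware encryption, and the entropy threshold used to pick a clean restore point are all assumptions made for the illustration.

```python
"""Synced Cloud folder versus versioned backup under a ransomware run.

Added example, not code from the original article. Files, the 'remote'
storage and the ransomware routine are all in memory and constructed for
illustration; the seeded XOR keystream stands in for real ransomware
cryptography and the entropy threshold is an assumed heuristic.
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte of `data`: plain text sits around 4 to 5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class SyncFolder:
    """Models a Cloud sync client: the remote copy always mirrors the local folder."""

    def __init__(self):
        self.remote = {}

    def sync(self, local):
        # Deletions, renames and encrypted contents propagate just like any edit.
        self.remote = {name: bytes(data) for name, data in local.items()}

    def restore(self):
        return dict(self.remote)


class VersionedBackup:
    """Models a real backup: append-only snapshots that a client cannot overwrite."""

    def __init__(self):
        self.snapshots = []

    def take(self, local):
        self.snapshots.append({name: bytes(data) for name, data in local.items()})

    def restore(self, index):
        return dict(self.snapshots[index])

    def last_clean_snapshot(self, threshold=6.5):
        """Index of the newest snapshot containing no suspiciously high-entropy files."""
        for i in range(len(self.snapshots) - 1, -1, -1):
            if all(shannon_entropy(d) < threshold for d in self.snapshots[i].values()):
                return i
        return None


def ransomware_encrypt(local, seed=1):
    """Replace every file with an XOR-keystream copy and drop a ransom note."""
    rng = random.Random(seed)  # toy keystream; real ransomware uses proper ciphers
    encrypted = {}
    for name, data in local.items():
        keystream = bytes(rng.getrandbits(8) for _ in range(len(data)))
        encrypted[name + ".locked"] = bytes(a ^ b for a, b in zip(data, keystream))
    encrypted["README_RESTORE.txt"] = b"Your files are encrypted. Pay to get the key."
    return encrypted


def run_scenario():
    """Back up, get hit, then try to recover from each mechanism."""
    local = {  # constructed sample files
        "report.docx": b"quarterly report: revenue up 3 percent. " * 20,
        "notes.txt": b"meeting notes: review supplier contracts. " * 20,
    }
    sync, backup = SyncFolder(), VersionedBackup()
    sync.sync(local)
    backup.take(local)

    local = ransomware_encrypt(local)   # the infection
    sync.sync(local)                    # the sync client keeps doing its job
    backup.take(local)                  # a scheduled backup also captures the mess

    from_sync = sync.restore()
    clean = backup.last_clean_snapshot()
    from_backup = backup.restore(clean) if clean is not None else {}
    return {
        "sync_recovers_report": "report.docx" in from_sync,
        "backup_recovers_report": "report.docx" in from_backup,
        "clean_snapshot": clean,
        "snapshots_taken": len(backup.snapshots),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The sync folder ends up holding only `.locked` files and the ransom note, because it did exactly what it was designed to do; the versioned backup still has the pre-infection snapshot, and the entropy check picks it out automatically. Note that the entropy heuristic is only a triage aid: legitimately compressed or encrypted files (archives, images, encrypted containers) also score near 8 bits per byte, so in practice you would combine it with file-extension changes, ransom-note detection and restore-point timestamps rather than rely on it alone.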
Conduct a cyber security audit
You can determine whether your organisation is ready to defend against these and other threats by taking the IT Governance Cyber Security Audit and Review.
It’s designed for public-sector and critical national infrastructure organisations seeking compliance with any of a number of cyber security laws and frameworks. You’ll receive expert guidance from one of our consultants, who will:
- Verify that information processes are in line with security policy criteria and procedural requirements;
- Define and implement processes and techniques to ensure ongoing compliance with security policies, standards, and legal, regulatory and contractual requirements;
- Carry out security compliance audits in accordance with an appropriate methodology, standard or framework;
- Provide an impartial assessment and audit report covering security compliance audits, investigations and information risk management;
- Provide an independent opinion on whether your organisation is meeting information assurance control objectives;
- Develop audit plans and audit regimes that match your organisation’s business needs and risk appetite;
- Identify your organisation’s systemic trends and weaknesses in security;
- Recommend responses to audit findings and appropriate corrective actions;
- Recommend appropriate security controls;
- Assess the management of information risk across the organisation or business unit;
- Recommend efficiencies and cost-effective options to address non-compliance issues and information assurance gaps identified during the audit process; and
- Assess the maturity of an existing information auditing function using cross-government benchmark standards.