The technology world was rocked late last week with the arrival of the “WannaCry” malware payload. “WannaCry” is ransomware: it encrypts files with strong encryption, and then notifies the victim that they can “recover” their files for a payment using Bitcoin (which is an extremely difficult-to-track blockchain-based payment system). While the New York Times has reported that victims in nearly 100 countries have been affected so far by this fast-moving malware, the most significant impact so far has been identified within the U.K.’s National Health Services (NHS), which was forced to reallocate patients to unaffected facilities due to the “WannaCry” outbreak.
Recently, management consulting firm Deloitte identified that cybersecurity insurance, while currently only a small fraction of the overall market of insurance underwriting, is poised to dramatically increase over the next few years, potentially even tripling by 2020. This is backed up by insurance giant Allianz, which has predicted that cybersecurity insurance will increase from its current $1.5-$3 billion in annual premiums to over $20 billion just a few years after that, in 2025.
For those of you who have been reading the EiQ Networks blog on a regular basis, you know that one of the most fundamental and unyielding tenets of the security world that we frequently point out is this: functionality and performance always – and we mean always – trump security. For developers of new software products, hardware technologies and the emerging world of IoT, the ability to get to market as quickly as possible is the most important thing a company can do, because it gets them a market position that turns into revenue. Because security isn’t generally perceived by companies that make commercial software and hardware as something on which people make buying decisions, it’s usually relegated to a last-minute “bolt-on”, or simply addressed after vulnerabilities are discovered by users and security analysts after the product is released. Even after disclosure of vulnerabilities, many companies either ignore these findings or back-burner patches and fixes until the next major release of their product. One of the “dirty little secrets” of the industry is that certain, specific vendors (we won’t name names here… but they know who they are) have had gaping holes in their products for months and sometimes even years. Sadly, this behavior among many companies is not likely to change.
Just a few weeks ago, security researcher and journalist Brian Krebs reported on the arrest of two men who were suspected of running “vDOS,” one of the most pervasive distributed denial-of-service (DDoS) paid service networks in the world. DDoS as a subscription service is nothing new; vDOS was in existence for well over four years, and along with other services such as “PoodleStresser” were part of the nascent but rapidly-growing distributed denial of service-as-a-service market (“DDoSaaS” – how’s that for an acronym?)
Cybercriminals and IT security shouldn't be taken lightly. One breach can cost your company hundreds of thousands of dollars. If you're not sure whether your company needs to upgrade or completely revamp its cybersecurity practices, here are three warning signs that indicate it should:
"One breach can cost your company hundreds or thousands of dollars."
1. You Don't Understand the Target
IBM executive security advisor Diana Kelley, who co-authored the IBM study "Securing the C-suite," has over two decades of cybersecurity experience. Her company has 7,000 IT professionals protecting the organization from outside threats. But even Kelley recognizes that numerous executives, even at the most influential computer institutions such as IBM, don't take IT security as seriously as they should.
There are many types of cybercriminals, and the type of data they're searching for can vary. For example, the Congressional Research Service categorizes hackers into criminals, nation-state warriors, terrorists and "hacktivists," and each has their own objectives when performing cyber attacks.
As a business owner, manager or industry professional, it's critical to understand the common challenges that exist when trying to defend against these cybercriminals.
Security as a Service has rapidly become one of the hottest cybersecurity trends in 2016. The latest shift in this trend though is the cloud-based options that are available, specifically for the managed IT security services industry. This is primarily due the cost-saving benefits associated with cloud security. Even with this shift, however, there still remains many myths about cloud security. Based on an article by David Spark published on CIO.com called 20 of the Greatest Myths of Cloud Security, EiQ has chosen three of these myths that we believe IT security professionals need to forget about immediately in order to overcome the fear of cloud security and start reaping the benefits.
- The cloud is fundamentally less secure (in fact it might be safer!)
- More breaches occur in the cloud
- Maintaining cloud security is just too difficult
Can IT professionals rely on the cloud to keep their data safe and secure like they did floppy disks, compact disks and flash drives? After all, for years those units were staple features of business operations and storage. Each of those items proved their worth, but eventually fell in favor to new technology. This time, it's the cloud.
"It's not a matter of managing IT security as it is ensuring a breach never happens."
The question today is whether IT professionals can trust the cloud to keep their data secure all the time. Data breaches are a major problem, especially in the banking industry, so it's not a matter of managing IT security as it is ensuring a breach never happens.
When it comes to cybersecurity, companies today typically have three options:
- Do nothing or the bare minimum, and hope that cyber attackers don’t find you.
- Keep your current cybersecurity posture as is, without consistent updating or monitoring (and hope cyber attackers don’t find you!).
- Consider EiQ’s hybrid security as a service to identify threats and vulnerabilities, mitigate risk, and achieve compliance.
Let’s look at each of these options.
One need only read the headlines to know how insecure company data and networks are these days. Just a few weeks ago, U.S. health insurer Banner Health informed 3.7 million customers and healthcare providers that their data may have been stolen. This has become a fairly common scenario as healthcare records and private data are traded openly on the black market. Thinking through all of the likely attack vectors, it seems almost impossible for organizations to completely secure their intellectual property, customer data, and other corporate records. For example, employees might not know that malware need not be downloaded in a file or executable but simply through clicking on an infected banner ad or even a link in social media. If an organization has a “bring your own device” to work policy, a mobile phone or tablet infected at home can spread easily malware to the corporate network.