10+ Critical Corporate Cyber Security Risks – A Data Driven List [Updated]
Revealing the risk sources that expose your organization to cyber attacks
Just like all of us, companies are under a lot of pressure nowadays.
They have to grow and perform well financially, to please the investors or shareholders.
They have to innovate and keep making new products and building new services to satisfy the customers’ needs.
They have to keep their employees happy and nurture them to become better specialists.
They have to invest in the communities they activate in and be careful about their impact there and on the environment.
And they also have to keep the business going uninterrupted by cyber attacks and other security incidents.
The list could go on, but these are just some of the key challenges that I wanted to outline.
What the news does every day is to point out that companies everywhere are vulnerable. This is true irrespective of their sector, size and resources.
There are two forces at work here, which are pulling in different directions:
- the attackers, who are getting better at faster at making their threats stick
- And the companies, which still struggle with the overload in urgent security tasks.
We’ve all seen this happen, but the PwC Global Economic Crime Survey 2016 confirms it:
Cybercrime climbs to 2nd most reported economic crime affecting 32% of organisations.
Internet-delivered attacks are no longer a thing of the future. They’re an impactful reality, albeit an untouchable and often abstract one.
It would seem that only the those with serious tech skills truly grasp the severity of the issue, but these people can’t fix the problems by themselves. That’s why everyone who works for a company or helps run it should read this article.
Top security threats can impact your company’s growth
Vulnerabilities in your company’s infrastructure can compromise both your current financial situation and endanger its future.
Companies everywhere are looking into potential solutions to their cyber security issues, as The Global State of Information Security® Survey 2017 reveals.
Integration seems to be the objective that CSOs and CIOs are striving towards. Getting all the ducks in a row could paint a clearer picture in terms of security risks and vulnerabilities – and that is, indeed, a must-have.
So amid this turbulent context, companies desperately need to incorporate cyber security measures as a key asset. It’s not just about the tech, it’s about business continuity.
If you are concerned with your company’s safety and prospects, then you’re in the right place. There are solutions to keeping your assets secure. The first step is to acknowledge the existing cyber security risks that expose your organization to malicious hackers.
16 corporate cyber security risks to prepare for
Information security is a topic that you’ll want to place at the top of your business plan for 2017 or any of the years to come. Having a strong plan to protect your organization from cyber attacks is fundamental. So is a recovery plan to help you deal with the aftermath of a potential security breach.
These plans can also become leverage for your company. Investors think highly of those managers who are prepared to deal with every imaginable scenario that the company might experience.
Below you’ll find some pointers to help you create an action plan to strengthen your company’s defences against aggressive cyber criminals and their practices.
1. Failure to cover cyber security basics
The common vulnerabilities and exploits used by attackers in the past year reveal that fundamental cyber security measures are lacking.
Cyber criminals use less than a dozen vulnerabilities to hack into organizations and their systems, because they don’t need more.
- The top 10 external vulnerabilities accounted for nearly 52 percent of all identified external vulnerabilities Thousands of vulnerabilities account for the other 48 percent.
- The top 10 internal vulnerabilities accounted for over 78 percent of all internal vulnerabilities during 2015. All 10 internal vulnerabilities are directly related to outdated patch levels on the target systems.
For example, something as simple as timely patching could have blocked 78% of internal vulnerabilities in the surveyed organizations. And the same goes for external security holes.
Moreover, relying on antivirus as a single security layer and failing to encrypt data is an open invitation for attackers. It just screams: “open for hacking!”
World Wide Web exploits are multiplying aggressively, so protecting your company also entails keeping an eye out for new dangers. It’s not an easy job, I know.
2. Not understanding what generates corporate cyber security risks
Companies often fail to understand “their vulnerability to attack, the value of their critical assets, and the profile or sophistication of potential attackers”. This issue came up at the 2015 World Economic Forum and it will probably still be relevant for a few more years (and, hopefully, not longer).
Security risks are not always obvious. The categories below can provide some guidance for a deliberate effort to map and assess these risks and plan to mitigate them in the long term.
Technology isn’t the only source for security risks. Psychological and sociological aspects are also involved. This is why company culture plays a major role in how it handles and perceives cyber security and its role.
3. Lack of a cyber-security policy
Security standards are a must for any company that does business nowadays and wants to thrive at it. Cyber criminals aren’t only targeting companies in the finance or tech sectors. They’re threatening every single company out there.
The increasing frequency of high-profile security breaches has made C-level management more aware of the matter. This is an important step, but one of many.
External attacks are frequent and the financial costs of external attacks are significant. The 505 enterprises and financial institutions surveyed experienced an average of more than one cyber attack each month and spent an average of almost $3.5 million annually to deal with attacks.
Not prioritizing the cyber security policy as an issue and not getting employees to engage with it is not something that companies nowadays can afford.
This piece of advice shared in an article on Fortune.com is worth pondering on:
Just as companies seek outside expertise for legal and financial matters, they should now be looking for experts in cyber security and data privacy.
As part of their cyber security policy, companies should:
- identify risks related to cyber security
- establish cyber security governance
- develop policies, procedures and oversight processes
- protect company networks and information
- identify and address risks associated with remote access to client information and funds transfer requests
- define and handle risks associated with vendors and other third parties
- be able to detect unauthorized activity.
4. Confusing compliance with cyber security
Another risk businesses have to deal with is the confusion between compliance and a cyber security policy.
Ensuring compliance with company rules is not the equivalent of protecting the company against cyber attacks. Unless the rules integrate a clear focus on security, of course.
Enterprise risk management requires that every manager in the company has access to the parts of the security system that are relevant to them. Security is a company-wide responsibility, as our CEO always says. As a result, managers (and everyone else) should oversee how data flows through the system and know how to protect confidential information from leaking to cyber criminal infrastructure.
Most companies are still not adequately prepared for – or even understand the risks faced: Only 37% of organisations have a cyber incident response plan.
Clearly, there is plenty of work to be done here.
5. The human factor – the weakest link
There are also other factors that can become corporate cyber security risks. They’re the less technological kind.
The human factor plays an important role in how strong (or weak) your company’s information security defenses are.
It turns out that people in higher positions, such as executive and management roles, are less prone to becoming malicious insiders. It’s the lower-level employees who can weaken your security considerably. Be mindful of how you set and monitor their access levels.
As you can see for this recent statistic, privilege abuse is the leading cause for data leakage determined by malicious insiders.
That is one more reason to add a cyber security policy to your company’s approach, beyond a compliance checklist that you may already have in place. Protecting sensitive information is essential, and you need to look inside, as well as outside to map and mitigate potential threats.
6. Bring your own device policy (BYOD) and the cloud
In the quest to providing your employees with better working conditions and a more flexible environment, you may have adopted the “Bring Your Own Device” policy.
But have you considered the corporate cyber security risks you brought on by doing so?
One in five organizations suffered a mobile security breach, primarily driven by malware and malicious WiFi.
Security threats to BYOD impose heavy burdens on organizations’ IT resources (35 percent) and help desk workloads (27 percent).
Despite increasing mobile security threats, data breaches and new regulations, only 30 percent of organizations are increasing security budgets for BYOD in the next 12 months. Meanwhile, 37 percent have no plans to change their security budgets.
The bright side is that awareness on the matter of BYOD policies is increasing. Key decision makers know what they should be focused on preventing:
And we also have a guide for employees who want to still enjoy their BYOD benefits, while keeping their jobs.
As long as we keep the security aspect in mind, there’s plenty that both companies and employees can do to safeguard data and prevent malicious intrusion.
When it comes to mobile devices, password protection is still the go-to solution. I was glad to see that encryption is in the top 3 security measures, but I hope it will grow in popularity in the coming years.
Source: BYOD & Mobile Security 2016
Overall, things seem to be going in the right direction with BYOD security. But, as with everything else, there is much more companies can do about it.
7. Funding, talent and resources constraints
We know that there are plenty of issues to consider when it comes to growing your business, keeping your advantages and planning for growth. So budgets are tight and resources scarce. That’s precisely one of the factors that incur corporate cyber security risks.
Think of this security layer as your company’s immune system. It needs funding and talent to prevent severe losses as a consequence of cyber attacks.
A good approach would be to set reasonable expectations towards this objective and allocate the resources you can afford.
8. No information security training
Employee training and awareness are critical to your company’s safety.
In fact, 50% of companies believe security training for both new and current employees is a priority, according to Dell’s Protecting the organization against the unknown – A new generation of threats.
The specialists’ recommendation is to take a quick look at the most common file types that cyber attackers use to penetrate your system. This will tell you what types of actionable advice you could include in your employees’ trainings on cyber security.
The human filter can be a strength as well as a serious weakness. Educate your employees, and they might thank you for it. This training can be valuable for their private lives as well.
9. Lack of a recovery plan
Being prepared for a security attack means to have a thorough plan. This plan should include what can happen to prevent the cyber attack, but also how to minimize the damage if is takes place.
Unfortunately, the statistics reveal that companies are not ready to deal with such critical situations:
Observing the trend of incidents supported since 2013, there has been little improvement in preparedness In 2015 there was a slight increase in organizations that were unprepared and had no formal plan to respond to incidents
Over the last three years, an average of 77 percent of organizations fall into this category, leaving only 23 percent having some capability to effectively respond.
If 77% of organizations lack a recovery plan, then maybe their resources would be better spent on preventive measures. This way, companies can detect the attack in its early stages, and the threats can be isolated and managed more effectively.
But that doesn’t eliminate the need for a recovery plan. There’s no doubt that such a plan is critical for your response time and for resuming business activities. In fact, we can recommend 10 steps to critical steps to take after a data security breach that can have a real positive impact on building the plan and recovery process.
10. Constantly evolving risks
There is one risk that you can’t do much about: the polymorphism and stealthiness specific to current malware.
Polymorphic malware is harmful, destructive or intrusive computer software such as a virus, worm, Trojan or spyware. Its key asset is that it can change constantly, making it difficult for anti-malware programs to detect it. That is why you should take into account that your company might need an extra layer of protection, on top of the antivirus solution.
Your first line of defense should be a product that can act proactively to identify malware. It should be able to block access to malicious servers and stop data leakage. Part of this preventive layer’s role is to also keep your system protected by patching vulnerabilities fast.
As cyber risks increase and cyber attacks become more aggressive, more extreme measures may become the norm. Such tactics include shutting down network segments or disconnecting specific computers from the Internet.
As this article by Deloitte points out:
This may require a vastly different mindset than today’s perimeter defense approach to security and privacy, where the answer is sometimes to build even higher castle walls and deeper moats.
One more thing to consider here is that cyber criminals have strong, fully automated systems that they use. Automation is crucial in your organization as well, given the sheer volume of threats that CIOs and CSOs have to deal with.
You’ll need a solution that scans incoming and outgoing Internet traffic to identify threats. It should also keep them from infiltrating the system.
You know what? A traffic filtering product may be just what you need.
As one CEO pointed out in CFO Signals – What North America’s top finance executives are thinking – and doing:
Criminals are all automated to the teeth and the only way for companies to counter that is to be automated to the teeth as well to find those vulnerabilities…the bad guys only have to find one hole. We have to find them all.
11. Aging infrastructure
As you know, cyber security is not all about software. Hardware can be a major issue as well.
This is especially true since the lifecycle of devices is becoming increasingly shorter nowadays.
If the hardware you use doesn’t allow you to install the newest patches for the software on it, then this breeds trouble. If you use certain types of software that require older versions of plugins, such as Java, than that can also cause security issues.
When purchasing new hardware, consider how many updates it will be able to support. Carefully monitor all devices as they age and deteriorate.
It’s not about having the latest gadgets, it’s about ensuring that you can run the latest versions of the software you need.
12. Corporate inflexibility
We all know that the bigger a company is, the slower it moves.
While this is not time nor the place to debate the causes behind this, its impact on your data security is a key discussion topic.
The issue with a company’s lack of flexibility is that, if a breach happens, it will take a lot longer than recommended to contain and mitigate it.
While lower-level managers scramble to get approvals from their seniors and external experts on board, attackers will be hard at work. They’ll take advantage of this time to exfiltrate gigabytes of confidential data from your network.
Time is critical when dealing with a data breach or any kind of cyber attack. Don’t waste it!
That’s why having a plan in place to deal with such situations is fundamental. This is especially relevant since most organizations strongly agree that detecting external cyber threats is extremely difficult.
Don’t let bureaucracy slow you down when fighting for your company’s data.
13. Lack of accountability
On a similar note, another contributing factor to your company’s exposure to cyber threats is the lack of accountability. This is a cultural issue that often permeates corporations. But it can happen to smaller companies too.
Building a culture where employees are not afraid to take on responsibilities is crucial for successfully dealing with cyber attacks.
Being able to trust your employees and colleagues is key in moments when the pressure is high and the stakes are even higher. You need to have designated people in your company who can make the right decisions when the time comes.
I have to insist that these critical employees be well trained and capable of acting in the company’s best interest in the event of a cyber breach.
As with all important things, this isn’t something that can be arranged on the spot. Preparations are in order and the sooner you start them, the sooner you’ll see the improvements. Empowering people has that positive effect.
14. Difficulty in integrating data sources
The amount of data flowing through an organization could overwhelm anyone, no matter how experienced that person is.
There are just too many information sources to handle: details about employees, partners, contractors, service providers, customers, etc.
But integrating these data sources is crucial if you want to have a clear overview of the internal and external risks for your organization.
For example, CIOs and CISOs work with multiple products, each with its own dashboard, and they have to correlate a lot of data to get a clear image of the vulnerabilities in their organizations.
A focus on data sharing policies and identity management comes to mind. As it turns out, these are some of the primary security services that companies turn to:
Try to single out the most important things you want to look at. Choose security platforms that will also help you mitigate risks and block attacks, not only help you identify these risks and attacks. A CIO’s or CSO’s toolbox is never complete without such a platform.
15. Holding on to a reactive mindset
Unfortunately, this is a mistake that most organizations still make.
While trying to pull together as many resources possible and constantly prioritizing what to do next, decision makers often focus only on the reactive side of information security. This perspective is still commonplace, but the current state of affairs clearly shows that it’s not a viable strategy anymore.
Investing in proactive cyber security may benefit you in aspects you’re already familiar with, but in new ways as well. Here are some of the benefits:
- Proactive information security can help you mitigate risks before they turn into security breaches;
- It enables you to comply with legal requirements (such as the EU GPRD);
- It helps strengthen the customers’ trust in the organization;
- It proves to investors, shareholders and other stakeholders that the organization’s management has a clear vision and is prepared to deal with cyber risks and attacks;
- It helps build trust within the organization, among employees, who can rest assured that the company can resume to business as usual after a cyber attack happens.
When you decide to plan ahead for your business’s cyber security, you set your own priorities.
If, instead, you stick to the reactive way of doing things, the attackers will set your agenda. I’m sure you already know how powerless it can make you feel when someone else calls the shots on critical matters.
What’s more, being proactive about information security is cheaper. So you can stick to your budget and keep your company’s data safe at the same time. Even EUROPOL highlighted this in their latest Internet Organised Crime Threat Assessment (2016 edition):
When it comes to addressing volume crimes, investing resources in prevention activities may be more eﬀective than investigation of individual incidents.
The good news is that there’s an industry-wide movements away from reactive solutions and toward preventive measures. And the statistics related to cyber security spending show it:
16. Disconnect between spending and implementation
Another big risk for organizations comes from a disparity between cyber security spending and how the tools and services are actually used.
It’s not uncommon for companies to purchase security solutions and not install or use them for months. Many things get in the way, as CSOs and CIOs are often burdened with too many tasks.
Implementing all these solutions takes time and resources (especially the human kind), which IT/cyber security departments often lack. What’s more, some of these solutions are complex and have a learning curve, and time is something that cyber security specialists often don’t have.
As a result, spending money on information security products and services does not guarantee they’ll be used to their full potential.
On the other hand, most organizations still don’t have enough resources to ensure a decent level of protection.
A lack of necessary tools and resources in most organizations diminishes the ability to respond to external threats. Only 42 percent of respondents believe their company has the tools to mitigate external threats.
The lack of tools also affects the ability to monitor, analyze and understand external threats. Specifically, only 41 percent of respondents say they have the tools and resources necessary to analyze and understand external threats and only 39 percent of respondents believe their companies have tools to monitor external threats.
We should all keep in mind that the reality on the ground is more complex than what we assume. And that’s why we still have a long way to go in terms of keeping data safe from external and internal threats alike.
It takes time and involvement to strengthen your company’s defenses against cyber security risks. However, this process can help your organization maintain shareholder value and even achieve new performance peaks.
It may take some time to create a cyber security policy, train your employees and implement it in all the branches of your company. But the results are worth it! Being thoroughly prepared for the worst case scenario can be a competitive advantage.
You’ve already taken the first step by reading this article. Now act on what you’ve learned.
This article was initially written by Andra Zaharia in March 2015 and was updated by the same author in October 2016.