Six Top Information Security Risks to Be Aware of in 2019

While companies and individuals embrace innovation, cybercriminals make use of the new backdoors to improve the scope of their hacking.

• May 22, 2019

The global shift towards advanced forms of technology and higher levels of connectivity has created a gap in cybersecurity. While companies and individuals embrace innovation, cybercriminals make use of the new backdoors to improve the scope of their hacking.

1. Data Theft via Third-Party Vendors

Cloud computing has become a global trend. According to LogicMonitor Cloud Vision 2020, 83 percent of company workloads will be in the cloud. As more companies migrate their digital assets to the cloud, more data is entrusted to third-party cloud providers (CSP). While most CSPs provide adequate security controls, open-source components remain a critical threat.

According to a 2019 SNYK report of the state of open source security, there has been a 88% growth in application vulnerabilities during the past couple of years. The most alarming finding was the discovery that 70% of open source maintainers lack the skills to secure their cloud. Thus, despite the rising adoption of open source components by enterprises and SMBs alike, many cloud environments often marinate in vulnerabilities before someone catches on. By then, it’s too late—the data was already stolen and possibly sold in the Dark Web.

Possible mitigation method—companies that adopt cloud computing will benefit from creating a cloud migration strategy. As you create your strategy, you can research possible CSPs and ensure that they provide their clients with comprehensive security controls. Implementing automated monitoring solutions can help promote secure cloud adoption in-house.

2. Loss of Data Due to Shadow IT

Shadow IT refers to information technology systems used within the organization without the knowledge of the IT department. Shadow IT compromises the information of the organization. Shadow IT systems aren’t backed up by the organization and may cause loss of data.

Loss of data has implications on business continuity and the mental health of the employees. When people lose information, they go through the five stages of grief—denial, anger, bargaining, depression, acceptance. It can be heart-breaking to lose the valuable information you worked on. Such a mental state can impact productivity.

Possible mitigation method—the best protection against shadow IT is prevention. Organizations can create data loss prevention (DLP) policies to help educate employees in proper use of company resources. The policies clarify what systems can or can’t be used and for what purposes. Thus, prohibiting the use of shadow IT systems. Organizations may also implement DLP solutions such as DLP software that automate the identification, monitoring, and management of data breaches.

3. Poor Security Policies Compromise Trade Secrets

In a world in which connectivity has become an integral force of national, cultural, organizational, and individual continuity, security policies act as the guiding line that draws a protective circle around business secrets. According to Statista, there are approximately 2.5 billion smartphone users in the world. In the US, 77 percent of the population owns smartphones.

Information security policies help organizations to protect trade secrets. Allowing personnel and collaborators to access the digital resources of the organization via smartphones can promote productivity and business continuity. However, poor policies such as a single factor password may be used by hackers as an entry point to steal the data. Additionally, a stolen smartphone may compromise any sensitive information stored on the device. Often, when trade secrets get exposed, the reputation of the organization gets damaged.

Possible mitigation method—as in the case of shadow IT, prevention of improper use of company resources is often the best defense against losing trade secrets. Creating policies that maintain a standard use of information resources help employees play an active part in protecting the information and the IT infrastructure of the organization.

4. Data Heists Led by Insider Threats

In 2018, 25 percent of known data breaches were caused by social engineering, which is a technique that uses human psychology to trick individuals into divulging authorization information such as passwords. A social engineer may impersonate IT personnel and trick an employee into revealing their password. Other social engineers may use intimidation, blackmail, violence, or kidnapping to extract the information.

On the other side of the social engineering coin lies the intentional insider work. These are employees that deliberately breach the data of the organization, without being coerced into doing the deed. Often, these are disgruntled ex-employees. A survey of 1,000 employees found that one in five stole sensitive and confidential company information.

Possible mitigation method—implementing User Behavior Analytics (UBA) tools to flag unusual user behavior. UBA monitors and analyses many network events generated daily by the company users to identify malicious behavior such as lateral movement and compromised credentials. UBA helps determine whether the threat comes from the inside of the organization or from outside activity.

5. Phishing Schemes Lead to Business Email Compromise (BEC)

A phishing scheme uses media channels such as email, telephone or text messaging to send legitimate-looking messages with the intention to trick individuals into revealing sensitive information such as credit card details and passwords. Phishing schemes often result in identity theft and financial loss.

Phishing schemes can be used to launch a Business Email Compromise (BEC) attack. BEC scams target email accounts of executives or finance employees involved with wire transfer payments through various methods such as phishing attacks. The cybercriminal uses the information to initiate fraudulent transfers on behalf of the organization.

Possible mitigation method—educating employees in methods of cybercrime and appropriate protective measures have been proven helpful in reducing information security risks. Additionally, organizations can also implement security controls such as dual authentication, encryption, and visual cues. Artificial Intelligence (AI) filtering provide advanced filtering techniques for catch BEC criminals such as geolocation tools for senders identification.

6. Fraud Enabled by Compromised Blockchain

Since its introduction in 2008, blockchain technology has seen a steep rise in popularity. Originally used for cryptocurrency, blockchain applications can now be found in many industries and systems. A notable blockchain application is a software program called smart contracts, which facilitate a safe digital exchange without the intervention of a third-party.

The idea behind smart contracts, and blockchain in general, is to enable safe digital exchange via transparency, thus getting rid of middlemen such as banks and brokers. However, current attempts of applications of smart contracts to the protection of intellectual property haven’t been successful. Bugs and errors in smart contracts leave systems open to attacks. A breach in the blockchain technology may lead to unauthorized alteration of a smart contract.

Possible mitigation method—use strong authentication to secure the terms of a contract and store encryption keys in a hardware root of trust. Additionally, blockchain security tools and solutions can help apply a variety of security controls the fit the security needs of the organization.