One might think that banking apps are SSL encrypted by default, or that the “123456” password is only used by people who have never heard of malware and think antivirus software is a type of antibiotic. Wrong.
The reality we are living in has talking fridges and toasters that count the number of breakfasts and order a new loaf of bread online without even informing the owner. It is full of fancy devices connected to the Internet of Things which “talk to each other”. Everything sounds cool and convenient, but have you ever updated the software of any of your home devices connected to the Internet? Once you start realising how many cyber attacks are committed on a daily basis and that only one fourth of the mobile apps available on the market use any encryption (and 20% of those that do, do it wrong), a red light should turn on in your head (based on the HP Fortify report on application security). Especially if you outsourced your app development at a low cost to an agency which has no time to implement any security measures. Or if you are using a cloud solution in your company but never had enough time, tools and resources to invest in securing it properly.
Cybersecurity can’t be “an IT challenge;” its effects are too broad and costly.
Maybe you think your company is not under threat, but here again, think twice… In 2016 PayPal rolled out a new external transaction plug-in for its Polish customers which asked every user for their username and login to their PayPal account (more in this article, written in Polish) and collected them on its own servers. Once PayPal realised its mistake it removed the plug-in, but by then both its reputation and the security of some accounts had been compromised. Another example, also from the Polish market, concerns malware served by a PR agency servicing IBM. This one was particularly malicious because it redirected visitors from over 250 banks and financial institutions, and even those users who were checking the “green lock” were scammed (read more on IBM’s website).
Even if your company is very cautious when it comes to installing any plug-ins, there is always a human factor involved. The Internet is full of examples of “professional” e-mails which, instead of keeping all recipients in BCC, included them under CC. Inventing a “fool-proof” solution is a challenge for anyone, but there are many ways of helping to prevent such unfortunate slips.
Data is a toxic asset and needs to be treated cautiously. Many organisations are downplaying the risk due to omissions, cost cuts, ignorance or lack of resources, not realising how valuable data is and how damaging a data breach would be. Some believe they can completely protect themselves against a data breach, or at least that their legal and public relations teams can minimize the damage if they fail. On top of that, take the example of Cisco, which advertises itself as a company investing tools and resources in advanced security: its median time to detect a threat hovers around 10 hours. How long does it take at your organisation?
Last but not least, it’s worth mentioning that ISO raised some concerns around the topic (read more on ISO’s blog):
Looking to the future, it is clear that our world faces many challenges that cut across national borders. Climate change, water scarcity, cyber security and large-scale migration are just some of the issues we face today that require integrated, international action.
There is definitely a need for standardisation and guidance. ISO announced some changes coming to its ISO/IEC 27032 standard, which focuses explicitly on cyber security. Nevertheless, nothing has been made official yet, so don’t spend your day thinking this is set in stone.
For anyone willing to read more on the topic, I highly recommend the Cisco and Hewlett Packard reports on cyber risks, and inviting a kreuzwerker expert for an in-house workshop for your teams tackling security and data protection topics.