The recent HBO breach is now known to be much, much worse than the Sony content hack of 2014 or the more recent, financially motivated theft and premature release of Netflix’ Orange is the New Black episodes. Even more disturbing than the volume and value of the HBO data exfiltrated is the hacker’s motives remain unclear. It’s possible major damage to HBO’s internal operations is the goal.
Jimmy Sanders, head of information security at Netflix DVD, underscores that content producers and all other organizations face the same fundamental problem in today’s threat climate: identify your most valuable information assets and protect them in the best way possible.
Top Critical Security Risks Currently Threatening Businesses
Here are the critical threats Sanders and others are highlighting for business leaders and security executives today:
1. Manage Third-Party Risk
Leverage security standards like ISO 27001 to define what “security best practices” means for your organization. Then audit your key third-party vendors based on those expectations. The more risk a vendor presents, the more comprehensive the audit needs to be.
2. Help Your Clients Stay Secure
Now is the time to move beyond password authentication to provide clients with a deeper level of trust. You need to truly understand the needs and views of your client base to provide the right layers and models of security to balance user experience with risk mitigation. Options include everything from multifactor authentication to captchas to online security awareness education.
3. Be Prepared for Attackers Wielding Government-Created Cyber Weapons
WannaCry ransomware is the perfect example of what will continue to happen as cyber weapons created for nation state level attacks are directed at your defenses, whether for financial or political ends. Few organizations have the budget or the expertise to counter these threats, but a holistic approach to controls, including vulnerability management, will minimize the damage and prioritize protecting what is most valuable.
4. Defend Against Attacks That Breach Your Perimeter
Social engineering attacks will continue to escalate in frequency and effectiveness, leaving organizations vulnerable despite investments in firewalls, antivirus and so on. How would your business respond to a social engineering test? Once a threat is loose on your network and systems, are you able to identify it and quickly lock it down? A major emerging trend and investment focus is on strategies and controls for threat detection and response, to limit the damage once a breach has occurred.
5. Proactively Secure Your Applications and Data During Development
Too few organizations focus on secure development. Frameworks like the OWASP Application Security Verification Standard (ASVS), application penetration tests, and application threat modeling are crucial in determining and mitigating the risk that an application presents.
6. Outsource Critical Security Skills
Security talent is scarce and expensive, leading more and more firms to explore the benefits of a virtual CISO to help with managing security efforts, driving the planning and implementation of policies and procedures, and otherwise ensuring they have a solid, cost-effective information security program.
7. Prioritize Cloud Security
Cloud services are a growing target for hackers and remain a major security concern for enterprises alongside the increased use of mobility and SaaS. Now is the time to get a handle on the risk that cloud services present to your organization, and develop guidelines, policies and procedures to address those risks.
8. Beware the Internet of Things
The recent Mirai botnet targeting Internet of Things (IoT) devices underscores the vast and poorly understood threat that IoT vulnerabilities present. PCs, servers, laptops, printers, routers, switches, process control devices, kiosks, phones and tablets, sensors and “single-purpose” devices like environmental monitors can all be springboards for attacks. Assessing your environment and mitigating current vulnerabilities is a first step toward limiting the growing threat that IoT devices present to nearly every company. (EDIT: We now offer IoT-specific security assessments to serve this growing need.)
To talk with an expert about some options and approaches that will make your organization more secure, resilient and mature, contact Pivot Point Security.