Thanks to educational initiatives and technological advances, businesses and individuals enjoy more protection than ever against cyberthreats. But criminals are equally diligent about breaching those defenses, warn experts, who pointed out some emerging and trending cybersecurity threats.
Defenses like firewalls and multi-factor authentications are like “building a wall in front of your house or business,” according to Jennifer Mazzanti, chief executive officer of eMazzanti Technologies. “But if someone can drop the equivalent of a drone from the air, those defenses don’t matter.”
She warns that low-cost social engineering threats like mass email blasts, with virus-laden hyperlinks or other malicious baggage, “can easily be aimed at 500 or more targets at a time, so criminals can get a good return on their minimal investment even if they only snare a few victims. It’s a numbers game.”
In 2020 and beyond, she expects to see data mining attacks, since “the sale of personal data is big, like we saw in [a 2017] Ancestry.com breach. And of course cybercriminals have been going after credit card companies too; not just for identity theft, but also to resell the personal information to other companies. For example, when businesses buy lists of ‘qualified business contacts’ they assume the source is on the up-and-up, but do you really know where they got the data from?”
Some emerging threats stem from “the growing convergence of information and operational technologies,” according to Dave Weinstein, who previously served as New Jersey’s chief technology officer and now is the chief security officer at Claroty, a cybersecurity company. “The industrial control systems that automate our manufacturing sector and run much of our critical infrastructure, from power generation plants to wastewater treatment facilitates, are increasingly connected with internet-facing business networks,” he warned. “This connectivity yields enormous business advantages in terms of efficiency, productivity, and reliability, but it also exposes a vulnerable ecosystem to remote cyber threats.”
As businesses and cities continue to embrace “smart” and interoperable technologies, “owners and operators of this infrastructure must be mindful of how digital transformation impacts risk,” added Weinstein. “Especially as it relates to critical infrastructure, there is a commensurate consideration for mitigating cyber threats.”
The highest-risk sectors, include “lifeline services” like energy, water, and agriculture, Weinstein said. “Transportation, telecommunications, and financial services are a close second.” And although large corporations have historically been prime targets, “small businesses are taking on greater risk” as they depend more and more on digital, networked technologies.”
The advance of the Internet-of-Things — the interconnection of computing devices embedded in everyday objects — also means more opportunities for hackers and other cybercriminals. “The proliferation of these devices, especially in the industrial world, vastly complicates things for security practitioners,” according to Weinstein. “Not only is it difficult to keep an up-to-date inventory of all of these devices, but they require continuous monitoring to ensure that hackers are not using them to maneuver about a network. There is great promise in the Internet of Things, but users should be aware of the risk and, at a minimum, consider the security features of the devices, such as their ability to be easily patched when a vulnerability is discovered.”
Federal laws, like the Computer Fraud and Abuse Act, attempt to address cybercrime. “But the biggest problem is enforcement,” according to David Opderbeck, a law professor at Seton Hall University School of Law and co-director of the university’s Gibbons Institute of Law, Science & Technology. “A lot of the bad actors are overseas — sometimes even a government — and U.S. authorities may not be able to pursue them.”
Businesses need to have a plan in place before a breach, he added, “including who in the organization gets notified. To keep additional sensitive information out of the public domain, a company may want to speak with legal counsel, who may be able to assess attorney-client privilege.”
If a company gets breached, state and federal law may have notification requirements, he said. “Also, it may be useful, or required, to work with the FBI, but a business owner may not be comfortable sharing all of their information with federal agents; and there could be questions about whether the government has to keep quiet about the results of its investigations.”
Opderbeck’s cybersecurity tips include training employees in best practices, and taking steps to secure and track personally identifiable information and other sensitive data. “Know what it is, where it is, and consider encrypting it to keep it safer,” he said. “Also, investigate your third-party vendors and other partners. Find out about your vendors’ security practices, since they could be a weak link; and review your contracts with them, since they may address liability and other issues.”
An expanding threat
Cybercriminals aren’t just going after laptops and desktops, said Bill Blum, president of Alpine Business Systems Inc.
“Today, your smartphone has everything on it, including your contacts, a camera and a microphone,” he said. “So some sophisticated cybercriminals are developing text massaging hacks that can infect your phone when you simply click on the text. The good news is that an attack like this is usually expensive to develop, so they only go after selected individuals.”
Still, the cyberthreat landscape “is changing every day,” cautioned ADP’s senior director of security advocacy Kim Albarella.
She highlighted two significant shifts: advances in phishing and social engineering attacks, and the growing number of Internet of Things-enabled devices.
“Just a few years ago, phishing was relatively easy to identify,” Albarella explained. “You could look for bad spelling, fuzzy logos and requests to send money to foreign princes. The complexity and sophistication of phishing has made huge strides in a relatively short timeframe, though, and will continue to refine and become harder to detect going forward.”
Fraudsters will be able to use “automated technologies, deep-fake videos, voice recordings, social media and stolen data to build synthetic identities that act and behave like real people,” she warned. “All with the intent of building trust and then exploiting it for their gain.”
The expansion of the Internet of Things, or devices that are connected to the internet, is a double-edged sword, Albarella added. “In the cybersecurity industry, protection around IoT devices is discussed often, but there is limited discussion happening within smaller businesses or at an individual level in people’s personal lives. Not long ago, we only had to worry about our internet-connected computer, then we had a connected phone and now our entire house, including refrigerators, coffee makers, doorbells, and smoke alarms; and even our bodies — connected organs, pacemakers and medical testing— can be connected to the internet. While connectivity makes life much easier to monitor and makes business communication more efficient, it makes it harder to protect our data across all these devices.”
Part of the challenge is that “the data that these devices collect is very personal and all of that data is stored in the cloud, but “the companies creating these devices are designing them with user experience in mind, not user security,” she said. “With that in mind, there will be increased potential for fraudsters to exploit IoT devices and access corporate networks, install malware or use them to create DDoS [distributed denial-of-service] attacks,” which overwhelm a target or its surrounding infrastructure with a flood of Internet traffic.