Cyber attacks increasingly threaten businesses, and the attack vectors continue to proliferate even as we speak. Here are 22 (and counting) you’ll want to consider right now:

Malware

Malware is any malicious code introduced into a computer system for the purpose of compromising the system’s integrity. Malware can steal or delete system data outright, modify system functionality, hijack systems for the purpose of extracting financial ransom, and even track the activities of system users. Malware attacks, which account for at least 28% of all data breaches¹, can be introduced into a system via:

• The installation of software and system patches by a system user or administrator
• Malicious websites accessed by system users
• Emails containing malicious attachments intended to be downloaded by a system user
• Other forms of hacking

Social engineering

Social engineering is the manipulation of a system user into performing an action that reveals sensitive data stored on the system or otherwise compromises the integrity of the system. Social engineering attacks account for at least 33% of all data breaches. Social engineering attack vectors can include:

• Emails with malicious attachments
• Emails containing links to malicious websites
• Phishing scams (emails requesting, cajoling, or even demanding the user provide sensitive information to the sender, including system login credentials)

Physical theft and loss of enterprise devices

Whether we’re talking about desktops, laptops, tablets, smartphones, hard drives or other devices that contain system data, the rule of thumb is that if it isn’t padlocked, it’s safe to assume it can be lost or stolen. Once stolen (or lost), even if a device is password protected, it’s not necessarily impenetrable. An unlocked device that connects to an enterprise system is no different from an unlocked door to a house.

Abuse of privilege

At least 30% of all data breaches are caused by individuals working from inside an organization. About half are accidental; the other half are intentional abuses of privilege. As Forbes puts it², “If you thought hackers were your biggest security risk, think again. Internal attacks are among the top threats, partially because it’s incredibly easy for people who already have access to sensitive data to abuse it.” Internal attackers can include:

• Disgruntled employees
• Employees who have already been terminated but have not yet relinquished their system credentials
• Employees and other insiders looking for ill-gotten gain (this includes insiders planted by outsiders)

Insider negligence

The other half of data breaches caused by insiders to an organization are inadvertent, including executives and even members of the C-suite. We’re talking human error here, including:

• Weak passwords
• The “coffee-shop problem” (using public networks to run enterprise programs containing sensitive data)
• Sending sensitive information to the wrong recipient
• Sharing system credentials
• Inadvertently downloading malware
• Falling for social engineering attacks
• Failure of an individual or a system administrator to apply software patches and coding/configuration errors (such that information intended to be confidential becomes internet-facing and/or searchable on the web)
• Misconfiguration of devices /badly implemented changes

Use and misuse of personal devices

Many workplaces (including Exela’s own MegaCenters) ban the use of personal data-storing devices. The goal is not to keep employees from spending their work hours checking Facebook, but rather to eliminate an easily controllable security vulnerability. A personal device on which enterprise data is stored might as well be an enterprise device—except that it’s far less secure because the enterprise has far less control over it. And like an enterprise device, when unlocked, it becomes an open door into the enterprise’s systems and data.

Cloud vulnerabilities

If it weren’t for the cloud, using multiple devices, both professional and personal, wouldn’t be nearly as seamless. The cloud allows you to access enterprise data wherever you go on any device that’s capable of accessing the cloud. In fact, many of Exela’s solutions are cloud-enabled for just that reason. But we provide our cloud-enabled solutions with confidence because ours are built “and function in accordance with” the high standards of security noted here. Not all cloud storage comes with that level of encryption or authentication, and so, like the personal devices on which the cloud is accessed, the cloud has the potential to become an open door through which the “bad guys” can enter.

Third party providers

The more third party service providers your enterprise uses, the more opportunities that exist for security gaps and glitches. Whatever systems you connect to theirs become subject to their system vulnerabilities—not just technological but human. This is one reason why a single-provider model is advantageous in digital transformation initiatives.

For each attack vector, there are best practices to avoid breaches. We’ll be discussing those best practices in the weeks ahead, as well as how keeping those bad guys out is a business priority at Exela and other of-the-moment security topics. If you missed the earlier posts in this series on cyber security, you can catch up here on:

• Why security is the transformation you should be talking about
• What we’re really talking about when we’re talking about security
• 21 Staggering Security Statistics Every Business Should Consider

Gotta read it all now? You can download the entire series as a flipping-book here.

A Leap Into The Breach: Leveraging
Cybersecurity to Master Your Domain

In the future, be sure to subscribe to Exela’s quarterly thought leadership publication, PluggedIN for up-to-the-minute news and views on topics that matter to you

1. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
2. https://www.forbes.com/sites/ericbasu/2015/11/05/the-top-5-data-breach-vulnerabilities/#798ca8064d04

Innovation benefits not only businesses but also bad actors. As digital transformation becomes increasingly ubiquitous, more data becomes vulnerable to attack from more points of vulnerability and from more potential attack vectors. In the last year alone¹:

• Web attacks are up by 56% (e.g., breaches introduced from a third party website)
• Supply chain attacks are up by 78% (e.g., breaches introduced through/by vendors and third party service providers)
• Attacks that come from email attachments that are actually office files are up 43%

To minimize the risk of a data breach, businesses need to be as innovative in their approach to security as they are in their approach to digital transformation. Just as digital transformation requires an overarching enterprise-wide strategy, so too does security transformation, including securing the right digital transformation team, the right security team, and ensuring appropriate checks and balances between them. All of that requires much of what an effective digital transformation requires, not the least of which involves embedding the “culture” into the enterprise through:

• stakeholder buy-in
• necessary capital investment
• some level of organizational fluidity

Based on our own experience as a digital transformation partner to over 4,000 businesses across the globe, as well as our constant monitoring of the digital and security transformation landscape, we’ve come up with the following best practices for getting security right in your digital transformation:

Assemble the proper team

Before you can even begin to assess the potential risks involved in digital transformation you need to be able to assess the inherent risks as well as the laws with which you’ll have to be compliant. That means assembling the right team, including the following (some of whom may overlap, depending on organizational structure):

• A senior level information security officer
• Legal counsel or other experts capable of outlining compliance requirements
• A team (or teams) reporting to the top information security officer to:
  • monitor compliance, including staying abreast of changes to laws, rules, and regulations
  • respond to security breach incidents
  • respond to the consequences of breach-incidents (including interacting with end-users)

All of these team members should be embedded into your enterprise’s overarching business strategy, looping them in at every level of decision-making and execution.

Taking inventory and assessing the risks

With the proper team assembled, it’s crucial to take an inventory of:

• All key processes
• All systems that deliver key processes
• All data delivered to, delivered by, stored in, and processed via those systems
• All such data that is sensitive, proprietary, or otherwise subject to regulation
• The laws, rules, and regulations applicable to that data
• Existing vulnerabilities
• Potential vulnerabilities
• Industry-specific vulnerabilities

Creating policies and plans to address the vulnerabilities

This may include coming up with new ways of authenticating system-user credentials, policies regarding enterprise- as well as personal-devices, policies regarding security clearance for employees and others on the premises, and policies regarding use of networks and social media. Despite that one of the aims of digital transformation is a breaking down of information silos, it’s also critical to put protocols into effect that ensure any information made “accessible” as a result will be accessible only by those with a need, or permission, to know it.

Training and educating…everyone from employees to the chief executive

Some experts estimate that as many as 95% of all data breaches² are the result of human error. But that percentage includes error at the coding level at all levels of supply chain. Others place the percentage at closer to somewhere between 40%³ and 50%⁴, where the error is limited to user-interaction with the system in question. Whatever the percentage, the reality is that if you were to ask 10 employees what they might be doing that puts enterprise data at risk, at least half might not have any idea—that is, unless you provide them with training/education on system and data security. This includes general training/education about security, why it’s required, and what’s at stake when it’s compromised, as well as specific topics that address of-the-moment security risks. At this moment, that might include:

• How to identify phishing schemes
• How to identify unsafe websites and links
• How to recognize malicious email attachments
• Proper password management (including requiring strong passwords and periodic password updates)
• Proper device and workstation security
• Social media awareness

Laying down and enforcing security-focused protocols

Where training and education fail, protocols—especially those that are consistently enforced and periodically reiterated—can pick up the slack. For example, protocols regarding:

• Using public networks
• What to do if a device is lost or stolen
• What can and can’t be shared on social media
• What to do when sensitive information is requested by email or otherwise
• Multi-step authentication processes disclosing sensitive data or access to databases containing the same
• The use or ban from use of non-enterprise devices while on enterprise premises
• The taking of photographs and screenshots on enterprise premises
• The tracking and return of enterprise-issued devices and badges and other credentials upon termination of employment

Create a strong response plan

System and data security requires a response plan in the event of a breach. An effective response plan can significantly mitigate the damages of a breach. Such a plan would include:

• A means for identifying new risks and vulnerabilities and a protocol for conveying them throughout the enterprise and to third parties who need to know
• A means for detecting breaches long before the average detection time of 100 days
• A protocol for responding to detected breaches, including:
  • isolating affected system segments
  • shutting down access to those segments and the data accessible within
  • notification of whomever needs to be notified under applicable law (from end user to law-enforcement to forensics experts to attorneys)
  • A protocol for post-incident procedures, including documenting the incident and collecting data to improve future responses and update security protocols to meet current risks
  • A post-incident public relations/marketing response
  • Embedding the response plan into the related business processes
  • “Fire-drills” that reinforce the plan essentials in the minds of the key players

Keeping the “bad guys” out involves a combination of prevention, detection, action, and agility. Make sure your enterprise has all of these covered.

In the weeks ahead, we’ll be diving in to explore how system and data security dovetail with data privacy and all the laws and regulations with which your digital transformation provider should be compliant. We’ll also explore those security matters you’ll want to consider when choosing your digital transformation partner. If you missed the earlier posts in this series on cyber security, you can catch up here on:

• Why security is the transformation you should be talking about
• What we’re really talking about when we’re talking about security
• 21 Staggering Security Statistics Every Business Should Consider
• How the Bad Guys Get In: Cyber Attack Vectors

Gotta read it all now? You can download the entire series as a flipping-book here.

A Leap Into The Breach: Leveraging
Cybersecurity to Master Your Domain

In the future, be sure to subscribe to Exela’s quarterly thought leadership publication, PluggedIN for up-to-the-minute news and views on topics that matter to you.

1. https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-executive-summary-en.pdf
2. https://fraudwatchinternational.com/security-awareness/what-is-cyber-security-awareness-training/
3. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
4. https://atlasps.com/2019/02/data-breaches-caused-by-human-error-major-cybersecurity-threat-2019/