What’s the biggest cybersecurity risk businesses aren’t taking seriously enough?
Encryption, asset management system security and third-party vulnerabilities top the list of areas executives should be watching.
Senior Vice President and Chief Technology Officer at McAfee
One of the biggest cybersecurity risks that businesses aren't taking seriously enough today is the threat quantum computing poses to encryption. Encryption is the primary technology protecting critical data for organizations across the public and private sectors, often over untrusted networks such as the internet. We anticipate that quantum computing will be able to break key encryption algorithms such as RSA, which is used ubiquitously in the protocols and standards upon which organizations rely.
But while this appears to be an issue for tomorrow, it is actually an issue for industry today because it is possible for malicious actors to siphon off and store encrypted data, and then decrypt it as quantum computing becomes practical.
Industry needs to start working more quickly on a post-quantum ecosystem, and businesses need to assess their systems and make it possible for them to quickly implement quantum safe encryption as soon as it becomes available.
Summer Craze Fowler
Chief Information Officer at Argo AI
Agnostic of a particular threat or technology, there are two critical things that organizations fail to do: The first is to have a cyber security program that reflects the risk profile of the company leadership and has been effectively communicated across the company. Without an understanding of the organization's appetite and tolerance for risks, cyber security programs are left to make their own determination of where to invest resources. This often leads to cybersecurity programs that are totally misaligned with the goals and needs of the organization. The best way to assure alignment is to have cyber security representation at the table during normal business discussions.
The second major risk is that organizations often overlook asset management. Understanding the landscape of people, processes, information, technology, facilities and external dependencies is fundamental to any security program. Seeing a complete picture allows for prioritization of resources. Comprehensive asset management leads to much better prevention, detection, response and recovery for any cyber event or incident.
Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society
I think the answer differs depending on the size of the business. But everyone needs to be concerned about the cybersecurity of third-party vendors, not just their own security. So many high-profile breaches of companies originated with the hacking of a vendor that had a business partnership with the company. This is something that midsize and large companies already think about, but small businesses may be having a hard enough time just with their own security to think about third parties' security, too.
But even if you're a small business, anyone your business has a contract with, if they're going to get access to sensitive data about your company or your clients, you need to be talking to them about their security and contracting for that.
Chief Technology Officer, Security at Gigamon
The biggest risk that I feel businesses aren't taking seriously right now (likelihood and impact) is sophisticated ransomware. There are three areas where every business should focus on this: (1) reviewing and exercising their incident response plan, (2) reviewing and working through contacts for their cyber security (and ransomware) insurance and (3) reviewing and testing their backup and recovery strategy.
Most organizations I interact with do not do comprehensive threat modeling, and with the continued rise of more sophisticated threats like SamSam, Ryuk and FIN6, it's not just script kiddies doing ransomware anymore.
Managing Director and North America Lead at Accenture Security
The sizable number of vendor relationships that most organizations have poses a significant risk to their ability to defend their business. Cybercriminals understand that even if an organization has strong security, its suppliers may not.
In Accenture's Third Annual State of Cyber Resilience study, we take a close look at how organizations are prioritizing security, the effectiveness of those efforts and the impact of new security-related investments. In the 4,600+ organizations surveyed, we found that an alarming 40% of breaches are coming through vendors and third parties. It's a situation that has created a new battleground for organizations even before they've mastered the fight in their own backyard.
With cyber threat groups becoming more patient and skilled, it's not just an organization's supply chain that is victimized. Extended supply chains made up of smaller suppliers are particularly ripe targets, as they often lack robust cybersecurity defenses.
Given the large percentage of supply chain breaches, organizations need to ensure their cyber defenses stretch beyond their own walls. We strongly recommend boosting collaboration with business partners to share knowledge of threats and leveraging external cyber intelligence reporting to gain a greater understanding of which supply chain links are most vulnerable to attack.
Director of Strategic Threat at Darktrace
The short answer is that the sheer scale and scope of cyber-attacks is the risk not being taken seriously enough.
Small to medium institutions, whether companies, cities and municipalities, or federal agencies, need to stop hiding behind the myth that their company or town is not worth the time or effort for a cyberattacker. The scale, sophistication and speed of cyberthreats, enabled by automation, a robust black market and open-source tools, have totally changed cyberattackers' calculus. Rather than targeting companies based on their size, industry, assets or market share, cyber actors are now going after the vulnerabilities, wherever and whatever they are. Today, every company is being targeted. Organizations need to take the risk seriously and identify the team and technologies that should be in place.
For large companies with robust security programs, the risk is more about whether their security approach, resource allocation and technologies are evolving at pace with the attackers. The outlook is especially bleak when it comes to attracting and keeping cybersecurity professionals. Luckily, the speed of technological change, especially the application of artificial intelligence, is saving time for human teams and creating new areas of security value. Security teams need to evaluate and adopt these new technologies, or they run the same risk as small and medium businesses that have not prioritized cybersecurity. It's not enough to merely keep up with attackers; businesses need to be one step ahead.
Author and Instructor at SANS Institute
Taking into consideration and preparing for the unknowns. Organizations need to be better at predicting what is realistically in their risk profile, not just the latest development in the media. A blinky box or a piece of software is not going to save the company from cybersecurity mishaps.
Businesses are looking for an easy way out — this does not exist in cybersecurity. Each industry, each business, each employee has their own individual risks, there is no "one size fits all" security plan available. Everyone from C-suite, to managers, to technical support need to be aware of what may occur and to try their best to mitigate it. This mitigation may be in the form of training.
Perhaps a better understanding of current, future as well as past threats could be used to determine the likelihood of cybersecurity occurrences in their particular industry. Reviewing the security plan and using tabletop scenarios to assess the plan and make changes or updates is also a recommendation.
Throwing money at a specific piece of expensive technology is wasteful. Encouraging employees to learn about the technologies available while also allowing them to test and experiment on their own infrastructure is money well spent. Each business is different and will need a different implementation. Employees who can learn the fundamentals, learn the risks, implement ideas and learn from the bad ones are more likely to have a better understanding of overall cybersecurity in their environment.