Staying secure in a dangerous age: Know the threats you face Posted on September 8, 2016 by Tim Burke Fasten your seatbelt. I’m driving into the realm of digital security, which can turn into a rather hairy ride. Despite its challenges, digital security deployment is what stops the hackers, malicious actors, and spies from stealing everything. So let me begin by telling you to stay vigilant, because as the use of digital technologies becomes more pervasive, so do the attempts to exploit it for nefarious purposes. Some numbers, short but far from sweet Here’s a (very) brief overview of what we face, based on a review of events in 2015: Major security vulnerabilities were discovered in more than 75% of popular websites New mobile vulnerabilities increased by over 200% More than 430 million new malware variants were discovered Ransomware increased 35% to an average of nearly 1,000 per day Over 500 million personal records were stolen Spear-phishing campaigns targeting employees increased 55% The number of zero-day attacks jumped 125 3 in-your-face security challenges No question about it: security vulnerabilities are everywhere. But as security defenses become more adept, cyberattack targets tend to shift. Most immediately, we need to pay particular attention to: App attacks. Many apps now include code assembled from third-party libraries as well as code developed in-house – and it’s all vulnerable because those conducting cyberattacks are happy to exploit any hole, regardless of origin, to access the applications at the heart of your business data and processes. What’s more, app attackers have easy access to application exploit toolkits that too often circumvent perimeter, network, and traditional application defenses. It’s no surprise then, that cyberattacks have shifted from servers and operating systems to applications, which are now regarded as the easiest route to accessing sensitive enterprise data. Web attacks. Lack of patching/updating leaves many websites vulnerable – as do insecure plugins, often because these, too, haven’t been updated. Web attacks also come from SQL injection, poorly configured PHP scripts, zero-day threats for which no patches or updates exist, “malvertising,” and ransomware. Social engineering. Arguably, the greatest vulnerability your enterprise faces is people who unwittingly hand over the keys to your digital kingdom. Employees, customers, suppliers – all are susceptible to social engineering exploits: malware campaigns using malware-as-a-service (yes, really), spear-phishing, point-of-sale skimming, online banking Trojans, compromised websites that redirect visitors to still different types of exploits, and tricks no one’s yet recognized. In my next few posts, I’ll drill down into what you can do to defend your business. For now, I leave you with a reminder: digital security is not a product – it’s a process your enterprise depends on.