With the last quarter of 2016 upon us and 2017 looming large, Jamie Graves, CEO of cyber security company ZoneFox, looks at what organisations – including charities – need to do now, and what may be in store during 2017 in terms of cyber security.
- Stay on top of vulnerabilities – Microsoft states that 41.8% of vulnerabilities are given a highly severe rating these days. This is a three-year high! Ensure you’re prioritising and managing your vulnerabilities accordingly.
- Wean your people off Flash – According to Microsoft, 90% of malicious web pages contained Flash. HTML5 handles video streaming well, so Flash is no longer necessary and should be removed from systems.
- Prepare for ransomware – Ransomware has become ubiquitous: 61% of exploit payloads are now ransomware, according to Malwarebytes. Keep good backups, monitor your files for encryption activity, and – ideally – employ endpoint protection with application whitelisting or encapsulation.
- Emphasis on detection – Prevention eventually fails. So, put your money on detecting threats or breaches as quickly as possible. 2016 saw several next-generation platforms come into being; machine learning and user behaviour analytics, along with big data, are helping to detect malicious behaviour more efficiently.
- Get a CISO – The PricewaterhouseCoopers Global State of Information Security survey states that, in 2015, 91% of organisations were following a risk-based cyber security framework, but only 54% had a CISO running their cyber security programme. Roughly half of respondents were running security awareness training, conducting threat assessments, or monitoring cyber intel. There may be a correlation here: a risk-based framework is a great foundation, but it is less effective without a CISO dedicated to driving the initiatives forward.
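As an added illustration of the "monitor your files for encryption activity" advice above (example code written for this page, not ZoneFox's product or the article's own), the following Python flags a process that rewrites several files from low-entropy content to near-random content within a short window, while letting a lone high-entropy write such as an archiver's output pass. The process names, paths and file contents are constructed sample telemetry, and the thresholds are assumed starting points to be tuned per environment.

```python
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ENTROPY_CEILING = 7.5  # bits per byte; ciphertext and compressed data sit above this
ENTROPY_JUMP = 2.0     # rise across a single write that marks the content as encrypted
BURST_FILES = 5        # distinct files per process inside WINDOW needed to alert
WINDOW = timedelta(seconds=60)

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes) -> bool:
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= ENTROPY_CEILING and e_after - e_before >= ENTROPY_JUMP

def find_encryption_bursts(events):
    """events: (timestamp, process, path, bytes_before, bytes_after) tuples.
    Returns {process: burst_start} for each process that rewrote BURST_FILES
    distinct files to high entropy within one WINDOW; a single high-entropy
    write (an archiver producing a .7z, say) does not alert on its own."""
    hits = defaultdict(list)
    for ts, proc, path, before, after in sorted(events, key=lambda e: e[0]):
        if looks_encrypted(before, after):
            hits[proc].append((ts, path))
    alerts = {}
    for proc, writes in hits.items():
        for i, (start, _) in enumerate(writes):
            in_window = {p for t, p in writes[i:] if t - start <= WINDOW}
            if len(in_window) >= BURST_FILES:
                alerts[proc] = start
                break
    return alerts

# Constructed sample telemetry: a hypothetical "cryptor.exe" rewriting six documents,
# a word processor saving ordinary text, and an archiver writing one compressed file.
def sample_plaintext(i):
    return (f"Quarterly donor report {i}\n" * 200).encode()

def sample_ciphertext(i):  # deterministic stand-in for ciphertext: chained SHA-256
    out, block = b"", hashlib.sha256(str(i).encode()).digest()
    while len(out) < 4096:
        out, block = out + block, hashlib.sha256(block).digest()
    return out

T0 = datetime(2016, 10, 3, 9, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=i), "cryptor.exe", f"finance/doc{i}.docx",
                  sample_plaintext(i), sample_ciphertext(i)) for i in range(6)]
SAMPLE_EVENTS += [(T0 + timedelta(seconds=5), "winword.exe", "finance/notes.docx", sample_plaintext(1), sample_plaintext(2)),
                  (T0 + timedelta(hours=1), "7z.exe", "finance/archive.7z", b"", sample_ciphertext(7))]
```

Running `find_encryption_bursts(SAMPLE_EVENTS)` returns only the hypothetical cryptor process with the time its burst began; in production the before/after bytes would come from an endpoint agent's file-write hooks rather than from memory.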
Five years ago, the term CISO was not popular, ransomware was only a twinkle in its daddy’s eye, and Flash vulnerabilities were relatively few and far between – but times are changing.
What’s in store for 2017?
It looks as though there will be a number of heavy hitters next year:
- (Further) Proliferation of mobile malware – Mobile malware seems to be growing at an exponential rate. Security researchers at Check Point Software have found upwards of 10 million Android phones infected with auto-rooting malware. The idea that some mobile malware can embed itself in a phone’s bootloader and remain persistent even after factory reset is a scary thought.
- Internet of Things leveraged for attacks – In September 2016, Brian Krebs’s blog, KrebsOnSecurity, went down due to a 620Gb/s(!) Distributed Denial of Service (DDoS) attack carried out by IoT devices. The Mirai malware code – used in the attack on Krebs – has recently been released, which means that attackers will be able to recruit vulnerable IoT devices for similar attacks.
- Emphasis on obtaining, training, and retaining cyber security staff – Over the past few years, much focus has been placed on buying the best tech, hiring consultants and auditors, and putting employees in place to monitor and respond to cyber threats. Unfortunately, there are more positions than there are qualified cyber security analysts. This is a problem. Either employment requirements should be relaxed (i.e. no degree required), or employees must maintain certifications and regular training to stay up to date with the latest threat trends and technologies.
- User Behaviour Analytics and Artificial Intelligence – AI and UBA may be among our saving graces next year; leveraging them will provide new means for detecting threats, reducing the need for eyes on glass and allowing the good guys to actively remediate threats as they appear.
Many of the trends of 2016 are going to stick with us and new ones will emerge over the coming months – so it’s important to keep cyber security as a priority.