As a leader of your organization, you’re no doubt kept up at night by a routine of risks and threats, both known and unknown. If you’re like most executives, it’s the latter that grind your gears. All the SWOT analyses in the world can’t prepare you for what you don’t know — that is, the “unknown unknowns.” These are the threats you suspect are out there, but can’t see directly, much less understand.
“Unknown unknowns” abound in the world of digital security. This is due in part to the fact that the digital threat landscape evolves daily. The most pressing threats of today won’t be the most pressing threats next month or year; they’ll probably seem quaint by comparison.
Investing in a comprehensive cyber protection program is an essential first step, one that you should already have taken. (If not, get moving — better late than never, as they say.)
But the proliferation of “unknown unknowns” is also due to the deep and persistent knowledge gaps afflicting many organizations. Simply put, you can be a competent executive without being particularly well-versed in digital security issues. Cybersecurity, after all, has long been the purview of highly specialized professionals in whom non-technical decision-makers place near-absolute faith to anticipate and parry threats as they arise.
You can and should continue to rely on these specialized professionals for strategic and day-to-day threat mitigation. In a rapidly evolving threat landscape, you don’t have any other choice.
At the same time, it’s crucial to arm yourself with as much knowledge of the various threat types and vectors as possible — at least, as possible for a non-expert with a dizzying array of other responsibilities.
You’ve gotten this far, all the way to the top of your organization. You’re more than capable of wrapping your mind around the digital threats that could upend your organization and devastate its competitive advantage. Now, it’s time to educate yourself about the cyber-perils you’re facing every day and shore up your defenses accordingly.
- Viruses: Old School, New Threats: Viruses and worms (see below) are nearly as old as computing itself. Since the dawn of the Internet age, malicious developers have taken pleasure from the misfortune of others — injecting aggressive, self-replicating bits of code into computing systems and networks in a bid to cause chaos or gain competitive advantage.
It’s a sordid business, one that continues to this day. Indeed, it’s virtually certain that your organization’s systems or individual devices have been beset by multiple computer viruses this year. Whether they’ve suffered any ill effects is down to the strength of your organization’s antivirus protection.
What You Can Do: To that end, invest in a first-rate antimalware suite that regularly updates to incorporate and defend against new threats. Be sure to do your due diligence; not all antimalware suites are alike, however interchangeable they may seem at first blush.
- Worms: Low-Key, High Risk: To laypeople, worms and viruses seem similar: both spread and self-replicate by exploiting failures in victim systems’ security architectures, leaving a trail of destruction in their wake.
It’s important to understand the subtle distinctions between the two, however. Notably, worms are less likely to corrupt or otherwise alter files on victim systems, but they can consume extensive amounts of bandwidth to the extent that they cripple or disable devices or networks they infect. Some of the world’s fastest-spreading malware attacks have been caused by worms.
What You Can Do: Again, antivirus protection is key. So is keeping close watch on common vectors for worms and other malware, such as email. We’ll discuss more about email hygiene a bit later.
- Trojans: Sneaky, But Powerful: A trojan is an unusually insidious piece of malware that mimics legitimate computer programs — tricking the victim into downloading and installing an app that could do them great harm.
Trojans come in a dizzying variety of forms. Some exist solely to steal particular types of information, such as financial data or trade secrets, while others work to conceal the existence of other malware that may surreptitiously work on your system. One small benefit: they generally can’t self-replicate.
What You Can Do: Be very suspicious of files and programs of unknown origin, even if you trust the sender. Antimalware programs don’t always catch bespoke trojans.
- Ransomware: Holding Your Company Hostage, One Device at a Time: Ransomware is an increasingly urgent threat for organizations with dispersed device ecosystems. According to TechTarget, ransomware is “a subset of malware in which the data on a victim’s computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim.”
The nice thing about ransomware is that it’s theoretically possible to recover from: each attack comes with detailed instructions for paying the ransom and releasing the data. However, ransomware is still highly disruptive and can result in extensive data loss; the best defense is a comprehensive backup.
What You Can Do: Back up all your data at regular intervals, both on physical media and in secure cloud storage caches. Your goal should be to take a comprehensive snapshot of your organization’s entire data trove, leaving little for ransomware attacks to deprive you of. Think carefully before paying any ransoms; those who spread ransomware are, after all, criminals, and there’s no honor among thieves.
- Phishing: Still Working After All These Years: Phishing is a type of credential theft that uses email — usually unsolicited — as a vector. The typical phishing email manifests as a request for account information, passwords, or other sensitive data.
Some phishing attempts are patently amateurish and ensnare relatively few victims. Others are quite believable and may have higher success rates (though still low in absolute terms). For higher-value targets, phishing is increasingly supplanted by spearphishing, which we’ll learn more about in a moment.
What You Can Do: Never respond to emailed requests for sensitive information, even if you know and trust the sender. After all, many phishing attacks originate from captive accounts — email addresses whose owners have already been hacked.
- Spearphishing: A Sophisticated Take on an Old Trick: Spearphishing is a more sophisticated type of email-based credential theft, one that targets the potential victim’s weaknesses and exploits their trust.
Whereas traditional phishing generally uses “spray and pray” tactics, targeting hundreds or thousands of addresses at once, spearphishing usually targets one individual (or, at most, a handful of individuals) with access to particularly high-value information, often of a financial nature. Spearphishing is also increasingly common in corporate and nation-state espionage operations; sophisticated hackers use the tactic to relieve companies and government agencies of the data or processes upon which they base their competitive advantage.
What You Can Do: Use a sophisticated spam filter that can detect variations in sender patterns, and never respond to emailed requests for sensitive information. If you suspect that a trusted account has been compromised, call the account owner directly, then notify your corporate IT team.
- Supply Chain Attacks: Out of Your Control? A Bloomberg story on a potential “hardware hack” targeting Chinese-made devices got the cybersecurity world tittering in late 2018. While subsequent updates walked back some of the most sensational claims and cast doubt on others, the hack nevertheless illuminates the complexity — and attendant vulnerability — of the modern supply chain.
It’s only a matter of time before an even more egregious hardware hack makes the news. In the meantime, supply chain software hacks are ubiquitous. Some of the decade’s most devastating cyberattacks used insecure third-party vendors as vectors; in 2013, for instance, retail giant Target was crippled by a data breach originating with a regional HVAC vendor.
What You Can Do: Hold your suppliers to the same high standards that you hold your internal teams. If your organization follows a particular security protocol, mandate that your vendors do so as well — or refuse to work with them until they do. If your organization doesn’t have that sort of leverage, look to vendors that tout their attention to cybersecurity detail.
- Zero-Day Exploits: Truly Unknown Unknowns: Even the name sounds scary. And, in truth, zero-day exploits are very concerning. They’re essentially the poster child for “unknown unknowns” — security flaws wired into operating systems and platform software from day one. Until they’re discovered and exploited by malicious actors (or, in fortunate cases, white hat hackers), their existence remains under wraps.
What You Can Do: Patch your operating systems and other platform software as soon as vulnerabilities are discovered. Regularly update software, too; often, patches are included in regular updates. Respond to particularly egregious zero-day exploits by changing your software vendor altogether.
- Cryptojacking: Making Money for Someone Else: Cryptojacking sounds cool, but it’s as disruptive for its victims as it is profitable for its perpetrators. Basically, cryptojackers hack into victim systems and harness their computing power to mine cryptocurrency, an ever-more time-, bandwidth-, and energy-intensive task. The greater your system’s power, the more attractive it is to cryptojackers.
What You Can Do: No bones about it: cryptojacking is a complex beast. For more on how to defend your organization against those who’d exploit its computing resources to their own ends, read this excellent primer from CSO Online.
- Nation-State Attacks: They’ll Get What They Want, One Way or Another: Although nation-state attacks can take many different forms and utilize any of the vectors described above, they’re worth calling out separately for their sophistication and persistence. U.S. intelligence agencies describe nation-state and organized crime actors as “advanced persistent threats,” or APTs, for precisely this reason. It’s not much of an exaggeration to say that, if and when a nation-state actor targets your computer systems or networks, it’s going to get what it wants.
What You Can Do: This isn’t to say you shouldn’t take steps to defend against nation-state attacks (and attacks from organized crime syndicates working hand-in-glove with nation-state actors). Cybersecurity insurance is an effective mitigator, and investing in top-of-the-line cyber protection that provides reliable backstops for lost data is a must as well.
- Cross-Site Scripting: A Developer Special: Cross-site scripting is a development-stage bug that can play havoc with the online experience and expose systems and devices to serious data breaches. In a typical cross-site scripting attack, hackers insert malicious code into website code, allowing unauthorized access and exploitation. Although XSS, as it’s known, is no longer seen as the threat it once was for users of the public Internet, it remains a significant and pernicious vulnerability.
What You Can Do: Defenses against XSS attacks tend to be technical and opportunistic. The most common is contextual output encoding, which stymies the effectiveness of the typical XSS attack. Other tactics include enhancing cookie security, disabling scripts (selectively or otherwise), and taking defensive measures to validate non-trusted HTML output.
In any case, you’ll want to interface directly with your cybersecurity team to strategize about how to reduce your vulnerability to XSS attack and take commonsense measures to mitigate the damage if and when such an attack occurs.
Digital Security Is Never Done
We’ve covered quite a lot of ground here. If there’s one final point to make about cybersecurity, it’s this: the work is never done.
Put another way, shoring up your company’s defenses against common and not-so-common threats and threat vectors is a task with no defined endpoint. You’re never going to be able to hang up your hat at the end of the day and say, “Well, that’s a wrap — I don’t have to worry about digital security anymore.”
Cyber threats will always lurk out there, just beyond the horizon. Now that you’ve had a chance to learn about many, you’ll no doubt find yourself in a better position to protect and defend your organization against them.
But you’ll also have to contend with those pesky “unknown unknowns.” Those won’t disappear anytime soon; if anything, they’ll grow more numerous, sophisticated, and esoteric. Imagine playing Whac-a-Mole on a board the size of your living room and you’ll begin to understand the enormity of the task — though that may still understate things.
Still, knowledge is your best ally in the fight against cyber threats. Here’s to arming yourself as best you can, and to taking concrete steps to address potential weaknesses in your security posture before they do real harm to your organization.