Clark Hill | Top 10 Cyber and Privacy Topics for 2021
September 29, 2020
With cyberattacks becoming more destructive and costly, organizations must be aware of and prepared to respond when an attack occurs. As companies continue to innovate in the automotive industry, the more interconnected the technology and data, the more organizations need to be aware of legal security and privacy requirements. Clark Hill experts Melissa Ventrone, member, and Jeffrey Wells, director of cybersecurity consulting, provided background on the most timely cybersecurity issues and how to address them in your organization.
Cyberattacks are not just an IT problem – they involve people, policy, and technology – and there is a lot at stake. Business interruption, brand reputation, consumer safety, costs related to a security breach, and business loss are all factors that may be impacted by cybersecurity risks.
“About 71% of attacks are financially motivated,” said Wells. “Fifty-five percent of these attacks are coming from cybercriminals.”
Further, businesses are more vulnerable than ever. Amid COVID-19, cyberattacks are up 400%. Businesses must carefully assess their vulnerable assets, security protocols, and risks.
“It’s really understanding what your ecosystem looks like and what your industry is concerned with,” said Ventrone. “[It’s] not just looking at 30 days, 60 days, 90 days, but taking that future look at where your industry is driving to.”
Considering the current landscape, the following topics are of key importance.
Ransomware and Extortion Ware
Ransomware is the act of taking over a system through a phishing campaign, malware, or other human interference. In this case, your system becomes encrypted and the hacker demands money for the encryption key. Lately, many cyberattacks have involved a combination of both ransomware and extortion ware, in which the hacker leaks the information they’ve captured while in the system to ensure the organization pays the ransom faster. The FBI has reported a 90% increase in ransomware attacks since COVID-19. Businesses of all sizes are at risk, so training is key to help teams minimize risk.
This involves the psychological manipulation of people into performing actions or divulging confidential information. It can occur across many platforms including voice calls, SMS texting, emails, or targeted spearphishing that appeals to specific circumstances.
Phishing and Spear Phishing
Phishing is an attempt to obtain sensitive information for malicious reasons by masquerading as a trustworthy entity via electronic communications. Emails requesting immediate responses, requiring security updates, and the like point to phishing attempts.
Remote working increases cybersecurity risks. Especially during the COVID-19 pandemic, systems will have to be reevaluated when transitioning back to the office to ensure vulnerabilities posed during remote work don’t carry over to the workplace.
Training and Awareness
The experts emphasized the importance of employees in protecting an organization from cyberattacks. Employees are your weakest link and the first line of defense. Training is often the most underfunded security method, but is the best defense for businesses. Training should occur regularly, and be relevant to not only your business but also to employees on a personal level, “helping them understand not just how they’re protecting the organization, but how they’re protecting themselves as well,” according to Ventrone.
Legal Compliance and Data Protection Regulations
This area is particularly complicated because regulations tend to lag behind the development of technology. Ultimately, location and industry dictate compliance requirements.
Data Collection, Aggregation, and Use
“The more data that you collect, the more data people will want,” said Wells. Data has become a critical business asset driving both opportunities and risks. Companies should assess what they collect, what they do with it, who has access, how it’s protected, and more.
The Internet of Things is a network of physical objects that are connected through the internet or to each other. IoT creates complexity as far as maintaining security across connections and maintaining protection among devices.
Supply Chain Risks
Supply chain risks reside in the reliance on vendors. Businesses can require due diligence for vendors by addressing risks and security requirements in contracts. Taking action to require audits, provide procedures, etc. will help reduce or shift the risk from your business.
Protecting Your Organization
Ventrone and Wells’ ultimate takeaway for businesses is that training is the most essential and important approach to cybersecurity. Other helpful tactics include multi-factor authentication, backups from segmented networks (and testing the restoration), password and access control, and the purchase of cyber insurance. A final helpful tip regarding password strength is for businesses to consider using passphrases instead of single passwords.