Staying Cyber Secure
As threats continue to evolve, cyber-security has to find new ways to stay ahead of hackers and malicious software. At the end of 2021 and the beginning of 2022 we are seeing a wave of new technological advancements, such as AI and biometric systems, integrated at every level of business processes. Cyber-security needs in 2022 will push companies to search for ways to better safeguard highly sensitive data and customer trust.
Traditional defensive tactics are no longer enough, and regulatory bodies have been engaging with cyber-security tech startups to stay on the bleeding edge of protecting against adversaries in this rapidly changing landscape.
Keeping up with Changing Data Protection Laws
One result of a different approach to adopting tech like AI, automation and threat hunting was the enactment of tighter privacy laws in the European Union. The data protection package adopted in May 2016 brought the European Zone one step closer to the digital age with a set of standardized data protection rights across the EU, regardless of where consumer data is processed.
The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, replaced the Data Protection Directive 95/46/EC in 2018 as the primary law regulating how companies protect EU citizens' personal data. Businesses that are already in compliance with the Directive must ensure that they are also compliant with the new requirements of the GDPR. Companies that fail to achieve GDPR compliance before the deadline are subject to stiff penalties and fines.
The baseline set of standards for companies that handle EU citizens’ data has been one step in the right direction to safeguard the processing and movement of citizens’ personal data. A uniform data security law across all EU members is the more logical way to achieve the greatest potential impact on security operations for companies by:
· Requiring the consent of subjects for data processing
· Anonymizing collected data to protect privacy
· Providing data breach notifications
· Safely handling the transfer of data across borders
· Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Getting it Right with the Cloud
In addition to stricter data protection regulations, some companies are flocking to the cloud as a means to better secure their data and process continuity. While the cloud is a versatile and useful technology, it is not a universal solution to existing (and expected) security threats.
Whether it’s private, public, hybrid or a mix of various cloud computing models, there are security doubts. Companies often prefer to keep their data on local servers. Even with managed service providers, it is difficult for companies to assume that the cloud provider will handle all security aspects of the data. All this creates challenges for businesses that are looking to translate their security posture to the cloud environment.
As more companies migrate from offline storage to full cloud-based processing, computing and storage, obtaining third-party reports, such as SOC 2, that attest to the security of the cloud organisations is of the utmost importance.
Adapting to Evolving Threats
Increasing and more sophisticated hacking attacks have compromised both user security and privacy. By exploiting vulnerabilities in existing authentication methods, hackers easily gain access to user inboxes and receive information on deposits, withdrawals and wallet balances on their registered exchanges.
Emails and SMS have been at the centre of a lot of two-factor hacks, most recently as a way to hijack Telegram accounts, intercepting software tokens and setting up last-minute call-forwarding arrangements to intercept codes in transit. The security threat is bigger than people think, with nearly one-third of Bitcoin trading platforms becoming the victim of a targeted attack.
Hackers are now adopting a new approach to trick unsuspecting users into revealing information that can then be used to hijack their accounts. One way is to send the target a text message, pretending to be the very exchange that the target has an account with. Such messages usually rely on a sense of urgency and warnings about possible ‘suspicious activity’ detected on the user's account, prompting the target to text back the 2FA code sent to them to “avoid having their account locked”. Victims tend to cooperate without double-checking with the actual exchange, as the message looks and sounds legit, and proceed to send the code back, believing they have thwarted the attempted hack. But in doing so, they actually give the hacker the one thing they needed to break into their account.
Attackers can sometimes even spoof their identity, so the text looks like it comes from Google, or Facebook, or Apple, rather than an unknown number. Unfortunately, huge data dumps of emails/usernames and passwords from old hacks, notably from LinkedIn, are floating online, giving hackers part of the necessary information to hijack users’ accounts. Furthermore, since a lot of people reuse passwords, this leaves their accounts all the more susceptible to hacking.
While there is no immediate solution to the growing number of hacking attacks targeting users at every level, it is clear that the new focus should be on sizing up security to address evolving threats.
What does this mean for SMBs?
According to Ponemon Institute, over two thirds of SMBs with 100-1000 employees experienced a cyber attack in 2018. Another recent survey in the UK by market research firm Opinium for an internet service provider had almost identical findings. That survey found that nearly two thirds of all businesses with 10-49 employees were targeted by cybercriminals in 2019.
It is not just big corporations that are the obvious targets of attacks anymore, and there is a reason for this. Major companies usually have larger budgets to afford better security, complex monitoring systems and high tech entry devices, which is hardly the case for small and medium enterprises.
Small businesses are increasingly being targeted because they often don’t have such measures, so thieves can evade detection. Many small businesses also overlook the value of the information they store, believing it to be of little interest to anyone. Some small businesses don’t realize they may be targeted because they are an entry point to the network of a larger company they do business with. All of these and other reasons make small and medium businesses lucrative targets for malicious hackers. With good planning and prioritisation, a robust foundation of security can be built to safely grow business in 2022.