The consumerization of IT will continue to wreak havoc on IT departments in 2013 as the rise of bring-your-own-device (BYOD), cloud computing and social media continuously provide ill-intended hackers and cyber criminals expanded platforms to exploit.
As employees use more consumer-grade applications and access more corporate data from unmanaged mobile devices, the network perimeter continues to disappear – along with IT's ability to enforce appropriate security controls.
Convenience and efficiency are top of mind for end-users, while security awareness ranges from limited to non-existent. As a result, security officers will have their work cut out for them in the year ahead. New breeds of sophisticated attacks designed to take advantage of security-ignorant end-users debuted in droves throughout 2012 – and I expect this trend will only strengthen in 2013.
Here are the top 7 end-user security threats that IT departments must be prepared to combat in 2013:
- Social media: Malicious code within ads or third-party apps, posts containing links to malicious sites, and the sharing of sensitive information or derogatory comments will continue to pose real risks in 2013 – ranging from exposing proprietary information to damaging the corporate brand and even inviting lawsuits. Online work and personal identities are merging as employees increasingly use social media platforms like Twitter, LinkedIn and Facebook to communicate with customers, partners and friends. As people become more willing to share personal information online, they extend a dangerous level of trust to new “friends” and “followers,” and open the door to creative new variations of old social engineering attacks.
- Text messaging: A report from the Pew Internet and American Life Project claims that 73 percent of adults with a mobile phone use text messaging – sending and receiving an average of 41.5 messages per day. Most are not likely to think twice about the security implications of clicking on a link in a text. This leaves an open door for attackers to spread malware, phishing scams and other threats among mobile device users. SMS phishing, aka “smishing,” attacks will continue to gain momentum in 2013: unlike the major web browsers, which have built-in phishing protection that alerts the user to suspicious sites, mobile phones offer no equivalent help in avoiding malicious text messages.
- App downloads: BYOD programs make it tough for IT departments to control the security of end-user devices. It is often difficult for employees to understand why they can't download their favorite apps (like Angry Birds) to their personally owned devices – even when those devices contain sensitive corporate data and business applications. At the same time, malicious and high-risk apps are becoming more sophisticated. The number of dangerous Android apps is expected to hit 350,000 by the end of 2012 and one million by the same time next year.
- Email: Spear phishing attacks against the White House and the South Carolina Department of Revenue made headlines in 2012. While spear phishing is on the rise, Wombat Security Technologies' research shows that relatively simple phishing emails are still hooking up to 60 percent of employees. Unlike mass phishing emails, the success of spear phishing depends on three things: (1) the apparent source must appear to be a known and trusted individual, (2) the message contains information that supports its validity, and (3) the request seems to have a logical basis. Social networking makes it easier for cyber criminals to gather the data needed to craft convincing spear phishing emails. Trend Micro reports that 91 percent of recent advanced persistent threat (APT) attacks involved spear phishing tactics to dupe the victim into opening a malicious file or website.
- Cloud services: The use of consumer-grade cloud applications (e.g., Dropbox and web-based email) for business purposes is gaining popularity among employees who naively choose convenience over security. Many end-users don't understand what corporate information is or why it needs to stay within corporate resources. Cloud services bring security risks – data compromise, data loss and service availability – that most end-users don't understand or consider in their rush to adopt the most convenient and easily accessible solution. As data becomes widely distributed across cloud services that are unknown to the IT department, the risk of exposure grows with every service IT cannot see or control.
- Passwords: As the network perimeter disappears, so does IT's ability to enforce password best practices. After years of password breaches and warnings about weak passwords, a large percentage of people are still choosing words like “welcome” or personal information, such as a birthday, for passwords. This ultimately places company data and networks at risk. In a single instance this year, Yahoo confirmed that 450,000 passwords were breached. As more resources sit outside the control of a centralized IT department, enforcement of strong password management controls will become an even bigger challenge in 2013.
- Lost devices: A recent Cisco study claims that nine percent of employees have reported a lost or stolen device, and of those workers, 26 percent have lost a device more than once within a year's time. As mobile devices proliferate in the workforce, the ramifications of a lost or stolen device are huge. Personally owned mobile devices are more difficult to wipe remotely when lost or misplaced, since they are not under IT's direct control. This can expose corporate data to loss and may result in the breach of sensitive data, potentially triggering state, provincial or national data breach notification requirements.
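The Passwords item above names the two weak choices that keep turning up in breach dumps: dictionary words such as “welcome” and personal details such as a birthday. Where IT still controls an account store (a directory, an SSO provider, an internal web app), it can refuse those choices at password-set time. The following is an added example, not code from the original post: a policy check that rejects short passwords, passwords containing a common or breached password (after folding simple leetspeak substitutions), and passwords containing the user's name, username or birthday. The denylist, the 12-character minimum and the user details are constructed for illustration; a real deployment would load a full breached-password corpus.

```python
"""Password policy check for the weak choices described above (added example)."""
import re
from datetime import date

# Constructed sample denylist; replace with a real breached-password corpus.
COMMON_PASSWORDS = ("welcome", "password", "123456", "qwerty", "letmein")

# Hypothetical policy minimum, chosen for illustration.
MIN_LENGTH = 12

# Leetspeak fold so that "W3lc0me!" is still caught as "welcome".
_LEET = str.maketrans("0134@$!", "oleaasi")


def _normalize(password):
    """Lower-case and fold common character substitutions."""
    return password.lower().translate(_LEET)


def _birthday_fragments(d):
    """Digit strings people embed in passwords, longest first so the most specific match wins."""
    y4, y2 = f"{d.year}", f"{d.year % 100:02d}"
    md, dm = f"{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}"
    return [md + y4, dm + y4, md + y2, dm + y2, y4, md, dm]


def check_password(password, username="", full_name="", birthday=None):
    """Return a list of policy violations; an empty list means the password passes.

    birthday, if given, is an ISO date string such as "1985-03-12".
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    norm = _normalize(password)

    # Substring match so that "welcome2013!" and "W3lc0me!" are both rejected.
    if any(common in norm for common in COMMON_PASSWORDS):
        problems.append("contains a common or breached password")

    # Personal information: username plus any name part of three or more letters.
    tokens = {username.lower()} | {
        part.lower() for part in re.split(r"\W+", full_name) if len(part) >= 3
    }
    tokens.discard("")
    for token in sorted(tokens):
        if token in norm:
            problems.append(f"contains personal information '{token}'")

    # Birthday: compare against the digits of the original password only.
    if birthday:
        digits = re.sub(r"\D", "", password)
        for fragment in _birthday_fragments(date.fromisoformat(birthday)):
            if fragment in digits:
                problems.append(f"contains birthday fragment '{fragment}'")
                break

    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user = dict(username="jsmith", full_name="John Smith", birthday="1985-03-12")
    for candidate in ("welcome", "W3lc0me!2013", "JohnSmith03121985", "Tr0ub4dor&3xyzQ"):
        verdict = check_password(candidate, **user) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The birthday check runs on the raw digits rather than the leet-folded string, because the fold would turn “1985” into letters; the name and denylist checks run on the folded string for the opposite reason. Rejecting candidates at set time is cheap, but it only works where the account store is one IT actually controls, which is exactly the point the item above makes.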
Based on the sheer volume and velocity of attacks against unsuspecting and under-educated employees expected in the year to come, it is evident that something must be done to shore up this gaping hole in corporate defenses. Maintaining the status quo will not be a sustainable option in 2013, as resource strapped IT organizations cannot afford to spend increasing amounts of time, money and energy responding to these types of cyber attacks.
Recognizing that humans are still the weakest link in the security chain, many security officers are re-evaluating their approach to cyber security training and embracing new interactive forms of training to improve knowledge retention and behavior modification rates. A new report out from Wisegate cites security awareness as one of the top CSO priorities for 2013.
Further, Chris Christiansen, program vice president for IDC's security products and services group, notes that threats are evolving at a rapid pace as employee adoption of mobile computing and social networking has skyrocketed. He adds that, “The old once-a-year ‘check box' approach to security training cannot keep pace. It is time for employees to understand the importance of security policies and learn how to put them into practice.”
Most employee-caused security breaches occur through ignorance rather than malice. Research shows that organizations with well-understood security policies suffer fewer breaches, and that companies with an ongoing security awareness program suffer 50 percent fewer breaches.
While no risk factor can ever be entirely eliminated, companies that implement new interactive approaches to security awareness training are finding that the payout is worth the investment. As employees learn how to identify and report attacks, they become invaluable to a company's defensive, as well as offensive, security posture.