Cybersecurity Insights from CDW: What Enterprise CISOs Need to Know About Internal Threats
By: Orhan Yildirim
Recently, CDW released a comprehensive, thought-provoking compilation of insights on cybersecurity, compiled and summarized by Sadik Al-Abdulla.
We highly recommend spending time with this report, which is over 100 pages long and shares the vision of several highly respected cybersecurity companies.
“We have reached a tipping point when it comes to the volume and dynamics of the threats we face,” the report starts out. “The landscape is not only changing but it seemingly shifts daily. And to complicate matters further, as the world continues to be increasingly connected, organizations are becoming more vulnerable.”
What’s most interesting about this publication is how elegantly it blends security into business models and applications, particularly as the world becomes more connected and enterprises transform how they communicate and deliver services more digitally every day.
Bottom line? Data and information are now tied directly to profit, and consequently, security is no longer an afterthought.
With a rise in ransomware attacks (many of which we’ll never hear about due to the sensitive nature of the breached enterprises), cybercrime has become a trillion-dollar industry, dwarfing the $100B spent each year by enterprises and organizations on security, according to Gartner’s research.
When this level of theft can be so easily monetized, more and more adversaries are jumping on board, and many of those adversaries – in fact probably half – are internal.
While spear phishing and other traditional breaches are still prevalent, and a single click that opens the door for attackers to pivot into an enterprise network (one the enterprise assumed was private) is an increasingly common entry point, the sophistication behind large breaches comes from the dark side – inside.
Today a single cyberattack can shut down a government or a business.
A single digital thief can hold a large company hostage for cryptocurrency-based ransoms, which cannot be traced in many cases by law enforcement.
“But it’s not all doom and gloom,” the report says, “Because there’s so much riding on security, the C-Suite has become involved in the conversation. And with a strong business case, IT is making inroads with a new seat at the table.
“Cybersecurity will never be easy, and it might seem daunting at times,” says Al-Abdulla, Director of Security Solutions for the company. “That’s why CDW created this guide. It explores the different ways organizations approach security and mitigate risk. It also presents research and various perspectives from industry leaders across the world. In the end, we hope it helps your organization develop a stronger security posture.”
Colleague Mark Lachniet, Security Solutions Manager at CDW, points out in the report: “Considering that the average data breach in North America costs enterprises a whopping $1.3 million and $117,000 for small and medium businesses, respectively, it has never been more important for organizations of all sizes to take the necessary precaution and invest in a comprehensive security plan,” and describes a “Pandora’s box of new, ever-changing threats.”
Lachniet shares an example of a typical vulnerability, where Windows shops use the same local administrator password across multiple systems. “This happens regularly, and for understandable reasons, like easing management overhead or because it’s default behavior when provisioning a batch of computers using a disk image.”
Shockingly, this one practice has “probably allowed CDW’s penetration testing team to compromise more systems than any system ‘exploit’ that you might read of in the news. The reason is simple. Once the team gains access to one system — be it an end-user workstation or a server — they can almost always crack or impersonate that local administrator account (or other accounts on the machine) to hack other devices with the same password, and then use it to access even more machines.”
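The shared-local-administrator problem Lachniet describes is easy to audit for once an organization has an inventory of which credential each host uses. The following is an added example (not code from the CDW report or its authors): it takes a constructed inventory mapping hostnames to a fingerprint of the local administrator credential, as authorized configuration-management tooling would collect it, groups hosts that share a fingerprint, measures the resulting blast radius, and shows the remediation of issuing a distinct random password per host (the approach Microsoft's LAPS automates). The hostnames, fingerprint strings and the `audit_salt` value are all assumptions for the demo.

```python
"""Audit a fleet for local administrator password reuse and remediate it.

Added example, not from the CDW report. The inventory is constructed.
The audit never needs the passwords themselves: two hosts share a local
administrator credential exactly when their fingerprints match.
"""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample inventory: hostname -> credential fingerprint.
# A fingerprint repeated across hosts is the "same local admin password"
# pattern described in the report.
SAMPLE_INVENTORY = {
    "ws-001": "fp:9a1c",
    "ws-002": "fp:9a1c",
    "ws-003": "fp:9a1c",
    "srv-db-01": "fp:9a1c",
    "srv-web-01": "fp:4e77",
    "ws-004": "fp:c03b",
    "ws-005": "fp:c03b",
}


def find_shared_credentials(inventory: dict[str, str]) -> list[list[str]]:
    """Return clusters of hosts that share a local admin credential.

    Clusters are sorted largest first; hosts inside a cluster are sorted.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for host, fp in inventory.items():
        groups[fp].append(host)
    clusters = [sorted(hosts) for hosts in groups.values() if len(hosts) > 1]
    return sorted(clusters, key=lambda c: (-len(c), c[0]))


def blast_radius(inventory: dict[str, str]) -> int:
    """Count hosts reachable from any one of them via a reused local admin credential."""
    return sum(len(cluster) for cluster in find_shared_credentials(inventory))


def report(inventory: dict[str, str]) -> list[str]:
    """Human-readable findings, one line per reuse cluster."""
    lines = []
    for cluster in find_shared_credentials(inventory):
        lines.append(
            f"{len(cluster)} hosts share one local admin credential: "
            + ", ".join(cluster)
        )
    if not lines:
        lines.append("No local administrator credential reuse found.")
    return lines


def unique_password(length: int = 24) -> str:
    """Generate a random per-host password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fingerprint(password: str, audit_salt: str) -> str:
    """Fleet-wide salted fingerprint so reuse stays detectable without storing passwords."""
    return "fp:" + hashlib.sha256(f"{audit_salt}:{password}".encode()).hexdigest()[:16]


def remediate(inventory: dict[str, str], audit_salt: str = "assumed-audit-salt") -> dict[str, str]:
    """Return a new inventory in which every host has its own random credential.

    In a real deployment the generated password would be set on the host and
    escrowed in the directory or vault; here only the fingerprint is kept.
    """
    return {host: fingerprint(unique_password(), audit_salt) for host in inventory}


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
    print("blast radius:", blast_radius(SAMPLE_INVENTORY))
    print("after remediation:", report(remediate(SAMPLE_INVENTORY)))
```

Run on the sample inventory the audit reports two clusters (four hosts on one credential, two on another), so six of seven hosts are exposed to the lateral-movement pattern the report describes; after `remediate()` no cluster remains.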
Summarizing that enterprises need a cultural change in addition to a technology change, CDW recommends structuring internal conversations around two critical questions:
- How can we prepare ourselves to manage risk and limit the potential damage a breach may have on the organization?
- How can we change our mindset from prevention to risk limitation?
“Changing the conversation from prevention to mitigation will lay the groundwork for a new security culture.”
This rich document, which is available for free download here, was prepared with support from IDG. This should be required reading for all professionals, including CISOs, who are passionate about protecting the organizations they work for, and the digital landscape and society in general.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step between entering a username and password, for example, then entering a one-time security code sent to a mobile device – to access applications, systems and data.
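The second step described above only adds security if the one-time code is handled correctly on the server side: it must be generated from a cryptographic random source, stored only as a salted digest, expire quickly, be usable once, and be rate-limited so it cannot be guessed. The following is an added example (not from the CDW report) of such a verification service; delivery to the mobile device is out of scope and is represented by returning the code from `issue()` to the caller. The `CODE_TTL_SECONDS` and `MAX_ATTEMPTS` values and the injectable clock are assumptions chosen for the demo.

```python
"""Issue and verify one-time second-factor codes (added example, not from the report)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: guesses allowed before the code is voided


def _digest(code: str, salt: str) -> str:
    """Salted digest so a stolen pending-code store does not reveal live codes."""
    return hashlib.sha256(f"{salt}:{code}".encode()).hexdigest()


class OneTimeCodeService:
    """Server-side state for codes sent out-of-band (SMS, push, e-mail)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending: dict[str, dict] = {}   # user -> pending code record

    def issue(self, user: str) -> str:
        """Create a fresh 6-digit code for the user; return it for delivery."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        salt = secrets.token_hex(8)
        # Issuing a new code replaces any older one, so only the latest is valid.
        self._pending[user] = {
            "digest": _digest(code, salt),
            "salt": salt,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user: str, submitted: str) -> tuple[bool, str]:
        """Check a submitted code; returns (accepted, reason)."""
        record = self._pending.get(user)
        if record is None:
            return False, "no_pending_code"
        if self._clock() > record["expires"]:
            del self._pending[user]
            return False, "expired"
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]              # void the code: too many guesses
            return False, "too_many_attempts"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(_digest(submitted, record["salt"]), record["digest"]):
            del self._pending[user]              # single use: consumed on success
            return True, "ok"
        return False, "mismatch"

    def pending_users(self) -> list[str]:
        return sorted(self._pending)


if __name__ == "__main__":
    svc = OneTimeCodeService()
    code = svc.issue("alice")          # would be sent to Alice's phone
    print(svc.verify("alice", "000000"))   # a wrong guess
    print(svc.verify("alice", code))       # the real code: accepted
    print(svc.verify("alice", code))       # replay: rejected, code already used
```

The design choices to note are the ones attackers probe in practice: the store holds digests rather than codes, a successful verification deletes the record so replay fails, an expired or over-guessed record is deleted rather than left in place, and `hmac.compare_digest` keeps the comparison timing independent of the submitted value.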