1. Social Engineering
Social engineering attacks exploit social interactions to gain access to valuable data. At the root of all social engineering attacks is deception. Cyber criminals trick and manipulate their targets into taking certain actions, such as bypassing security measures or disclosing certain sensitive information. Even the best cyber security systems can’t stop a social engineering attack, because the target lets the hacker into the system. Experts say social engineering attacks are on the rise, which is why we’ve listed it as a top threat.
2. Third Party Exposure
Many retailers use third parties for services such as payment processing. As such, they often believe liability for a third party breach does not apply to them. In reality, using a third party vendor does not absolve them of responsibility for a data breach.
Even if a company does not directly handle personal information—including social security numbers or credit card numbers—a third party can put them at risk. Negligent data handling can put the sensitive information of millions into the hands of hackers, as shown in the recent Volkswagen/Audi cyber exposure. Even if the attack originated with a third party, the business that contracted with the third party vendor is still liable and legally required to notify their clients and regulators if there is a data breach. The fines and penalties can be steep, ranging from tens of thousands to millions of dollars, depending on the circumstances.
3. Patch Management
Many attacks start with outdated software. For this reason, not staying up-to-date with software patches leaves companies vulnerable to any number of information security breaches. As soon as attackers learn of a software vulnerability, they can exploit it to launch a cyber attack.
4. Cloud Vulnerabilities
The more we rely on the cloud for data storage, the higher the risk of a major data breach. Cloud services are vulnerable to a wide range of cyber attacks. This includes account hijacking and Denial of Service (DoS) attacks, which prevent companies from being able to access their data. Many businesses believe they are secure because they use cloud security technology. In reality, technology is only part of the solution. Because no technology can completely eliminate vulnerabilities, a holistic approach is needed for robust protection. Insurance is an important piece of that protection as part of a comprehensive cyber risk management plan.
5. Ransomware (and Ransomware-as-a-Service)
Ransomware attacks are a serious cyber threat. These attacks infect your network and hold your data and computer systems hostage until a ransom is paid. The immediate losses from the ransom are only the tip of the iceberg. The monetary damages from lost productivity and data loss are often the most destructive to a business. Attacks like these are why 60% of small businesses go out of business within six months of a cyber breach.
Ransomware is among the top 10 cyber attacks and is a popular way for attackers to target businesses. This won’t change any time soon; according to the U.S. Department of Homeland Security, ransomware attacks have been increasing across the globe. Additionally, ransomware is now available to less sophisticated hackers in the form of ready-made kits they can buy, known as Ransomware-as-a-Service. This is being used to target primarily small businesses due to their typically weaker cyber security measures. The result has been a rising frequency of attacks with reduced individual cost, as hackers want quick paydays from their hacks. The ease of pulling off these attacks and the large number of hackers pose an enormous risk to small businesses.
6. Mistaking Compliance for Protection
Simply meeting data compliance standards is not the same as continuous and robust protection. For example, many companies need to meet the Payment Card Industry Data Security Standard (PCI DSS) for their annual audit. However, this is not necessarily representative of their usual standard of protection. According to Verizon’s PCI Compliance Report, four out of five companies failed to maintain compliance at their interim assessment. These were the same companies that previously met compliance standards. Companies that were deemed PCI DSS compliant still suffered from cyber security breaches, some just weeks after they were certified. As these companies have learned, simply meeting legal standards is not the same thing as adequate cyber protection.
7. Lack of Employee Training
A recent study from a Stanford University professor found that 88 percent of data breach incidents are caused by employee mistakes. The most common cyber security threat employees fall for is phishing attacks. With attacks growing more advanced, many employees don’t have the skills to identify a phishing email. Additionally, many employees engage in poor cyber security discipline, using the same password for work and home computers. The solution for this is employee training. Any cyber risk management plan needs to account for human vulnerabilities, and take measures to ensure everyone is following correct protocols. Only this—in tandem with a robust system of controls—can begin to provide adequate protection against cyber threats.
8. Inadequate Cyber Risk Management Controls
Many of the strongest tools against cyber exposures, such as multi-factor authentication (MFA), endpoint protection, and secure email gateways, are often ignored by companies. This is a major mistake, as these controls are extremely effective at mitigating risk for common attacks such as phishing and social engineering. Not only does this open them up to cyber security threats, but it can also damage their ability to secure comprehensive cyber insurance. With the extreme rise in attacks in recent years, obtaining new cyber insurance plans and cyber renewals will not be as easy as before. Carriers now want their clients to take on additional protections before they will provide them coverage.
9. Internet of Things (IoT)
The Internet of Things (IoT) connects devices from all over the world through the internet. This allows for a network of devices that can store, send, and receive data. Because of its convenience, many individuals and businesses are taking advantage of this growing technology. But, the very thing that makes them convenient also makes them vulnerable. Hackers can exploit internet connectivity as an access point through which to steal data. As companies increasingly rely on IoT devices, many experts predict this will be one of the biggest cyber threats in the coming years.
10. Outdated Hardware
Not all threats to cyber security come from software. The pace at which software updates are released can make it difficult for the hardware to keep up. This, in turn, creates exposures that can put companies’ data at risk. As hardware becomes obsolete, many outdated devices will not allow updates with the latest patches and security measures. Devices that rely on older software are more susceptible to cyber attacks, creating a major potential vulnerability. It is important to monitor this and respond quickly when devices become out of date. Just like you should keep your software up-to-date, you should do the same with hardware.