October is Cybersecurity Awareness Month, which is the perfect opportunity for organizations to take stock of processes, policies and procedures related to the protection of all types of sensitive data. No organization is immune from cybersecurity threats. Although those risks are continuously evolving, there are some threats that impact all types of entities year after year. What have been the cybersecurity trends in 2019, and where will things go in 2020?
- Ransomware. Municipalities and managed service providers were hit hard with ransomware in 2019. Some newer variants of ransomware have been particularly hard to eradicate from systems once they are deployed. Moreover, some ransomware has been coupled with complex trojans and keyloggers that compromise protected information. Planning ahead for ransomware attacks means understanding your back-up process and whether you need to make any adjustments. That might mean asking some questions: How often are system back-ups performed? Where are back-ups stored? Are they segmented from the rest of your system? There is no one-size-fits-all solution. It is also important to gauge your organization’s views on paying ransom demands if all else fails.
- Business email compromise. Cyber criminals worm their way into legitimate business email communications, usually around the time when invoices are going out or coming due, or a closing is about to occur. With several carefully worded fake emails, the criminal can convince your customers to send payment to their bank account instead of your account. Spend time throughout the year reminding your customers about your invoicing and payment processes.
- Phishing. Threat actors realized long ago that they could exploit the fact that we are all so busy that it is difficult to stop and think about whether emails from our contacts are legitimate. Phishing remains a very common attack vector for criminals to access your systems. Once the attackers are able to convince someone to give up their log-in credentials, they can deploy ransomware, infiltrate legitimate email communications, send spam, search for valuable data, or engage in other malicious activity. Employee training is a huge component of a response strategy to this threat. In addition to training employees to stop and think before clicking on links or opening attachments – not only from users they do not recognize but also from their own contacts – an ongoing training program should also instruct employees on what to do if they do click on a potential phishing email.
Cybersecurity predictions for 2020
It is impossible to know what new exploits will be used in 2020, but we can look to the trends from the last few years to make some guesses. Criminals will likely continue to use the tried-and-true attack vectors. In addition to phishing, that means exploiting known vulnerabilities and taking advantage of poor password management or access controls. The malware that is deployed after access is obtained will likely just get more and more sophisticated and be that much more difficult to detect.
As we move into 2020, there are some comprehensive privacy and data security laws that are set to become effective, or set to be reviewed by state legislatures. Organizations are preparing to comply by conducting data inventories, completing data maps, and creating and revising privacy policies, Incident Response Plans, and Written Information Security Programs.
Preparing for these laws can be overwhelming, but McDonald Hopkins' data privacy and cybersecurity team can help you with compliance and ready your team to confront the clear and present dangers of cybersecurity threats. Contact one of the attorneys below for questions.