Written by

K. Hawkins
June 13, 2016

9 Biggest Cybersecurity Concerns Facing CIOs Today

Although the chances of a major hack or breach are relatively slim, it is always best to prepare for the worst because the business damage could be incredibly detrimental. As we all know, the internet is growing rapidly and constantly evolving in new ways. 0s and 1s have never had quite so much concrete control, in the short history of digital technology  look no further than the healthcare industry to see how much an internet connection can affect human lives.

The world wide web is ever-growing, and it is the CIO’s job to secure that realm for all users who enter. The larger the company, the more vulnerable its customer data will be to malicious theft, and the greater the responsibility is to be aware and build a proper defensive. The following list details a number of the largest concerns facing CIOs today.

  1. CNP (Card Not Present) fraud. CNP is changing rapidly with the technology in mobile wallets and because of the provisioning techniques and utilization of TSMs. Both Applepay and Android Pay can provide the same technology and authentication online as they do in person. They are also both EMV compliance and are expected to shake up the whole CNP market as they are approved for card present interchange rates given they are EMV compliant and have been certified by all major networks. Fingerprints aren’t the answer for security as many banks once thought. Fingerprints mobile wallets have presented numerous security issues to consider. Yet with the ability to properly provision a card in a mobile wallet with various levels of authentication, tokenization and instant shutdown ability with integration to banks and networks this is a whole new ball game. Paypal is trying to catch up as it will be more expensive to process all credit cards without the technology that the networks, banks, Apple and Google now have.[*] 

  2. The IoT to steal. The Internet of Things (IoT) is collecting data about everything, from heart pulses to pharmaceutical orders to cars and travel routes. And, as for most budding technologies, developing solid security isn’t often a priority until the later stages. Though it may vary by industry, there will undoubtedly be an increase of cyberhacks in the IoT sector, and for some industries, it’s already an issue. The healthcare industry, for example, is the leader of IoT technology for its use in hospitals, yet so far it “already faces 340 percent more cyberattacks” than any other industry[1]. Alas, with every opportunity comes a threat. Looking down the road, IoT in the retail industry, is turning largely towards incredibly accurate smart technologies such as item-level RFID (Radio Frequency Identification) accounting for inventory tracking. And perhaps one of the most disturbing scenarios would be an inventory hack on a a company whose entire data systems are digitized.

    Healthcare Industry, Cyberattacks, loT Technology,

  3. Hackers breaching non-traditional payment systems. The technology in mobile wallets to provision securely, utilize tokenization, and deliver through near field communicaton (NFC) is good. Tokenization is key to combatting payment fraud in near field communicaton NFC, a delivery mechanism for trusted service managers (TSM). However, there is one mobile payment system utilizes both NFC and magnetic secure transmission (MST) technology in orger to deliver payment credentials to a POS. It is the only mobile wallet that uses both technologies as a result of an acquisition. This mobile wallet has the highest merchant acceptance out of any platform, but it utilizes host card emulation (HCE) and the use of MST, which is a way of electronically emulating the same data a magnetic stripe card provides to a read, has the potential to be considered less secure. HCE  stores card holder data in the cloud, which leads some to believe it may be more risky from a security prospective. Though it is worth noting that it has still met EMV compliance standards. So while these methods have security measures in place, and meet security standards, there is always some potential for a breach moreso in some cases than in others.[*]

    NFC Technology, MST technology, Mobile Wallets,

Luckily, this breach didn’t access banking/router or credit card information. However, while credit card information should certainly be at the top of the Do-Not-Compromise list, client- or company- financial information isn’t the only thing CIOs should be worried about losing. Corporate intellectual property could be hacked if work emails, contacts, and network apps are on the mobile device. And at the base level, let’s not forget the importance of email addresses, which are so often used as usernames.

  1. Cloudwars. Perhaps one of the largest cybersecurity scares are the breed of hackers who break into computation infrastructure and hide behind legitimate network sources, thus remaining anonymous. Remember the hacker in the fourth season of House of Cards who breached the pseudo-Google cloud, giving the President all of the data he needed to sway the election outcome? While it would take a serious analytics team to actually scan that much data to comb for mass public sentiment, it wouldn’t take much to collect specific data from individuals. And many clouds contain massive amounts of consumer behavioral data.

    Cloudwars, Cybersecurity, Consumer Behavioral Data,

     

  2. New top-level domains and phishing. Top Level Domains (TLDs) are increasing in numbers as the internet gets older. Starting with 6 (.edu, .com, etc…) in 1985, we’re up to 1k with another auction expected this year[2]. The trouble is, very few existing TLDs come from secure networks  with the right infrastructure to protect from malware. As CIO states, “criminals could steer unsuspecting consumers towards shop.apple, apple.macintosh or apple.computer to try to steal their information,” and the average internet user might not recognize that such URLs have no affiliation with the Apple they know and trust.

    1. Cyber insurance premiums are at an all-time high. Why? Because insurance companies are a bit hesitant to offer coverage when companies like Target are losing $260 million over a data breach. How does one protect from the unknown? One way is to set steep baseline requirements. According to CIO, “Policies will take into account such items as a company’s market capitalization, defense and risk profiles, attack frequency, and the capability to halt attackers and remediate breaches.”

    2. Just because e-commerce is going social doesn’t mean high-security will follow. Social Media plug-ins, called APIs (Application Program Interfaces) can be a blessing and a curse. The fact is, your company is smart to use social APIs to allow consumers to sign in upon first arrival to your site. It makes the sign-up process a smooth and effortless endeavor, and the data that can be collected and shared is sure to help your marketing team’s ability to optimize the customer experience, if used properly.

    1. Open source, open book. Security updates to operating systems such as Microsoft Windows will push hackers to target open-source vulnerabilities, says a report published last year by TrendMicro. The report determines the best way to avoid these cybersecurity concerns is by patching your organization’s systems and software with regular updates. Furthermore, it states, a responsible CIO should “invest in intelligence-based security solutions backed by trusted global threat information sources, which can thwart exploitation attempts even if patches for vulnerabilities have yet to be issued.”

      "Hackivists", BlueCoat, TLD

    2. Election Year “Hacktivists”. Imagine if you could cease funding to the opposing candidate of your choice. That would really put your chosen candidate to the advantage, right? That’s exactly what “hacktivists” are up to, especially during election year. Companies who are affected in some way by election year should particularly keep an eye out for malware and other election scams, such as phishing emails.

Luckily, BlueCoat has provided a very nice report to cover “the web’s shadiest neighborhoods.” If you’re considering a TLD for your company site, complete with a list of how to minimize risks. CIOs can consider blocking traffic from suspicious TLDs, specifically the top 10 TLDs on the list. Other measures include notifying employees to use caution when clicking through links by using the link-view hover (link appears in the bottom left corner of most browsers) before clicking, and similarly, using the press-and-hold option to verify a link on mobile devices before clicking through.

The problem is, these APIs can be an unlocked side door, when left unsecured. As an incident showed us last year, when thousands of “deleted” personal videos and photos resurfaced in a Snapchat breach, CIOs are wise to look into establishing security around APIs. Apparently this cyberattack, deemed “The Snappening,” occurred when hackers were able to breach the content via third-party applications that used Snapchat APIs.

Although the largest targets might be social media, candidate and political cause sites, all organizations should be on the lookout during this tumultuous time. For extra measure, it might be wise to remind employees to keep an eye on SSL Certificates and the padlock in the address bar when entering personal or company information at work, especially when visiting political sites during an election year.

What other major cybersecurity concerns face modern CIOs today? Let us know in comments below.


References:

[1] Raytheon and Websense Security Labs

[2] Tripwire 

[*] John Silverstein, Vice President of Operations, CGS, contributed his expertise and strategic perspective on the industry.

Written by

K. Hawkins

BPO Guide

BPO Guide