We talk to Raj Samani, Chief Scientist and McAfee Fellow, to find out what security threats we'll be facing this year.
We’ve gone through viruses, cyberattacks, malware, and ransomware. What is the big threat of 2020?
McAfee’s Advanced Threat Research (ATR) recently announced that malware led disclosed attack vectors in McAfee’s most recent quarter, followed by account hijacking and targeted attacks. New malware samples increased by 35%, to say nothing of the human cost of dealing with the fallout of these attacks. At the same time, ATR is still seeing lots of innovation in ransomware campaigns, with shifts in initial access vectors, campaign management, and technical innovations in the code, combined with a more targeted approach—which means it’s still a very dangerous vector.
Firms want to know what the big threats are so that they can be proactive, but they do not have the resources and talent to execute. McAfee’s perspective is that rather than focusing on what the latest trend in cybersecurity is, organizations should focus on local and global threat intelligence by geography and industry—which is something that we are trying to address with MVISION Insights and other tools.
How secure are third-party APIs? When dealing with cloud security or data security in the cloud, what are some concerns? How much can be left to your cloud provider?
One of the biggest concerns about cloud security, and data security in the cloud, is Infrastructure-as-a-Service misconfigurations. As the most common entry point to new Cloud Native Breaches, IaaS is a critical area, and McAfee’s recent IaaS Adoption and Risk report found that 99 percent of IaaS misconfigurations go unnoticed. Just 26 percent of practitioners are equipped to audit for misconfigurations here, which likely leads to a lack of visibility in this area.
Organizations need to understand that they bear the responsibility for their cloud deployments, including their configurations and their data. As a start, they need to deploy security tools to keep up with cloud-native issues, and continuously audit their deployments for initial configurations and drift over time.
As we move to 5G and IoT, how do we need to rethink security? How can we use the data from IoT devices to improve security?
Modern work happens on devices and in the cloud, so it is as important as ever to detect and remediate threats at or to the endpoint, like IoT devices. The explosion of mobile devices has created a new threat vector, which requires new solutions for detection, remediation, and protection in real time without compromising the user experience or violating privacy.
How ready are businesses these days to recover from cyberattacks? Do they do enough pentesting and simulated attacks on their networks to test security? Are bug hunts worthwhile?
We actually have some research coming out on this before the end of the year, on how resilient businesses across APAC are, and what can be done to reduce their cybersecurity risk.
Generally speaking, no matter the preparations that businesses have in place for cyberattacks, most organizations are lacking critical preparations at the top. A majority of boards lack a representative responsible for cybersecurity. Placing security on the board agenda is one of the most effective ways to minimise the chances for a successful breach, and yet many organizations minimise the need for having a CISO that attends board meetings.
CISOs must be responsible for translating cybersecurity into language that the board understands, and linking security threats to risk, and translating risk to strategy.
Why are we still dealing with things like shadow IT and the insider threat? Will we ever be able to remove the lowest common denominator from people, processes, and technology?
We will always have to pay attention to employees as a critical link in companies’ security chains—they can cause breaches no matter how robust your cybersecurity defences. Shadow IT, the insider threat, and other employee-centric cybersecurity issues are partially rooted in the fact that many employees believe that cybersecurity is best handled by IT or top executives within the company—rather than viewing themselves as active contributors to their companies’ cybersecurity. If employees cannot be engaged as active stakeholders for cybersecurity, they will most likely continue to compromise their companies with risky behaviors.
Working with your company’s people to build a culture of security is an ongoing process that requires working with employees new and old to shape and reinforce how they view the corporate culture. Aspects like an open dialogue and open lines of communication require continuous organizational buy-in, and are never truly finished.