One unfortunate aspect of human psychology involves how people tend to deal with potential threats. As long as the threats are more abstract than actual, all too often we reason that there’s no rush to build defenses against them. Only after a threat materializes and does actual harm do we start to really take it seriously.
Anyone who thought the dangers associated with the Internet of Things (IoT) were more bark than bite was disabused of that notion on October 21. That morning, a distributed denial of service (DDoS) attack against Dyn, a dynamic DNS service, significantly reduced the availability of dozens of major websites and internet services.
The source of the attack: tens of millions of IoT devices ranging from closed-circuit cameras to home DVRs. The devices had been compromised with the Mirai malware program, which used password guessing to infect them. On the morning of the attack, the malware directed the devices to send a crippling deluge of requests to the Dyn servers.
Prior to this attack, there were plenty of warnings about the risks posed by poorly protected IoT devices. An AT&T Cybersecurity Insights report released earlier in the year, for example, explored IoT-based threats in depth and recommended a number of best practices to limit exposure to these threats. Among the recommendations: don’t permit easy-to-hack default passwords for IoT devices. Just that one recommendation, if followed by device vendors, would likely have prevented the October attack.
IoT-based threats, of course, are only one form of “new” vulnerabilities organizations must address as both technology and business operations transition through rapid changes. Two other fast-emerging sources of cyberthreats are cloud computing and mobile computing.
The new AT&T Cybersecurity Insights report, “The CEO’s Guide to Navigating the Threat Landscape,” examines all three of these emerging cyberthreat sources – IoT, cloud and mobile. An AT&T survey cited in the report found that companies storing more than half of their data in the cloud report higher frequencies of malware, ransomware, advanced persistent threats, information theft and unauthorized access. Even so, the report cautions that data stored in corporate servers may not be any safer than data stored in the cloud.
Meanwhile, about 40 percent of the cybersecurity professionals surveyed by AT&T reported that their organizations’ mobile devices were compromised in the prior 12 months. Evidence suggests attackers are increasingly targeting app stores to distribute mobile apps infected with malware, and free Wi-Fi networks continue to pose significant risks to corporate users and enterprise data.
Long story short, organizations must ensure that their security infrastructure keeps pace with the ways technology is evolving and being used. Meeting that objective requires companies to conduct regular risk assessments, to continuously educate their employees, and to deploy security controls tailored to meet both established and emerging threats.
Most fundamentally, it means taking new categories of cyberthreats seriously, even if they haven’t yet materialized as actual attacks. There’s too much at risk – intellectual property, customer confidence, legal liability and your business’s bottom line – to fall victim to the “it can’t happen to us” line of thinking.
Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.