7 Major Cybersecurity Risks For Midsize Organizations: Gartner

From ransomware and data mining to the supply chain and OT technology, here are the top seven cybersecurity risks midsize enterprises will be dealing with over the course of 2022.

Upping The Game

The security industry is in the middle of a years-long transition from “trust but verify” to “never trust, always verify” as zero trust architectures become more pervasive, said Paul Furtado, Gartner’s vice president of midsize enterprise security. Companies aren’t doing the fundamentals well: 56 percent of attacks exploit known vulnerabilities for which patches have been available for more than 90 days.

“The only thing harder than defending yourself against a cyberattack is telling your executives and your partners why you didn’t do enough to protect yourself,” Furtado said Monday during the opening keynote at Midsize Enterprise Summit IT Security, hosted by CRN parent The Channel Co.

Organizations looking to improve their security need to start with comprehensive around the clock security, which Furtado said requires working with an MSSP, MDR or EDR partner. Data protection should be using immutable backup technology and protecting all critical data as well as the backups themselves, according to Furtado.

“Patching your vulnerabilities is going to be your biggest and easiest thing that you can do,” Paul Shipp of Wisconsin’s Door County Medical Center told CRN. “I’d like to think that we do that pretty well.” Shipp said the Medical Center’s IT team takes care of getting patches out when they need to go out on behalf of all employees and departments.

Companies should also examine how they can implement zero trust in a way that’s good for them and their business and also get a dynamic incident response plan in place, according to Furtado. From ransomware and data mining to the supply chain and OT Technology, here are the top seven security risks Furtado said midsize enterprises will be dealing with over the course of 2022.

“It’s not going to get better,” Furtado said. “It is going to get worse. We as practitioners need to up our game because the bad actors are upping their game.”

7. Zero-Day Exploits

The speed at which zero-day exploits are being created and deployed is alarming, with industry experts spotting an all-time record 66 zero-day exploits during 2021, Furtado said. And those zero-day exploits are being weaponized at never-before-seen speed, with the log4j vulnerability discovered Dec. 9 and a strain of ransomware that was developed specifically to exploit log4j out by Dec. 10.

Within three days, the world’s largest Ransomware as a Service operator – Conti – had modified their ransomware to use log4j to exploit VMware hosts. In the case of log4j, organizations were still trying to figure out the vulnerability’s impact on their business, and vendors often still had no fixes available three days later, yet bad actors were already attacking organizations through it.

6. Insider Threats

Insider risk refers to every account that has access into an organization’s environment such as service accounts, custom integrations, and API accounts, according to Furtado. Insider threats, meanwhile, are the very, very small percentage of insiders that are actually doing something that’s going to cause a security incident, Furtado said.

Seventeen percent of all sensitive files are available to every employee in an organization, 30 percent of data breaches are the result of some sort of insider events, and 63 percent of all insider events stem from either a deliberate error or carelessness. It historically took about 77 days to identify an insider who was misusing their power, but remote work has made spotting malicious insiders much harder.

Insider events result in potential damages of around $1 million since they allow attackers to easily exfiltrate data from the victim’s environment. Hackers are propositioning discontented insiders with offers to split some of their earnings if the insider deploys malware in their company’s own environment or clicks on a malicious email that makes it through the company’s gateway, according to Furtado.

Furtado urged organizations to add ‘quishing’ to their cybersecurity awareness training since bad actors are taking advantage of the ubiquity of QR codes at places like restaurants to introduce malicious QR codes of their own. Adversaries are combining quishing with keyloggers and screen grabbers on mobile devices to get a multi-factor authentication token without the user’s consent and compromise their account.

5. Regulatory Changes

Organizations not only have to worry about the patchwork of privacy laws and reporting requirements across every state in America, but also need to be well-versed in foreign privacy laws like the UK and European Union’s GDPR (General Data Protection Regulation) if any of their clients are European citizens, according to Furtado.

Stateside, Furtado said the U.S. Senate passed the American Cybersecurity Act which requires reporting significant cyber events within 72 hours and ransomware payments within 24 hours. In a similar vein, the U.S. Securities and Exchange Commission (SEC) has a proposed rule change for publicly traded companies that would have similar mandatory reporting requirements for significant cyberattacks.

As a result, Furtado expects to see a surge in companies reporting ransomware attacks over the next 12-to-18 months, which will lead to headlines around ransomware spiraling out of control when it’s really that companies are no longer allowed to keep ransomware attacks under the radar. Organizations must start preparing their executives for the surge of information that’s coming, according to Furtado.

4. IoT, OT & ICS

Eighty-one percent of all CVEs (common vulnerabilities and exposures) reported against IoT, OT and ICS systems were identified by a third party rather than the vendors themselves, Furtado said. CISOs don’t need to have ownership of IoT, OT or ICS systems in their environment, but Furtado said they should be providing security oversight since they’re often brought into the discussion if there’s a security issue.

A security professional would know which port the OT device is supposed to use, what the average packet size is, and which other devices it speaks to on the internet, making it easier to identify abnormal behavior that could be an indicator of compromise, he said. The OT team in a client’s organization is most likely not examining the activity in the same manner, so it helps to have the security team present.
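The three facts Furtado names (expected port, average packet size, known peers) are enough to build a per-device baseline and flag flows that break it. The script below is an added example, not code from Gartner, CRN or the speaker; the flow records, device addresses and the 3-sigma tolerance are all constructed assumptions, and a real deployment would learn the baseline from days of NetFlow or span-port captures rather than a handful of records.

```python
"""Baseline-and-deviation check for OT device traffic.

Added example (not from the original article). It turns the expected port,
known peers and typical packet size of each OT device into a baseline, then
reports how a new flow deviates from it. All flow records are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str              # address of the OT device initiating the flow
    dst: str              # peer it talks to
    dport: int            # destination port
    bytes_per_pkt: float  # average packet size observed in the flow


@dataclass
class Baseline:
    ports: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    size_mean: float = 0.0
    size_stdev: float = 0.0


def build_baseline(flows):
    """Learn expected ports, peers and packet-size band per device from known-good flows."""
    sizes = {}
    baselines = {}
    for f in flows:
        b = baselines.setdefault(f.src, Baseline())
        b.ports.add(f.dport)
        b.peers.add(f.dst)
        sizes.setdefault(f.src, []).append(f.bytes_per_pkt)
    for dev, s in sizes.items():
        baselines[dev].size_mean = mean(s)
        baselines[dev].size_stdev = pstdev(s)
    return baselines


def check_flow(baselines, f, size_tolerance=3.0, min_stdev=10.0):
    """Return the reasons a flow deviates from its device's baseline ([] if it looks normal).

    min_stdev stops a very regular device (tiny stdev) from alerting on every
    few-byte fluctuation; the band is size_tolerance * max(stdev, min_stdev).
    """
    b = baselines.get(f.src)
    if b is None:
        return ["unknown device"]
    reasons = []
    if f.dport not in b.ports:
        reasons.append(f"unexpected port {f.dport}")
    if f.dst not in b.peers:
        reasons.append(f"new peer {f.dst}")
    band = size_tolerance * max(b.size_stdev, min_stdev)
    if abs(f.bytes_per_pkt - b.size_mean) > band:
        reasons.append(f"packet size {f.bytes_per_pkt:.0f}B outside "
                       f"{b.size_mean:.0f}B +/- {band:.0f}B")
    return reasons


# Constructed known-good traffic: a PLC (10.10.1.5) polling an HMI over Modbus/TCP.
KNOWN_GOOD = [
    Flow("10.10.1.5", "10.10.1.20", 502, 60.0),
    Flow("10.10.1.5", "10.10.1.20", 502, 64.0),
    Flow("10.10.1.5", "10.10.1.20", 502, 68.0),
    Flow("10.10.1.5", "10.10.1.20", 502, 62.0),
    Flow("10.10.1.5", "10.10.1.20", 502, 66.0),
]
BASELINES = build_baseline(KNOWN_GOOD)

# Constructed candidate flows: one routine poll, one large transfer to an outside host.
CANDIDATES = [
    Flow("10.10.1.5", "10.10.1.20", 502, 65.0),
    Flow("10.10.1.5", "203.0.113.7", 443, 1400.0),
]


def triage(baselines, flows):
    """Map each flagged flow to its reasons; flows with no deviation are omitted."""
    return {(f.src, f.dst, f.dport): r for f in flows if (r := check_flow(baselines, f))}


if __name__ == "__main__":
    for key, reasons in triage(BASELINES, CANDIDATES).items():
        print(key, "->", "; ".join(reasons))
```

The second candidate flow trips all three checks at once (new port, new peer, packet size far above the device's band), which is the kind of signal Furtado describes: not a signature match, but a device behaving unlike its own history. In practice the baseline would be learned per device role and refreshed after approved maintenance windows so that legitimate changes do not become permanent alerts.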

Furtado said he was able to gain access into three different SCADA and IoT systems in just 30 minutes on the web, which he reported to the respective vendors. Businesses might very well find that their IoT, OT or ICS system is publicly accessible to people outside the organization if they’re not providing diligent oversight, according to Furtado.

3. Supply Chain

Bad actors have come to understand the impact that disruption to a supply chain causes and are moving away from attacks against critical infrastructure because of the backlash to the Colonial Pipeline hack, he said. Downstream supply chain vendors allow adversaries to carry out destructive attacks without facing the wrath of overt retaliatory attacks from government agents like what happened with Colonial.

There were 2.2 trillion downloads last year of open-source code, and 29 percent of the downloaded code had known cybersecurity vulnerabilities, according to Furtado. Bad actors have significantly increased the number of attacks they’re doing against open-source repositories given all of the vulnerabilities, Furtado said.

Threat actors supporting both Russia and Ukraine are launching malware from open-source repositories as well as trying to wipe code that’s pulled down from the repository, according to Furtado. He urged midsize organizations to download the vendor risk questionnaire from CISA’s website to assess the potential impact of a supply chain attack against their organization.

2. Data Mining

Data mining makes it possible for adversaries to not only extort their direct victim, but also for them to go after a victim’s suppliers or clients and pressure them, Furtado said. Threat actors are now telling a victim’s customers that the customer data will be included in the leaked dataset unless the supplier pays the ransom, according to Furtado.

A ransomware actor was able to access individual patient records at a mental health clinic in the Nordics and threatened patients themselves, ordering them to pay up if they didn’t want their personal mental health records posted. And an American non-profit that claimed it couldn’t afford to pay a $2 million ransom was faxed a copy of its own insurance policy showing it could in fact pay that amount.

Businesses need to think not only about protecting regulated data but also about safeguarding non-structured data that could be detrimental to the organization if it was publicly released. Encrypting sensitive data does nothing to protect companies from a business disruption perspective, but it does greatly reduce risk to the business by ensuring that the data has no value even if it’s exfiltrated, he said.

1. Ransomware

Midsize organizations are the most highly targeted segment for ransomware attacks, with 81 percent of successful operations coming against companies with fewer than 1,000 employees and 90 percent going after businesses with less than $1 billion in revenue, Furtado said. Ransomware started with encryption, and then moved to data exfiltration where hackers will threaten to release victim data, Furtado said.

Recently, adversaries have turned up the pressure by throwing in denial of service (DoS) campaigns during ransomware attacks and engaging in data mining, where threat actors use AI, machine learning and analytics to generate more value from the victim data they’ve exfiltrated. Victims should expect a ransom demand of between 1 and 1.5 percent of their global revenue, according to Furtado.

The average ransom payment for a mid-market organization is $322,000, but the total cost of recovering from a ransomware attack is usually between five and ten times that amount. Organizations that are hit with ransomware should brace for 20 days of business disruption, with the majority of that coming on the front end prior to the implementation of a business continuity plan, according to Furtado.

Organizations that pay a ransom should still expect to lose 35 percent of their data since the bad actors use accelerated encryption, which leads to high levels of corruption and doesn’t capture databases or files that are in use. And for those companies that pay, Furtado said 80 percent of them will be targeted again either by the same threat actor or a different threat actor since word will get out on the dark web.