As quickly as the technology industry identifies cyberthreats and develops solutions to mitigate them, new threats appear. Cybercrime and the cyber threat landscape continue to evolve, with more sophisticated social engineering tactics. All organizations regardless of size or longevity have the potential to become targets.
When organizations scale and their reliance on cloud-based systems increases, so does their risk. Security professionals have their hands full with proactively identifying and mitigating threats—and also providing cybersecurity awareness training for employees.
What motivates these cybercriminals? Data. Two years ago, the world generated 2.5 quintillion bytes of data every day. At the end of 2022, global data experts predicted the world had produced and consumed about 94 zettabytes of data. In just three short years—by 2025—cloud storage will house 200+ zettabytes of data.
The top five cyberthreats organizations should protect their critical business data from today are the following.
Broken Access Control Vulnerability
This security flaw permits unauthorized users to access restricted resources—and sensitive data or systems—by circumventing standard security procedures. An Open Web Application Security Project (OWASP) report listed broken access control as the number one threat for exposing private data in 2021.
To mitigate this vulnerability, organizations should adopt a zero trust policy because, intentionally malicious or not, any employee can expose company data and is therefore a potential threat. Conducting regular data authorization audits and verifying that the information flow is secure (updating or remediating permissions and defining permission pathways as needed) keeps this security layer secure.
Compliance Lapses
There’s been a shortage of talent among security professionals, and this shortage has led to weaker security protocols and processes at global organizations of all sizes. According to the 2022 (ISC)² Cybersecurity Workforce Study, the cybersecurity workforce includes over 4 million cybersecurity professionals. But the U.S. still has over 700,000 unfilled cybersecurity jobs.
This shortage, coupled with the average number of cybersecurity attacks rising 31% between 2020 and 2021, means companies must remain on alert for threats. Yet companies, including some of the larger tech giants, have continued to lay off workers (including security team members) in 2023, leading to potentially larger security issues.
For example, many organizations only conduct penetration testing during mandatory compliance audits. But by skipping routine penetration testing on “off” times between compliance cycles, companies leave themselves vulnerable to more security breaches. An organization may not even realize its security has been compromised.
Automation offers a key solution for closing this gap, with many tools specifically designed to help facilitate more targeted, faster security testing. Agile security testing empowers organizations to test targeted areas within their security system or specific product updates, for example. But whatever the approach, consistent testing is the best strategy for identifying and closing security gaps.
Internet of Things (IoT)
Organizations rely on IoT for data exchange and connectivity. But we can’t escape the IoT’s architecture, which impacts our lives because it connects everything from household appliances like WiFi-enabled televisions and thermostats to manufacturing and industrial tools.
The European Union (EU) has introduced legislation with very strict cybersecurity mandates to take effect in 2024. As with the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), the U.S. government is also exploring mandates requiring IoT organizations to significantly strengthen their own cybersecurity.
Any business reliant on IoT technology must update its software and firmware consistently, applying patches to vulnerabilities to protect its data from hacking. Companies should also leverage stronger password protection protocols to protect against distributed denial of service (DDoS) attacks.
Ransomware-as-a-Service (RaaS)
Cybercrime organizations have discovered the value of offering RaaS. A recent Sophos study found it cost an average of $1.4 million to recover from a ransomware attack in 2021, a price few organizations could afford. But cybercriminal gangs have worked to polish and grow their business models and ransomware technology to keep pace with the acceleration of digital transformation. Cloud computing gives cybercriminals a global reach, of which they’ve taken full advantage.
The most effective way for organizations of all sizes to improve their IT and security infrastructure—and prevent ransomware attacks—is to plan and conduct continuous monitoring and testing and implement insights offered by ethical hackers. These professionals have the experience, knowledge, and skills to test systems and perform risk assessments for security-related issues. They look for the cracks where cybercriminals could breach security or exploit a weakness to illegally obtain valuable data.
Social Engineering Attacks
Among the most common social engineering attacks, phishing scams allow hackers to manipulate end users’ emotions. These scams may include pleas for donations to a fake website or a request to update login credentials for a bank or retailer. One recent report tracking email threats found a 48% increase in email phishing attacks in the first six months of 2022.
Remote and hybrid working has also proved too tempting for malicious actors to ignore, and they’re continuously updating their phishing attack strategies and tactics to focus on:
- False shipping updates
- Healthcare appointment reminders
- Inquiries from hackers who’ve stolen someone’s identity to pose as a boss or coworker and request personal or financial data or login credentials
The most effective way to protect vital information and prevent these cyberattacks is to raise awareness through cybersecurity education and training.
Cybersecurity and CRE
Commercial real estate (CRE) owners and investors should consider these potential threats and evaluate their own cybersecurity and data privacy practices to mitigate any risk of unintentional or unauthorized access to sensitive information.
The CRE industry hasn’t focused on data privacy as much as other industries like manufacturing, healthcare, or finance. However, with CRE’s increased reliance on technology and the cloud, CRE owners face an increased risk of being targeted by cybercriminals.
Are you a commercial real estate investor or looking for a specific property to meet your company’s needs? Do you own and lease property and want to ensure your tenants’ data and your own are protected against potential cyberattacks and security breaches? We invite you to talk to the professionals at CREA United: an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more.