IT Security Risks: Addressing the Scope and Variety of Threats

by Cynthia Cavendish-Carey, Vice President, C4CS

Truly, the only constant is change. This is especially true in the Information Technology (IT) world. Hackers and cyber criminals are continually becoming more sophisticated in their strategies and tactics to infiltrate and disrupt IT assets – personal and professional.

Is your organization prepared to address the numerous and sundry types of threats in today’s – and tomorrow’s – IT environment? Phishing has been around for as long as email has existed. Now, ransomware has gained notoriety and is increasingly being used to interfere. Botnets, smurfs, spoofing, spear phishing, Trojans, malvertising… the list of techniques that criminals are employing to attack our technology and to disrupt our ability to conduct business goes on and on.

Smart leaders understand that there is a need to protect against the gamut of IT security risks. The first step is knowing the types of threats currently in existence. Here are some of the most prevalent ones, but there are many others.

Acceptable Use Violation: Willful or accidental misuse of resources that places the organization at a higher risk of malicious actions.
Cyber Intrusion: Unauthorized attempted or successful access to organizational resources.
Data Loss: Loss of control of organizational data that is normally controlled or restricted, including Personally Identifying Information (PII). This is often associated with Third Party Compromises, especially when information is contained in a cloud environment.
Denial of Service: High volume network traffic that exhausts all available bandwidth.
Device Loss or Theft: Loss of control over organizational assets (i.e., computing equipment or machinery) on which sensitive information may be housed.
eMail Blacklisting Removal: Real-time lists of domain names and IP addresses reportedly used by spammers or senders of unsolicited bulk emails. Blacklisting is intended to block such emails, thereby reducing the flow of unwanted emails.
Insider Threat: Current or former team member(s), contractor(s) or business partner(s) who capture information or intellectual property prior to access being restricted. This compromises the integrity or availability of the organization’s information and systems and is a threat to confidentiality.
Malware, Malicious Code: A virus, worm, Trojan horse or other code-based entity that successfully affects a host. Worms and some viruses are self-replicating and can infect multiple systems or files within moments. Discovery and quarantine protocols are critical to contain and eradicate these issues.
Password Attack: Password information that is accessed by “sniffing” a user’s network access via social engineering, guessing or gaining access to a password database (e.g., brute-force password guessing, dictionary attack that systematically employs common password formulas).
Ransomware: A type of malware that encrypts local and shared files in order to induce victims into paying a ransom in exchange for a decryption key.
Reconnaissance & Information Gathering: Unauthorized discovery and mapping of networks, systems, services or vulnerabilities – often preceding a malicious event. In effect, this is an attacker’s homework as a precursor to another type of IT security risk.
Social Engineering: Relies on human interaction(s) and trickery to compel users to divulge information that will allow an attacker to directly or indirectly execute a technical attack and gain information that can be utilized in a subsequent phase of the assault.
Supply Chain Attack: Occurs when criminals manipulate software code in order to compromise downstream applications. Also referred to as a third-party or value-chain attack, this threat relies on outside providers with access to a company’s systems and data. This is an attractive endeavor when vulnerabilities in commonly used software are leveraged to give hackers access that can subsequently be replicated across all enterprises using it.
Business Email Compromise: A type of scam in which an attacker gains unauthorized access to a corporate email account and impersonates the true owner in order to defraud the company, its employees, customers and other stakeholders. Organizations with business interests abroad are often the targets, whereby money (i.e., via wire transfers) or sensitive data are requested to be transmitted to the attacker’s account under the guise of a request that comes from the CEO or another executive.
Third Party Compromise: Vendors and service providers have access to organizational assets (e.g., networks, systems, servers, devices), but adequate protections and protocols are not in place, thereby exposing the organization to IT security risks, including potential leaks of confidential information and unauthorized access.
Website Compromise: Organizational site(s) can be compromised, resulting in any number of detrimental effects, including embarrassment, preparatory intrusion, competitor threats (especially from foreign entities or domains), disruption of transactional capabilities or password-protected service centers on the site.
Zero-Day Vulnerability: Software or firmware flaw for which no available patch currently exists. These vulnerabilities are often exploited by hackers discovering such weaknesses before the provider can create the necessary patch.

Hackers used to be random individuals with nothing better to do with their time. But now, these threats can come from anywhere and anyone at any time, including state-sponsored crimes, industrial spies, terrorists, organized crime groups and malicious insiders. Additionally, technology has evolved dramatically, which further increases the number and impact of these risks. Artificial Intelligence (AI) was initially conceived and developed to improve technology, security and the availability of information. However, criminals are figuring out ways to use AI and the “Internet of Things” for their own nefarious purposes.

Clearly, we live in an increasingly virtual world dominated by information and technology. IT Security risks and cybercrime statistics are rising each and every day and are predicted to cost Trillions of dollars in the world economy – that’s Trillions with a capital T. We have only to look at the headlines on any given day for proof.

Protecting your company and its IT assets begins with establishing a comprehensive IT Security Plan and tools that are developed, implemented and overseen by experts in the field. Too often, exposure results from human error, pointing to the significant and rapidly growing need for awareness and training as a matter of course in every organization. Building a culture of compliance with regard to IT Security is essential for viability, sustainability and growth in today’s business world. We will continue to explore these and other aspects of IT Security planning, preparedness, training and testing in upcoming articles in this series.

Read the next article in this series: IT Security – So, What’s the Plan?


In partnership with Catalyst Connection, Pittsburgh-based C4CS® (https://c4cs.com) provides customized crisis management and IT security consulting and training. Available group training and one-on-one crisis leadership coaching includes virtual and in-person tabletop and other crisis exercises built around realistic scenarios such as industrial accidents, cybersecurity incidents, employee and product crises among other hypothetical situations. To learn more about how C4CS can assist your organization, email: info@c4cs.com