Shadow IT, phishing, malware, oh my! The risks secretly haunting your organization

Beware: it’s a twisted web out there, and this might be our most chilling year yet! Here are some quick statistics to set the tone:

• IT Security Company NCC Group’s Monthly Threat Pulse of March 2023 recently reported a 91% increase in ransomware attacks in March 2023 compared to February 2023, and a 62% increase year over year when compared to data from March 2022.
• According to a Deloitte Center for Controllership poll, nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead.
• According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025.

Let’s dive into the shadows… if you dare.

Shadow IT: Unmasking the applications on the dark side of your network

Out of sight does not necessarily mean out of mind when it comes to the uncontrolled, unauthorized, and unseen forces that threaten your digital domain.

Any information technology systems, applications, software, or services that an end user engages with without explicit IT department approval fall under the purview of Shadow IT. These risks are hiding in more places than you think (and aren’t subject to the same monitoring that traditional corporate applications allow) – the average enterprise contains 4-10 times as many Shadow IT applications as corporate-managed apps. That’s why, from identifying and categorizing threat exposure to establishing response protocols, many organizations are taking a system-based approach to supporting their control frameworks.

Want to learn more about automated EUC risk management? Explore the following use cases:

• Spreadsheet Risk Management
• LIBOR Transition Risk Management
• Dodd-Frank Act & so much more

Piranhas in the water: phishing, prexting, baiting and more

If you need proof that social engineering attacks (like phishing) are on the rise, look no further than the latest headlines. Take the cyber attack on MGM Resorts, for example, where hackers allegedly used LinkedIn information to impersonate one employee to manipulate sensitive information out of another. The result was a large-scale cyber attack that impacted MGM’s operating systems, causing downtime throughout its casino floors, reservation systems, booking systems, email systems, etc.

There’s a good reason phishing scams continue to be listed as one of the most prevalent cybercrimes in the FBI’s IC3 Report. In fact, we hit a record number of mobile phishing attacks in 2022.

The Cybersecurity Infrastructure and Security Agency (CISA) is actually addressing phishing as one of the cybercrimes to watch out for during this year’s Cybersecurity Awareness Month. CISA is focusing on how individuals, families, and small to medium-sized businesses can secure our world by:

• Using strong passwords
• Turning on Multi-Factor Authentication (MFA)
• Recognizing and reporting phishing
• Updating software

Beware: malware, ransomware, & more

Malware attacks dipped slightly in 2020 for the first time in five years — but they’re back on the rise and now hitting 10.4 million per year, according to SonicWall’s 2022 Cyber Threat Report. That same report identified 270,228 “never-before-seen” malware variants in the first half of 2022 alone.

Not to mention, new technologies (like GenAI) are not necessarily introducing new threat capabilities, but helping bad actors be more agile and effective. Language models can now be leveraged by bad actors to be more persuasive, for example, making social engineering attacks more convincing and dangerous. And some bad actors can even build their own language models.

The fact is: threats are moving faster and more effectively — so your risk management has to as well.

How can we be more aware?

To expand your risk strategy and make it a process that you can continuously and constantly improve upon (and measure), you’ll need to bring in more people from your organization, constantly share new information as it becomes available, and stay agile with automation-based technology. Security training will also look different; employees will need to be better about spotting threat indicators (like a mismatched send address / send name) versus glaring spelling errors.

Bonus fright: third-party risk

While ransomware has been in the news for several years, third parties are an up-and-coming target because they offer economies of scale to threat actors through their partnership ecosystems.

In a world of remote work, global supply chain challenges, and a growing ecosystem of vendors supporting your business, risk is no longer bound to your headquarters, which means you need to be able to:

• Identify the risks associated with an extended vendor ecosystem
• Mitigate risks posed by both third-party and fourth-party vendors
• Determine whether your current strategy and technology support a comprehensive third-party risk management program

Want more tips on identifying and mitigating third-party risk? Download our comprehensive TPRM checklist.

Bringing your risk management from scary to secure – and measuring it

Threats are scariest when they are kept in the dark, so a successful risk management strategy is one where you clean out the cobwebs and turn on the lights. Threats should no longer be imagined as surprises that jump out from the shadows, but expected events that affect every business. To navigate this change, strategic businesses employ risk management technologies that pair machine learning with constant vigilance to help users identify, mitigate, and report on risk.

More resources you may enjoy:

• Secure Our World: 4 Work-Related Security Best Practices for Cybersecurity Awareness Month
• Aligning your cyber risk management program with your company’s bottom line
• The cyber attack on MGM Resorts: what you need to know (and what it means for your risk management strategy) | Mitratech