Taking charge to avoid cybercrime in 2017
2016 was undoubtedly a challenging year for information security with huge data leaks, ransomware, and Internet-of-Things (IoT) malware attacks dominating media reports.
With the situation exacerbated by a shortage of IT security skills, it would seem that 2017 may be no different from the last year for organisations, as cybercrime steadily increases.
Although it is speculation at this stage, it is likely that crime syndicates will find increasingly creative ways to infiltrate South African businesses, both directly and indirectly. Incidents will range from data leaks to ransomware attacks and such incidents will affect all industries, whether retail, education or healthcare.
This makes it necessary for organisations to look at investing in new technologies to prevent such attacks from occurring and to take proactive steps to ensure the integrity of the organisation's infrastructure and the safekeeping of its data.
On the rise in 2017
It might be a different calendar year, but that doesn't mean the threats faced by organisations are any different from what they were in 2016. This means we're still having discussions about the security risks inherent in the push for worker mobility, the move to the cloud and the adoption and proliferation of IoT technologies in our lives.
This is because all of these technologies open up new vulnerabilities or points of entry for possible malicious attacks and there is the risk of data and systems being exploited this way.
According to the International Data Corporation (IDC) Global IoT Decision Maker Survey in 2016, some 52% of data that should be protected isn't. This includes financial information and medical records. The IDC also predicts that by 2018 two out of three corporate networks will have experienced an IoT-related security breach.
The Network Barometer Report 2015 showed that organisations aren't yet doing enough to ensure network security and 60% of all network devices have at least one security vulnerability. 76% of vulnerabilities identified in 2014 were more than two years old, and 9% were over 10 years old. Despite these numbers, 74% of respondent organisations still do not have formal incident response plans in place.
As companies start to move their systems into the cloud and look at ways of enabling a mobile workforce, and as more machines connect to the IoT, it makes sense that there would be an increase in cybercrime activity.
This is likely to involve an increase in malware for mobile phones, with attacks combining mobile device locks with credential theft to allow cyber thieves to access bank accounts and credit cards. We're likely to experience an increase in sophisticated attacks on hardware and firmware, while hackers using laptop software will attempt "drone-jackings" for their own criminal or hacktivist purposes.
While Cisco says that there will be 37 billion things connected to the Internet by 2020, today's reality is that IoT malware is already opening backdoors into connected homes and businesses and these vulnerabilities could go undetected for years.
Despite making great strides in enabling worker mobility by implementing IoT-based solutions, organisations have yet to properly consider the impact of the Internet of Things on the corporate network.
Proactive steps to protect
Businesses are coming to the realisation that their data is a target and that their infrastructure and employees are the means to access and exploit it.
The 2015 Global Threat Report shows that finance continues to be the biggest sector targeted, accounting for 18% of all detected attacks, while attacks against businesses and professional services were up 15% from 9%.
Why is this happening? Because the IT landscape is changing. Those businesses that have recently made the move to the cloud, or are in the process of doing so, might not yet realise that the move has revealed vulnerabilities that were not present in an on-premise scenario.
This happens because organisations do not realise that when moving strategy and systems from on-premise to the cloud, the strategy, policy, processes, procedures, systems, and controls all need to be reviewed afresh. It's tempting to think that it is the same system just moved to the cloud, but this is misleading as it is now an entirely different system that requires different settings and controls.
A good start to protecting an organisation from cyber threats is understanding where potential attacks can originate from. Typically, organisations have focused their attention on, for example, perimeter security, without first assessing all vulnerability levels. With the increase of mobile technology and the proliferation of the IoT, the boundaries and perimeters of organisations are no longer as easy to define.
What this means, especially in the move to the cloud, is that the possible entry points into an organisation are multiplying. This makes it necessary for the organisation to conduct a risk assessment that covers their entire infrastructure, systems, and users in order to properly understand the risks and the probabilities involved.
By doing this, it is possible to determine which vulnerabilities can be remedied and which risks can be accepted. Once remedial steps have been taken, it is also essential to conduct security awareness training based on the security measures the organisation has put in place.
How much protection is enough?
Data is core to the digital business. It is the intelligence that can be turned into business opportunity if accessed easily and understood correctly. It is also an organisation's biggest target, as it is intelligence that can be turned into criminal opportunity if accessed and exploited.
So how can organisations protect their data?
With the Protection of Personal Information Act looming on the horizon for 2017, a good starting point for data protection would be for organisations to look at the PCI DSS standard.
While the Payment Card Industry Data Security Standard is concerned with the protection of credit card information, the model itself is concerned with more than just technical security controls. Its twelve requirements also cover other aspects of information protection, such as security awareness and management, data policies, controls, and monitoring and logging.
By aligning to these best practice guidelines, organisations will know that they have put in place at least the basic requirements to make it more difficult for a malicious individual to access and compromise critical data.
By Simeon Tassev, MD and QSA at Galix Networking.