As companies face increasingly sophisticated cyber threats, they often turn to technology solutions to help protect their data and systems from attacks. But what happens when your company is in the technology industry?
Cyberattacks are increasingly targeting technology companies who often store and handle significant amounts of sensitive data, including personally identifiable information and intellectual property on behalf of their customers. A technology company’s risk depends on the kind of products and/or services that they provide, but security incidents suffered by even small technology vendors can result in poor image, potential stock devaluations, and diminished trust in the company.
The Bigger the Company the More Secure, Right?
Many companies assume that because a technology vendor is large in size that they must have all of the proper security controls in place, but that’s not a safe assumption to make. Yahoo reported two major data breaches in 2016 after the company suffered a state sponsored cyber-attack in 2013 impacting 500 million accounts and a second attack in 2014 where it was estimated that hackers stole the account information belonging to 1 billion users. The company later confirmed that all 3 billion of its accounts were impacted, which resulted in Verizon Communications canceling it’s $4.8 billion acquisition of the company in July 2016.
Microsoft was also in the headlines after the infamous BlueKeep security vulnerability was used as part of the catastrophic WannaCry attack in 2017. BlueKeep is a Remote Desktop Services Protocol (RDP) vulnerability in Microsoft Windows that attacks SMB file sharing services and has been warned about by Microsoft and the National Security Agency.
What Kind of Threats Should You Prepare to Face?
Technology companies and their employees face a variety of cyberthreats, including advanced persistent threats (APTs) and social engineering fraud like phishing attacks. Like many other industries, technology companies often suffer cyber-attacks due to security flaws and failure to update software or patch systems. Understandably, there’s a resistance to upgrading software when the version in use is familiar, and understood from a functionality standpoint. Unfortunately, that same software is well known to hackers who are constantly looking to known vulnerabilities to exploit. Learn more about the dangers of operating outdated software in our whitepaper The Problem with Running Outdated Software.
Tech companies also tend to be early adopters of new technologies, frequent mobile device users which have been found to not be secure, and often embrace open environments that make it more difficult to defend every device in their IT environment. All of this makes the attack surface more difficult to protect as the net is cast so wide, but fortunately, these companies are also quick to adopt processes and technologies to help protect them protect data and defend against cyber-attacks.
The Solution? The Essential Security Controls & a DevSecOps Strategy
As one of the industries that’s experiences some of the most public breaches, it’s critical for these organizations to continuously monitor systems and assess their integrity of their security posture. It’s highly recommended that these companies adopt a framework approach to security using frameworks like the CIS Controls and also segment their data so that customer data is stored separately from company data. The CIS Controls help simplify security by outlining 6 Basic Controls that underpin every cybersecurity initiative, with 14 others recommended based on your organization’s risk profile.
As innovative as these companies tend to be, we need them to continue to innovate and set an example for others in cybersecurity. One suggestion that security professionals should all agree on is that technology products and software should be designed with security built in, not added on as an afterthought. This concept can be described as DevSecOps, which considers security at all stages of the development cycle. To learn more about this strategy and how to implement across your organization, read my latest blog post on How to Move from a DevOps to a DevSecOps Approach.
Share this post