Security Challenges – Three Thoughts for the New Year
2021 was a challenging year in cybersecurity, and there’s no reason to believe that the challenges will end. As we approach 2022, all businesses, large and small, need to address some basic issues that impact the security of their systems and their customers.
- Vendors. No company stands alone – they depend on a multitude of vendors and third parties to operate. These range from point-of-sale systems to HVAC operators to property management systems. Every vendor that has access to company systems – and it’s surprising how many do – presents a threat. When they have access to a company’s network, that creates an opening for a bad actor. Even more, each vendor relies on a variety of vendors themselves, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the company’s network. And as we’ve discovered from the breaches caused by the highly publicized SolarWinds software and the more recently discovered Log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.
- Internet of Things. The Internet of Things – the elf on the shelf, alarm systems, internet-enabled HVAC, solar panels, and public Wi-Fi systems – has long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” (https://techcrunch.com/2021/12/17/security-flaws-wifi-gateway-hundreds-hotel/). The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; the attacker is then able to use that knowledge to access and exfiltrate guest records, or reconfigure the gateway’s networking settings to redirect unwitting guests to malicious webpages. This is not something unique to hotels – everything that connects to your system is a potential weak spot in cybersecurity.
- Social Media. Virtually all companies use social media to promote their businesses and attract customers. But social media depends on the collection and use of personal information, and that information can make companies a prime target of bad actors. Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks. When a threat actor gains access to a network – which could be your network – they can pose an existential threat to a business through ransomware, extortion, denial of service and other attacks.
These are not the only security risks that companies face in 2022, but they demonstrate a conundrum – the very things that create security challenges are also essential for operations. Internet-enabled devices are ubiquitous and essential to business. Social media is a key part of marketing, giving firms the ability to target potential customers at a relatively low cost; that ability is especially important during the current economic challenges. Vendors cannot be eliminated; there are too many functions that require special skills and experience that companies cannot effectively bring in house, at least at a reasonable cost.
But this does not mean that companies can simply throw up their hands. If businesses make reasonable security efforts, they can control their risks and reduce the likelihood of a breach and the damage it would bring. Organizations like the National Institute of Standards and Technology have created frameworks to help companies evaluate and address their risks (https://nvlpubs.nist.gov).
The Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group works with companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com) or Mike Gold (mgold@jmbm.com).
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.