Of the top five most valuable brands in North America in 2019, four were information technology companies. Information technology has provided a backbone of innovation that is pushing global economies forward and delivering the tools needed to support Industry 4.0.
Such a high profile brings its own challenges: cybercriminals have taken note and are targeting the industry with increasing interest. Like all organizations, the information and communications sector are experiencing increased cyber-threats. Any sector that has personal data or intellectual property is at risk of a cyber-attack.
Verizon’s 2019 Data Breach Investigations Report found the info-tech sector is highly susceptible to internal (56%) and external (44%) threats, and financial motives (67%) and industrial espionage (29%) are a major driver. The industry is shown to be particularly vulnerable to DDoS attacks.
In the following pages, we will break down the top five security challenges facing the information technology sector and provide suggestions for mitigating the industry’s growing list of threats.
Challenge 1: Finding qualified people to protect assets & infrastructure
Startups are thriving in the technology sector. Technology, especially digital products, is an area where you can still genuinely launch a company from your bedroom or garage. However, just because the founders of a startup are technical, that does not mean they understand the areas of cybersecurity that could impact their organization or how to protect their assets from attack.
Cybersecurity is a specialized skill and there is currently a serious shortage of qualified and experienced candidates to fill security roles. The (ISC)2 Cybersecurity Workforce Study, published in November 2019, found that 65% of organizations felt there was a shortfall of skilled cybersecurity staff.
In small companies, especially startups, this figure is likely to be even higher and compounded by a lack of funding to pay specialists. In addition, smaller organizations and startups are increasingly using cloud computing to meet their IT needs. According to Flexera’s 2019 State of the Cloud Survey, 94% of respondents use cloud computing; 72% of SMBs stating that security in the cloud was a challenge. Together, the use of web apps to manage essential IT operations and lack of in-house security skills leaves smaller companies like tech startups open to privacy and security issues around data and IP breaches.
Suggested resolution: Awareness training & third-party services
Organizations of any size or maturity can get a head start on cybersecurity issues by using a combination of security awareness training for employees and outsourced security services. In terms of cloud computing, startups need to ensure their choice of vendor will allow them to meet compliance requirements for the cloud apps they use.
Challenge 2: Vulnerabilities in new technology
Building digital products that are competitive on a rapidly evolving global stage means the tech industry is under pressure to constantly innovate. This forces experimentation around technologies that are often themselves immature or untested. These technologies include the blockchain, artificial intelligence, the Internet of Things (IoT) and many other areas such as virtual reality. Often, when new technologies hit the market, there is a rush to integrate your own product to make sure it is competitive and offers the features users expect. In these scenarios, security often becomes an afterthought.
This has been the case, for example, with the IoT. There is massive activity around the IoT. According to GSMA predictions, there will be 25 billion devices on the planet by 2025. A Gemalto (Thales) study found that around half of companies were unable to detect if an IoT device had been breached. Other IoT issues, such as hardcoded default admin passwords, have blighted the IoT industry.
As well as having the early adopter issue of security as an afterthought, the industry itself is a source of vulnerabilities. Software products are subject to life cycle management and testing to ensure fit for purpose. However, this life cycle is not without risk, and vulnerabilities continuously emerge.
A report into web application vulnerabilities found that 82% percent of vulnerabilities were located in application code. Because vulnerabilities are an ongoing issues, software patching is still part of a general security strategy and finding vulnerabilities in code is a never-ending challenge for the industry.
Suggested resolution: Make secure coding a priority
Keeping ahead of the competition requires innovation, but this should never come at the expense of security. Solution designers and architects should always be aware of the technology they use to build their products. This starts by using secure coding techniques.
However, the entire product life cycle needs to include both privacy and security by design as part of the design process. Product testing and staging must incorporate privacy and security; security is paramount, especially in data-rich systems. The technology sector must avoid compounding vulnerabilities by using innovative but vulnerable software in new products.
Challenge 3: Social engineering & misuse of social media
The technology industry is not only an early adopter of using new technology to create a competitive edge, but also new ways of communicating. The tech industry uses social communities like Twitter, Instagram and LinkedIn as promotional platforms and places to discuss industry issues. In fact, the high-tech sector is one of the top five industries on LinkedIn.
When you make a lot of noise, it isn’t just the good guys listening. The problem with social media is the lines of communication can become blurred. Social communities are used by cybercriminals as a vector to commit cybercrime and social platforms are often used by cybercriminals to target users and steal their identity. A survey by Stratecast found that 22% of social media users were victims of a cybersecurity incident.
The targeting can be done both on- and off-platform, using the name of the brand to trick a user into giving away personal data, including login credentials. It isn’t too much of a leap to imagine that a cybercriminal could steal a privileged social media user account and use this as a springboard into an organization by using the account as a doppelgänger.
Suggested resolution: Security awareness training
Make employees of your company aware that social media platforms are places where they need to take care when discussing company and personal information. While it is important to engage the tech community and be involved in industry discussions, doing so with forethought should be second nature to anyone who works for a technology organization.
Have a social media use policy in place and incorporate it into your overall security policy. Security awareness training will also teach your team the dangers of social engineering and how to protect social media account credentials.
Challenge 4: Protecting company intellectual property
High-tech companies create valuable intellectual property (IP). An IP commission report in 2017 found trade secret theft was around 1 to 3 percent of gross domestic product in the U.S. Digital IP, often in the form of digital data like software code or technical documentation, is shared using digital means — including the cloud. A survey by the Cloud Security Alliance found cloud sharing apps were the most frequently requested app in IT-based organizations.
Making assets that contain IP digital has complicated its protection. An example that exemplifies the theft of IP in the industry is that of Avago and Skyworks, two tech companies based in the USA. IP data was stolen by simply attaching documents to emails by two employees and then used as a basis to start-up their own tech company.
The use of shadow IT just makes matters worse, with around 80 percent of employees using web apps without the knowledge or permission of the organization. A Cisco report found that cloud services are the most prevalent form of shadow IT.
Code repositories are also increasingly cloud-based. In the tech industry, the sharing of information and code across remote teams is important to keep the ball rolling in an agile environment. However, by working across cloud-based operations, IP is open to malicious insiders and outsiders in equal measure.
Suggested resolution: Create a culture of security
Making employees of your company aware that your IP extends to ideas and processes within your organization, not just code, should be a part of your ongoing security policy and strategy. You should also ensure robust security measures are in place across the infrastructure that controls your IP.
A culture of security should extend across your multidisciplinary team, from design and architecture to demonstrator creation and code repositories. All aspects of your solution are potentially up for grabs and your IP is at risk — security needs to be an integral part of the creation of your IP.
Challenge 5: Innovating in an API economy
As mentioned earlier, tech companies are under enormous pressure to innovate and stay competitive. This is within the context of a digital world becoming more and more connected through use of internet-enabled devices, machine-to-machine technology and big data. To this end, technology companies are embracing the concept of an API economy.
An API, or Application Programming Interface, is a way that applications can more easily communicate with each other. APIs build ecosystems of functionality to generate platforms and more disparate, yet connected, systems and behaviors. Using an API-approach to building systems means you have to expose your API endpoints. In doing so, you add functionality and features that would otherwise take major effort to build.
It is in the connecting of those dots that security issues can creep in. Connecting the API dots within a system means data flows between each of the API units. In many cases, these data may be the personal data of the user. In a study by (ISC)2, 42% of respondents placed insecure interfaces/APIs as their biggest security concern in public clouds.
Suggested resolution: Authentication & token security
Security of APIs is fundamental to the security of the overall system. The connection between services, if not hardened, will become a focal point for the attack of that system. Areas to focus on are authentication and token security across the API layer and encouraging simplicity of API architecture to remove points of failure.
The information technology industry is a place where amazing things happen. Innovation is the bread and butter of the industry but can also be its Achilles heel in terms of the cybersecurity weaknesses of the sector. Being at the forefront of technology has created the perfect set of conditions in which cybercriminals can flourish.
However, the technology industry is in an excellent position to counter these attacks, not just against their own industry but also on behalf of the organizations that consume their products. Because solution creators are often the cause of breaches (e.g., in the guise of software vulnerabilities), the industry has some challenges. However, many resolutions exist:
- Secure coding techniques, including code reviews
- Secure testing and staging
- Security awareness for teams, including in start-ups
- Cloud providers that meet compliance requisites like the General Data Protection Regulation (GDPR)
- Social media use policies and user education
Having good due diligence around security will not only benefit your own organization, but also your clients. Good security is good business.
- 10 Most Valuable North American Brands, Statistica
- 2019 Data Breach Investigations Report, Verizon
- Cybersecurity workforce Study, (ISC)2
- 2019 State of the Cloud Survey, Flexera
- IoT Infographic 2019, GSMA
- State of IoT Security, Gemalto (Thales)
- 2020 Web Vulnerabilities, Positive Technologies
- Six Security Trends, Stratecast
- A Case of Corporate Espionage, Securonix
- 2019 Cloud Security Report, (ISC)2
- Privacy and metrics of testing and staging environments, CSO Online
- A Guide to the Demographics of LinkedIn Users, Market Mojo
- What is Shadow IT?, SkyHigh
- Managing API Security in the Connected Digital Economy, Akana