Cypher

Leave the world behind

We take for granted the many information flows that keep us driving, flying, binge watching, drinking safe water, texting and shopping. A recent Netflix movie starring Julia Roberts and Ethan Hawke (and hence the title of this post) offers an extreme example of things that can go wrong when a country’s digital networks are attacked.


Big and emerging threats

Netflix isn’t always real. But like they say, there ain’t no smoke without fire. Here are some of the more (un)popular ways in which business security is getting compromised:

1. Ransomware

Ransomware is like a thief locking up your personal stuff and demanding money to unlock it. In the digital world, attackers lock up your computer files. There were over 500 million ransomware attacks globally in 2023.

In one instance, a ransomware group, ALPHV, aka BlackCat, got into Lehigh Valley Health Network’s computer system. They leaked images of patients along with medical questionnaires, passports, and other sensitive patient data after the healthcare provider refused to pay the ransom demanded. LVHN has since faced lawsuits in relation to this ransomware attack.

2. Vishing (aka voice phishing) and Smishing (aka SMS phishing)

Vishing is like a con artist calling you pretending to be someone they’re not. They want to trick you into giving away personal information, like your password or credit card number. Smishing is the same, except instead of a call, you get an SMS from the impersonator.

In 2023, hackers claiming to be the USPS ran a smishing campaign to obtain bank details and personal addresses.

3. Third-party exposure

Imagine you’re playing a video game that connects to different online services for extra features. Now, if one of those services gets hacked, it’s like leaving a backdoor open for thieves to sneak into your game and steal your private information. This is similar to what happens with business software, especially with apps that companies use for work, like Microsoft 365 or Google Workspace.

These apps can connect to many other smaller apps, sort of like add-ons in your game. But sometimes, these extra apps ask for more access than they should, like the ability to read or delete files. This can be risky because it creates more ways for hackers to sneak in and grab sensitive information.

In 2020, sophisticated attackers believed to have been directed by the Russian intelligence service compromised SolarWinds software. They embedded it with malware that was then deployed through a product update, giving them backdoor access to all of SolarWinds Orion Platform customers’ networks. Up to 18,000 customers installed updates that left them vulnerable to hackers, including Fortune 500 companies and multiple agencies in the U.S. government.

4. Data privacy in generative AI

The foremost concern here is ensuring the confidentiality and integrity of proprietary data. Generative AI models require large datasets for training, which often include sensitive company information. There’s a risk of data exposure where sensitive training data can be inferred from the model, or through data leakage in AI outputs.

In a class action filed in 2023, people alleged that OpenAI, Microsoft, and their respective affiliates violated the privacy rights of millions of internet users through the large-scale scraping of their personal data from social media, blog posts, and other websites, and the use of those data to train machine learning models.

Generative AI and its impact on cybersecurity merits a more detailed look in a separate blog post.

5. OT security in physical industries

Operational Technology (OT) controls machines in industries like manufacturing. If this tech gets hacked, it can cause real-world damage. OT controls everyday things like building management platforms, fire control systems and physical access control mechanisms. Much of this automation has headroom for better security.

State actors recently targeted water plants across the country.

6. EV car hacking

Electric vehicles are more software than hardware today. These machines are linked to a central system within the vehicle, and all components are connected to one another and to apps. This connectivity has made EVs more vulnerable to hacking.

The chargers used to refuel connect to the car’s computer and communicate with it to manage charge level, voltage, and other metrics. This can leave EVs vulnerable to malware or to chargers maliciously altered to damage cars, for example by using the incorrect voltage.

Tesla suffered a data breach that was the result of an insider data leak, not a takeover of the EV world as we know it.

Emerging technologies extend the ways in which threats can appear. Given our access to information, you’ll have a better chance of countering a threat if you Google or ChatGPT it than if you think the apocalypse is here.
