Left to right, Richard Barretto, Jim Miles (Director of North American ISV at Progress), Mike Fugal & Nectar Daloglou
Cyber threats are one of the biggest IT challenges organizations face today. At the recent Progress User Group (PUG) Conference held in Waltham, Boston, Progress Senior Vice President & Chief Information Security Officer Richard Barretto shared an overview of Progress's comprehensive security practices to safeguard its users' systems and data.
In this article, we will recap some of those Best Practices so that you and your organization can foster a security-first culture, maintain efficient operations, and stay ahead of regulatory compliance.
These days, it's easier to ask where it is safe. Ransomware, Malware, Supply Chain, Phishing, and IoT. The potential for a breach is everpresent. It may seem hopeless, but as Richard pointed out, we have many tools and strategies at our disposal to protect our private data.
Ransomware will continue to be a significant threat to organizations of all sizes in 2024 and beyond. Cybercriminal ransomware-as-a-service resources that are widely available for anyone to use have lowered the bar for entry to people looking to profit from this type of attack.
A total of 66% of all organizations were impacted by ransomware in 2023, according to Sophos' The State of Ransomware Report.
Ransomware is the most common type of malware that organizations are likely to encounter in 2024. Other types of malware that could target organizations include Spyware, Keyloggers, Trojans, Worms, and Bots.
Upstream and downstream business partners in the supply chain can be a source of cyberattacks. This means that threats originating via linked IT systems need to be quantified and mitigated.
The risk of supply chain attacks will be high in 2024. These attacks aim to compromise a company's network by exploiting vulnerabilities in its third-party suppliers, software, or service providers. Organizations must prioritize building stronger supply chain resilience to mitigate this significant risk. IT teams can achieve this by focusing on proactive vendor security assessments, rigorous software management, network monitoring and incident response planning.
Frequently, people are the weakest link in the security chain. This statement isn't to disparage anyone — we all make mistakes, but defenders must incorporate this fact into cybersecurity planning. The sophistication of social engineering attacks, like phishing emails, is still a successful attack vector and a source for gathering data for future attacks.
A Hong Kong company recently transferred the equivalent of $25.6M to cyber criminals after a scam featuring a digitally recreated version of the company's chief financial officer, along with other employees, who appeared in a video conference call instructing an employee to transfer funds.
These attacks are becoming more sophisticated as criminals use LLMs (as mentioned above) and deep fake AI video generation tools to compose more realistic emails, videos, dummy websites, and other collateral to trick people into clicking malicious links or divulging data they shouldn't.
Internet of Things (IoT) sensors and devices are expanding almost exponentially in the built environment and manufacturing. Some of these IoT devices have notoriously poor security. We've all heard of cases where a series of these devices get shipped out with the same admin account and password. One that often doesn't get changed during deployment.
This expansion of IoT devices increases the attack surface, which introduces easily exploitable vulnerabilities. If the IoT devices have access to other network systems, this can open a back door for anyone who knows the default account settings.
Cybersecurity Ventures predicts that the global cost of cybercrime will be over $9 trillion in 2024 and that this figure will increase by approximately 15%, with steady growth in the years to come.
These are sobering figures, and a significant proportion of the overall cybercrime costs to businesses and other organizations will be due to the costs associated with dealing with data breaches. Ransomware recovery operations will also be a sizable chunk of the overall figure. The last few years have demonstrated that cybercriminals are relentless opportunists who will exploit every opportunity to extort money from their victims or sell stolen data to others.
In his presentation, Richard Barretto explained that having a proactive and open conversation company-wide was one key to an effective strategy for protecting ourselves from cyber-attacks.
Richard's presentation included other, more down-to-earth suggestions, such as implementing the latest IT tools and outsourcing security where needed.
Some of the suggestions were to:
Nectar Daloglou, the founder of OmegaServe and Mike Furgal, Senior DBA, former Progress Managed Database Services Director and current OmegaServe staff consultant, held a technical presentation on Cybersecurity for OpenEdge at the same PUG conference.
In that presentation, Nectar and Mike shared some detailed Progress OpenEdge specific techniques for securing your databases and being prepared should the worst occur and you need to restore your systems without causing disruptions to your 24/7/365 mission-critical operations.
Follow this link to our website if you want a copy of the technical presentation slide deck and access to a recent webinar in which Nectar and Mike discuss this subject in detail.
References
The Cybersecurity Threat Landscape in 2024 by Progress Software and Sophos State of Ransomware
Read our recent post on Securing Progress OpenEdge Data