As major cyber-attacks in the form of WannaCry and Petya become increasingly common, businesses should look beyond servers and desktops, and also protect other platforms vulnerable to cybercriminals, says software company Symantec.
The deep penetration of mobile devices (that reaches 110% in Asean), as well as the mainstream adoption of cloud and the Internet of Things (IoT) technologies has left a slew of devices open to attacks.
Symantec's Internet Security Threat Report (ISTR) revealed that many of the threats observed against these platforms in 2016 are likely to continue this year.
Symantec found a 200% increase in attempted attacks against IoT devices over the course of 2016. "At times of peak activity, the average device was attacked once every two minutes," said Sherif el-Nabawi, senior director of Systems Engineering, Asia-Pacific, at Symantec.
In the public's mind smartwatches and smart home assistants like Google Home or Amazon Echo are some of the most representative IoT devices. However, the most commonly targeted device could be something as simple as routers or internet-connected cameras, according to Mr el-Nabawi.
Unlike desktop computers or laptops, which usually carry updated security software, these IoT devices' only protection may be easily guessed default usernames and passwords. "Default passwords are still the biggest security weakness for IoT devices, and the most common password tested by attackers is 'admin'," said Mr el-Nabawi.
According to Gartner, 8.4 billion IoT devices will be in use at the end of 2017, up 31% from 2016, and will reach 20.4 billion by 2020.
According to the American software security firm, the most important trend in cybersecurity last year was an increase in email malware rates. "The rate jumped from 1 in 220 emails in 2015 to 1 in 131 emails in 2016, and these malicious emails hit businesses of all sizes, commonly disguised as an invoice or receipt with an attachment," he said.
Slightly more than half of emails received today are scam, and a growing proportion of these contains malware. This increase has been largely driven by a professionalisation of malware spamming operations. There are now third parties who specialise in conducting major spam campaigns.
Cloud apps like Office 365, Google and Dropbox are commonly used to share sensitive information between corporate IT systems, mobile applications and cloud services.
At the end of 2016, the average enterprise organisation was using 928 cloud apps, up from 841 earlier in the year. Most chief information officers widely underestimate this number, and claim to use 30 or 40 cloud apps. The widespread adoption of cloud applications in corporations is also widening the scope for cloud-based attacks.
This should be a major concern for business leaders, since data stored in the cloud can be shared internally, externally, and even with the public. "Often, the lack of policies and procedures around how users in an organisation use cloud services increases the risk of cloud app use," says Mr el-Nabawi.
Cloud attacks are still in their infancy, but 2016 saw the first widespread outage of cloud services because of a denial of service campaign.
IoT, email and cloud are new attack frontiers, but they have the potential to put business and customer data at greater risks than conventional platforms.
"Many IoT devices gather personal data and rely on cloud services to store that data in online databases," he adds.
As cyber-attacks become increasingly common and sophisticated, Mr el-Nabawi advises businesses to prepare for the worst, provide employees with ongoing training about malicious email, and implement a multi-layered defence system.
This system, he adds, should include security gateways, mail server and endpoint, as well as "two-factor authentication, intrusion detection or protection systems, website vulnerability malware protection, and web security gateway solutions throughout the network."
