In its 2015 Annual Security Threat Report, released last week, Dell looks at trends from the 2014 security landscape and suggests methods to mitigate new and growing risks, focusing on eight key findings.
Point-of-Sale (“POS”) Malware
At the forefront of the list, Dell notes a surge in POS malware attacks, such as those responsible for the larger retail breaches of 2014, where millions of personally identifiable records were stolen. At the very least, Dell suggests updating the operating systems of POS remote terminals as well as restricting them to communicating only with recognized IP addresses. Dell also brings employee security training into the discussion, noting that 56% of companies admit that their employees may not be fully aware of their security rules.
Attacks on Supervisory Control and Data Acquisition (SCADA) systems are also on the rise, doubling from the year before. In a recent post, Norton Rose Fulbright provided background on energy-related security concerning such attacks, including those implicating SCADA systems. SCADA systems control remote equipment and read telemetry from remote sensors. Unlike POS attacks, the SCADA intrusions seen last year were more political in nature, generally targeting power plants, factories, and refineries. Because SCADA is unlikely to contain personally identifiable information, these attacks need not be reported under data breach laws, but industry-specific compliance may be warranted in certain cases. Dell anticipates a rise in the number of future SCADA attacks, at least in part because of the age of these systems, and because information about attacks is not often shared between companies. Predictably, Dell recommends updates to the software and hardware of the systems, and suggests that SCADA operators report and share penetration attempts to help the industrial community prepare for and combat the threat.
Though Dell praises the use of point-to-point encryption of data, it cautions that hackers are exploiting encrypted traffic to hide their malware, and it recommends implementing SSL inspection. Dell also predicts a dramatic increase in malware targeting wearable devices and smartphones. The Report likewise points out the susceptibility of home routers, and suggests changing the default settings and implementing firmware updates, especially for employees who sometimes work from home. Finally, Dell reiterates basic security policies, such as educating employees on the importance of security, using two-factor authentication on remote devices, and having a detailed and well-communicated incident response plan.
Dell’s Report is further evidence that institutions in all industries should plan and prepare for an increase in cyber-attacks in the coming years. Those holding personally identifiable information, in POS systems for example, should keep their cyber security protocols current and educate employees. In addition, companies may want to consider a detailed and well-practiced incident response plan in the event of a data breach. Depending on the industry, those institutions operating SCADA equipment may well have certain regulatory obligations, either currently in effect or pending. It is clear from Dell’s Report and others that cyber-attacks are on the rise, but with the right planning and training, companies can mitigate the risk and lower liability.