Parasoft announces the opening of its new office in Northeast Ohio.
Nightmare Before Christmas: Why Cyber Leaders Should Safeguard for the Holiday Season
September 28, 2022
Cybersecurity attacks increase each year over the holidays, and considering the spike in supply chain-based and zero-day attacks as of late, the 2022 holiday season is bound to be more extreme.
Some reports cite a 30% increase in ransomware attacks during that time year-over-year, and cybersecurity experts and officials alike warn of cybercriminals taking advantage of companies that let their guards down — especially during the holiday shopping season.
The holidays are right around the corner, so now is the time for developers to run stress tests and assess their code for vulnerabilities to mitigate a last-minute scramble.
Why? What worked last year might not work this year. Hackers and cyber attackers often move faster than companies — and they can target not only your organization, but also vendors whose code is embedded in your product.
Here are three steps business and security leaders can take now to bolster security for the holiday season:
1. Remediate your way out of being an easy target
Some organizations view security as an "I'll fix it later" problem, versus prioritizing mitigation of the issue in the first place. That's a risky, expensive mentality — ransomware payment amounts are up 12.7% from just two years ago, with an all-time high average cost of a data breach estimated at $4.35M. Further, putting security on the backburner inevitably creates a backlog of issues that will need resolving eventually, leaving engineers in an endless cycle of fixing.
This problem occurs year-round, but these backlogs get especially overwhelming during the holiday season, causing organizations to be a much easier target for hackers. One survey of cybersecurity professionals whose companies experienced a holiday or weekend ransomware attack found that despite 89% of respondents expressing concern about a repeat event, 36% of respondents reported having no contingency plans.
But most businesses can't afford to ignore security until a multi-million dollar cybercriminal attack.
Simply put, there is too much emphasis on detecting (acting reactively) and not enough time spent remediating (acting proactively). Remediation, particularly in a prioritized way, can transform your business from an easy target to a well-oiled machine, ready to thwart any potential threat.
2. Fortify manual efforts with automation
Automation excels in areas where you want to alleviate developer hours spent, such as tedious tasks like detecting where sensitive data is stored or creating pull requests that are ready to merge. Developers who have automation tools at their disposal can spend more time focusing on the hard-to-remediate issues that require human judgment.
Automation can also reduce human error, which spares the entire team time, energy, and headaches. For example, there are tools that can help ensure issues or vulnerabilities get addressed correctly and efficiently, eliminating the impact of an incorrectly patched vulnerability or overlooked detail down the line.
Granted, good automated security practices require a sufficient amount of automated quality testing. You must ensure that fixing a security issue doesn't create an operational or functional problem. An updated and functional regression suite is a must.
Companies that don't fully leverage automation can risk leaving themselves severely exposed and tend to be inadequately equipped to navigate threats that continue to crop up, especially during the holiday season.
3. Cover your bases outside of the security team
Many cyber leaders are focused on security and developer teams to secure their businesses against holiday season cyberattacks. But efforts to secure important data and information should go beyond these teams, in the form of both company-wide education and safety guardrails related to sensitive information or data.
Important steps to take to close any gaps or potential entryways for attacks include:
1. Improving and enforcing cyber awareness training for staff, including non-technical teams. Refreshers on phishing scams, or correspondence sourcing sensitive information or soliciting links and downloads, can be helpful for employees at all levels and departments.
2. Mandating multi-factor authentication for important accounts. Making this extra layer of security a requirement for certain accounts, like employee email, moves the needle in making it harder for hackers to take advantage of known, weak or reused passwords to steal data.
3. Keep software updated and back up all important data. Employees across teams should be encouraged to keep their personal and company technology updated and consistently checked for viruses or malware. Even so, it's worthwhile to operate in the cloud (with the above guidance in place) or on-prem in a fashion that ensures the preservation of all important data.
Cybercriminals are banking on lax oversight during the holiday season, but by taking a vigilant, proactive, and remediation-first approach early on, they will be met with a more difficult challenge. Cyber leaders should consider the holiday season already underway, and act now to set their team up for success.
Industry News
May 02, 2024
Postman released v11, a significant update that speeds up development by reducing collaboration friction on APIs.
May 02, 2024
Sysdig announced the launch of the company’s Runtime Insights Partner Ecosystem, recognizing the leading security solutions that combine with Sysdig to help customers prioritize and respond to critical security risks.
May 02, 2024
Nokod Security announced the general availability of the Nokod Security Platform.
May 02, 2024
Drata has acquired oak9, a cloud native security platform, and released a new capability in beta to seamlessly bring continuous compliance into the software development lifecycle.
May 01, 2024
Amazon Web Services (AWS) announced the general availability of Amazon Q, a generative artificial intelligence (AI)-powered assistant for accelerating software development and leveraging companies’ internal data.
May 01, 2024
Red Hat announced the general availability of Red Hat Enterprise Linux 9.4, the latest version of the enterprise Linux platform.
May 01, 2024
ActiveState unveiled Get Current, Stay Current (GCSC) – a continuous code refactoring service that deals with breaking changes so enterprises can stay current with the pace of open source.
May 01, 2024
Lineaje released Open-Source Manager (OSM), a solution to bring transparency to open-source software components in applications and proactively manage and mitigate associated risks.
May 01, 2024
Synopsys announced the availability of Polaris Assist, an AI-powered application security assistant on the Synopsys Polaris Software Integrity Platform®.
April 30, 2024
Backslash Security announced the findings of its GPT-4 developer simulation exercise, designed and conducted by the Backslash Research Team, to identify security issues associated with LLM-generated code. The Backslash platform offers several core capabilities that address growing security concerns around AI-generated code, including open source code reachability analysis and phantom package visibility capabilities.
April 30, 2024
Azul announced that Azul Intelligence Cloud, Azul’s cloud analytics solution -- which provides actionable intelligence from production Java runtime data to dramatically boost developer productivity -- now supports Oracle JDK and any OpenJDK-based JVM (Java Virtual Machine) from any vendor or distribution.
April 30, 2024
F5 announced new security offerings: F5 Distributed Cloud Services Web Application Scanning, BIG-IP Next Web Application Firewall (WAF), and NGINX App Protect for open source deployments.
April 29, 2024
Code Intelligence announced a new feature to CI Sense, a scalable fuzzing platform for continuous testing.
April 29, 2024
WSO2 is adding new capabilities for WSO2 API Manager, WSO2 API Platform for Kubernetes (WSO2 APK), and WSO2 Micro Integrator.
