Medium and large enterprises are developing and using enterprise applications on a large scale for various purposes, but a lack of encryption, coupled with serious security flaws in such applications, is also rendering enterprises vulnerable to sophisticated hacking operations.
An average medium to large scale enterprise uses between 300 to 500 enterprise applications nowadays, with such applications offering ease of use as well as significant savings in terms of time and investments.
From customer relationship management to resource planning to file sharing, today's cloud-based applications can handle tasks ranging from minuscule to large-scale ones. However, if such applications are developed and put into use without being subjected to extensive vulnerability testing, they may render organisations highly vulnerable to malware injections and data breaches.
According to a report released by security firm Trend Micro, enterprises downloaded 81 percent of their data on applications that didn't include encryption for data at rest. At the same time, since most of these applications were developed without keeping IT security departments in the loop, those teams were also unable to find or patch the vulnerabilities in them.
Lately, enterprises have been creating 'twin applications' that undergo frequent testing to resolve performance issues. These applications help organisations refine the production platforms they mirror and ensure that the latter will perform optimally at all times. However, such twin applications are also targeted by hackers who seek to exploit security flaws as and when they are discovered.
'[W]e believe that while it's poised to transform operations, the product network can be infiltrated by malicious actors aiming to manipulate the system and cause operational disruptions and damages. By manipulating the digital twin itself, these actors can make production processes look legitimate when they have, in fact, been modified,' noted Trend Micro in its report titled Security Predictions for 2018: Paradigm Shifts.
'If a manipulated piece of data or wrong command is sent to an ERP system, machines will be liable to sabotage processes by carrying out erroneous decisions, such as delivery of inaccurate numbers of supplies, unintended money transfers, and even systems overloads,' the firm added.
The firm also spoke about a significant security weakness that impacts organisations across the world: poor credential management. Employees at medium to large enterprises have routinely used weak and easy-to-guess passwords to log in to enterprise platforms, and this hasn't escaped the attention of hackers.
According to Trend Micro, employees not only use weak passwords but also tend to reuse the same passwords across multiple applications, thereby rendering all of them vulnerable to security breaches. Once a hacker correctly guesses or steals a password and enters a network, he/she can remain within the compromised network and steal data over a long period of time.
'Part of the problem with enterprise applications is that there are just so many: keeping track of which passwords we have used for which apps is tricky. On top of this, many apps have frustrating password requirements, stipulating that users must use a certain number of characters, along with a combination of digits, symbols, uppercase letters, and lowercase letters. Quite rightly, many of us have different passwords for different accounts, but this inevitably means we have even more passwords to remember,' says Oz Alashe MBE, CEO of CybSafe.
'For the sake of ease, staff often choose weak passwords when given the option - a short password is both easier to remember and faster to type. To resolve this, businesses should have a simple password policy that encourages staff to choose secure passwords.
'Managers also need to take care to explain the logic behind maintaining proper security. This eases cognitive dissonance, which arises when people believe one thing but are told to act in another way entirely. If employees believe passwords consisting of random strings of capitals, symbols and numbers are overkill, you're always going to have insecure passwords like Password1, regardless of your security guidelines,' he adds.