Web applications remain biggest threat to cybersecurity

One of the biggest threats facing organizations related to cybersecurity involves web application security. Organizations continue to use custom-developed and off-the-shelf web applications, and they present significant cyber risk because of the vulnerabilities that are typically in them.

It’s important that, before any web application goes live, companies perform appropriate cybersecurity tests. This can happen either when it’s initially developed or after significant changes are made. Ideally this testing would involve experienced cyber analysts experienced in testing against applications based on the Open Web Application Security Project Top 10 for web applications and APIs.

Most off-the-shelf enterprise applications that organizations use today have security controls built in. The challenge is to implement those controls properly. It’s important to do that once a new application is implemented so that you get the full security benefit of the features.

Potential disruptors facing organizations are concepts used to secure our federal information systems moving into the private sector, like zero trust. Zero trust means giving users no access until they can prove why they need it.

While many organizations may not fully adopt a zero-trust approach, using some parts of this concept helps improve posture and  protect sensitive data and unauthorized system access.

Organizations will see regulations with an increased focus on privacy laws, ensuring that they maintain the privacy of their customer data. We’ll also see an increase in state-level cyber regulations.

We’ve also seen a recent expansion in scope for some organizations with requirements for GLBA, that require penetration testing, vulnerability scanning and continuous monitoring of servers and endpoints.

By 2025 more than 75% of the world’s population likely will be covered by privacy laws. These laws include General Data Protection Regulation in the EU and privacy laws by states in the U.S. to protect consumer data.

Department of Defense contractors will be faced with what’s known as the Cybersecurity Maturity Model Certification. CMMC, as it’s also known, will be a requirement for all DoD contractors doing business with the federal government.

The DoD realized it’s critical that vendors in the defense industry implement security controls to protect sensitive data belonging to the federal government.

They instituted the CMMC requirements, which likely will go into effect by mid-2023. All DoD contractors will be required to comply at some level with a cybersecurity maturity model certification. They also will be required to have a third-party audit attesting to their level of cybersecurity maturity in accordance with the CMMC model.

In addition to third-party audits, organizations should engage with professionals to help them get ready for their CMMC audit. It’s no secret that CMMC compliance will require a significant amount of time, resources and effort for organizations to maintain compliance.

Users continue to be the weakest link in the cyber security chain. Organizations must focus on routine training and awareness of their end users and IT personnel related to cybersecurity risks and threats.

They also must align their IT controls with their manual or financial internal controls. This helps mitigate risks such as financial fraud resulting from business email compromises as these attacks continue to rise and result in lost funds.

Organizations also should focus on engaging their senior leadership and boards of directors in their cyber risk management programs. A challenge we often see is organizations making investments in cybersecurity tools and systems, but not making investments in the resources they need to manage them.

Cyber threats will continue to evolve, and breaches will occur more frequently. It’s important for organizations to develop a proactive cyber risk management program to effectively test for and mitigate these risks.

Brad Pierce serves as the chief information security officer for HORNE and leads cybersecurity programs and initiatives. He also manages cybersecurity operations for the firm and its clients, collaborating with executive leadership teams to strengthen their security systems.

READ MORE OF OUR LATEST INSIGHTS

SEE AROUND CORNERS.
INDUSTRY EXPERTISE DELIVERED.

More Insights

Interchangeability Provisions for CDBG-DR and CDBG-MIT Funds

Toward the end of 2023, the U.S. Department of Housing and Urban Development (HUD) introduced important guidance for the interchangeable use of...

READ MORE

Building Resilience: Mental Health and Suicide Prevention in Construction

With the highest suicide rate of any occupation, the construction workforce faces unique challenges that require targeted support. Join us for a...

READ MORE

Blueprints for Success: A Webinar Series for Construction Leaders

Build a stronger, more sustainable business with our exclusive Blueprints for Success webinar series. Designed for construction leaders, each session...

READ MORE

2024 Mid-Year Contractor Tax Planning Checklist

Our partners at CICPAC Tax Thought Leadership Committee have compiled a brief summary of various tax planning issues potentially impacting the...

READ MORE

HORNE Board of Directors Announces Intelligence & Automation Director

HORNE’s Board of Directors recently appointed Bob Harland as a director in HORNE’s Intelligence and Automation team....

READ MORE

Talk to an expert today.