Web applications remain biggest threat to cybersecurity

One of the biggest threats facing organizations related to cybersecurity involves web application security. Organizations continue to use custom-developed and off-the-shelf web applications, and they present significant cyber risk because of the vulnerabilities that are typically in them.

It’s important that, before any web application goes live, companies perform appropriate cybersecurity tests. This can happen either when it’s initially developed or after significant changes are made. Ideally this testing would involve experienced cyber analysts experienced in testing against applications based on the Open Web Application Security Project Top 10 for web applications and APIs.

Most off-the-shelf enterprise applications that organizations use today have security controls built in. The challenge is to implement those controls properly. It’s important to do that once a new application is implemented so that you get the full security benefit of the features.

Potential disruptors facing organizations are concepts used to secure our federal information systems moving into the private sector, like zero trust. Zero trust means giving users no access until they can prove why they need it.

While many organizations may not fully adopt a zero-trust approach, using some parts of this concept helps improve posture and  protect sensitive data and unauthorized system access.

Organizations will see regulations with an increased focus on privacy laws, ensuring that they maintain the privacy of their customer data. We’ll also see an increase in state-level cyber regulations.

We’ve also seen a recent expansion in scope for some organizations with requirements for GLBA, that require penetration testing, vulnerability scanning and continuous monitoring of servers and endpoints.

By 2025 more than 75% of the world’s population likely will be covered by privacy laws. These laws include General Data Protection Regulation in the EU and privacy laws by states in the U.S. to protect consumer data.

Department of Defense contractors will be faced with what’s known as the Cybersecurity Maturity Model Certification. CMMC, as it’s also known, will be a requirement for all DoD contractors doing business with the federal government.

The DoD realized it’s critical that vendors in the defense industry implement security controls to protect sensitive data belonging to the federal government.

They instituted the CMMC requirements, which likely will go into effect by mid-2023. All DoD contractors will be required to comply at some level with a cybersecurity maturity model certification. They also will be required to have a third-party audit attesting to their level of cybersecurity maturity in accordance with the CMMC model.

In addition to third-party audits, organizations should engage with professionals to help them get ready for their CMMC audit. It’s no secret that CMMC compliance will require a significant amount of time, resources and effort for organizations to maintain compliance.

Users continue to be the weakest link in the cyber security chain. Organizations must focus on routine training and awareness of their end users and IT personnel related to cybersecurity risks and threats.

They also must align their IT controls with their manual or financial internal controls. This helps mitigate risks such as financial fraud resulting from business email compromises as these attacks continue to rise and result in lost funds.

Organizations also should focus on engaging their senior leadership and boards of directors in their cyber risk management programs. A challenge we often see is organizations making investments in cybersecurity tools and systems, but not making investments in the resources they need to manage them.

Cyber threats will continue to evolve, and breaches will occur more frequently. It’s important for organizations to develop a proactive cyber risk management program to effectively test for and mitigate these risks.

Brad Pierce serves as the chief information security officer for HORNE and leads cybersecurity programs and initiatives. He also manages cybersecurity operations for the firm and its clients, collaborating with executive leadership teams to strengthen their security systems.



More Insights

Demystifying OSHA Inspections and Enhancing Workplace Safety

Are you confident that your team is prepared for an OSHA site visit? If the answer is no, or if you want to be more prepared, then join us as we...


Market Dislocations: Bid-Ask Spread and Risk Premium in Healthcare

We have been hearing about a “bid-ask spread” issue in the lower middle market healthcare space for a significant time, and I wanted to discuss...


HORNE’s Board of Directors Announces New CFO

HORNE’s Board of Directors recently appointed Kennon Breaux as the firm’s chief financial...


HORNE Board of Directors Announces New Director of AI and Innovation

HORNE’s Board of Directors recently appointed Naveen Khan as the director of AI and Innovation for HORNE’s Intelligence and Automation...


Section 3 in HUD Programs

If you represent a HUD organization that regularly receives Federal funds, you are probably familiar with requirements relating to Federal Labor...


Compliance with Federal Environmental Review Requirements

Did you know that every Federally-funded project must undergo an environmental review before any funds can be spent, or even committed to a project?...


Talk to an expert today.