Web applications remain biggest threat to cybersecurity

One of the biggest threats facing organizations related to cybersecurity involves web application security. Organizations continue to use custom-developed and off-the-shelf web applications, and they present significant cyber risk because of the vulnerabilities that are typically in them.

It’s important that, before any web application goes live, companies perform appropriate cybersecurity tests. This can happen either when it’s initially developed or after significant changes are made. Ideally this testing would involve experienced cyber analysts experienced in testing against applications based on the Open Web Application Security Project Top 10 for web applications and APIs.

Most off-the-shelf enterprise applications that organizations use today have security controls built in. The challenge is to implement those controls properly. It’s important to do that once a new application is implemented so that you get the full security benefit of the features.

Potential disruptors facing organizations are concepts used to secure our federal information systems moving into the private sector, like zero trust. Zero trust means giving users no access until they can prove why they need it.

While many organizations may not fully adopt a zero-trust approach, using some parts of this concept helps improve posture and  protect sensitive data and unauthorized system access.

Organizations will see regulations with an increased focus on privacy laws, ensuring that they maintain the privacy of their customer data. We’ll also see an increase in state-level cyber regulations.

We’ve also seen a recent expansion in scope for some organizations with requirements for GLBA, that require penetration testing, vulnerability scanning and continuous monitoring of servers and endpoints.

By 2025 more than 75% of the world’s population likely will be covered by privacy laws. These laws include General Data Protection Regulation in the EU and privacy laws by states in the U.S. to protect consumer data.

Department of Defense contractors will be faced with what’s known as the Cybersecurity Maturity Model Certification. CMMC, as it’s also known, will be a requirement for all DoD contractors doing business with the federal government.

The DoD realized it’s critical that vendors in the defense industry implement security controls to protect sensitive data belonging to the federal government.

They instituted the CMMC requirements, which likely will go into effect by mid-2023. All DoD contractors will be required to comply at some level with a cybersecurity maturity model certification. They also will be required to have a third-party audit attesting to their level of cybersecurity maturity in accordance with the CMMC model.

In addition to third-party audits, organizations should engage with professionals to help them get ready for their CMMC audit. It’s no secret that CMMC compliance will require a significant amount of time, resources and effort for organizations to maintain compliance.

Users continue to be the weakest link in the cyber security chain. Organizations must focus on routine training and awareness of their end users and IT personnel related to cybersecurity risks and threats.

They also must align their IT controls with their manual or financial internal controls. This helps mitigate risks such as financial fraud resulting from business email compromises as these attacks continue to rise and result in lost funds.

Organizations also should focus on engaging their senior leadership and boards of directors in their cyber risk management programs. A challenge we often see is organizations making investments in cybersecurity tools and systems, but not making investments in the resources they need to manage them.

Cyber threats will continue to evolve, and breaches will occur more frequently. It’s important for organizations to develop a proactive cyber risk management program to effectively test for and mitigate these risks.

Brad Pierce serves as the chief information security officer for HORNE and leads cybersecurity programs and initiatives. He also manages cybersecurity operations for the firm and its clients, collaborating with executive leadership teams to strengthen their security systems.



More Insights

HORNE opens office in Metairie to benefit clients, team members

HORNE, a professional services firm, has opened an office in Metairie, Louisiana, to better serve clients in the...


From Baby Boomers to Gen Z: Can they actually work well together?

In today’s evolving workplaces, it’s common to see baby boomers to gen z working together in the same company. How can different generations work...


A deeper look at the generations

The workplace is no stranger to diversity, including race, religion and culture. But in the last few years, there has been a significant increase in...


4 ways to build bridges with multiple generations in the workplace

Those in management positions or roles of influence should learn the best ways to connect and manage each generation in a way that encourages a...


Five ways your Due Diligence provider can deliver value

In the course of an acquisition, “due diligence” is often regarded as a built-in part of the process – a formality to be checked off once...


HORNE Board of Directors admits new partner

Chandler Croom, who works in HORNE’s Franchise services group, was admitted as a partner, effective January...


Talk to an expert today.