Web applications remain biggest threat to cybersecurity

One of the biggest threats facing organizations related to cybersecurity involves web application security. Organizations continue to use custom-developed and off-the-shelf web applications, and they present significant cyber risk because of the vulnerabilities that are typically in them.

It’s important that, before any web application goes live, companies perform appropriate cybersecurity tests. This can happen either when it’s initially developed or after significant changes are made. Ideally this testing would involve experienced cyber analysts experienced in testing against applications based on the Open Web Application Security Project Top 10 for web applications and APIs.

Most off-the-shelf enterprise applications that organizations use today have security controls built in. The challenge is to implement those controls properly. It’s important to do that once a new application is implemented so that you get the full security benefit of the features.

Potential disruptors facing organizations are concepts used to secure our federal information systems moving into the private sector, like zero trust. Zero trust means giving users no access until they can prove why they need it.

While many organizations may not fully adopt a zero-trust approach, using some parts of this concept helps improve posture and  protect sensitive data and unauthorized system access.

Organizations will see regulations with an increased focus on privacy laws, ensuring that they maintain the privacy of their customer data. We’ll also see an increase in state-level cyber regulations.

We’ve also seen a recent expansion in scope for some organizations with requirements for GLBA, that require penetration testing, vulnerability scanning and continuous monitoring of servers and endpoints.

By 2025 more than 75% of the world’s population likely will be covered by privacy laws. These laws include General Data Protection Regulation in the EU and privacy laws by states in the U.S. to protect consumer data.

Department of Defense contractors will be faced with what’s known as the Cybersecurity Maturity Model Certification. CMMC, as it’s also known, will be a requirement for all DoD contractors doing business with the federal government.

The DoD realized it’s critical that vendors in the defense industry implement security controls to protect sensitive data belonging to the federal government.

They instituted the CMMC requirements, which likely will go into effect by mid-2023. All DoD contractors will be required to comply at some level with a cybersecurity maturity model certification. They also will be required to have a third-party audit attesting to their level of cybersecurity maturity in accordance with the CMMC model.

In addition to third-party audits, organizations should engage with professionals to help them get ready for their CMMC audit. It’s no secret that CMMC compliance will require a significant amount of time, resources and effort for organizations to maintain compliance.

Users continue to be the weakest link in the cyber security chain. Organizations must focus on routine training and awareness of their end users and IT personnel related to cybersecurity risks and threats.

They also must align their IT controls with their manual or financial internal controls. This helps mitigate risks such as financial fraud resulting from business email compromises as these attacks continue to rise and result in lost funds.

Organizations also should focus on engaging their senior leadership and boards of directors in their cyber risk management programs. A challenge we often see is organizations making investments in cybersecurity tools and systems, but not making investments in the resources they need to manage them.

Cyber threats will continue to evolve, and breaches will occur more frequently. It’s important for organizations to develop a proactive cyber risk management program to effectively test for and mitigate these risks.

Brad Pierce serves as the chief information security officer for HORNE and leads cybersecurity programs and initiatives. He also manages cybersecurity operations for the firm and its clients, collaborating with executive leadership teams to strengthen their security systems.



More Insights

Six things you need to know about Google Analytics 4

Google Analytics 4 is the next generation of Google Analytics. This is not simply a new version; it’s a new way to track and present data....


Tips to get the most out of Google’s Helpful Content Update

Change is coming faster than ever. Every week, I search for the meaning of some new acronym that impacts our business processes. As someone who...


Bridging the Gap: Capturing knowledge before it walks out the door

By 2030, all baby boomers will be 65 or older. Not to mention that many Gen Xers — or those born between 1965 and 1980 — are now in their 50s....


Healthcare leaders need to be ‘aggressively urgent’

The healthcare industry is in a state of emergency today. In an industry where change notoriously happens gradually at best, leaders should change to...


How companies combat software insecurities

In most companies, developers are focused on meeting project deadlines, and that often leads to applications that are insecurely coded. Custom...


Web applications remain biggest threat to cybersecurity

One of the biggest threats facing organizations related to cybersecurity involves web application security. Organizations continue to use...


Talk to an expert today.