Today’s cybersecurity landscape requires CISOs to play all around the digital field; From safeguarding outdated IT and OT networks to a Sisyphean race against future cyber threats (i.e. AI and Quantum computing). The challenges are wide-changing and ever-evolving.

As this year’s Halloween approaches, we’ve unearthed the seven most haunting nightmares that keep CISOs vigilantly awake, day and night.

Bring Your Own Malware:

Nowadays, employees’ private home network is a company’s problem where remote work is available. The increase of connected devices along with the rise of IoT botnets, has become a critical task to the organizational network. It is an endless battle that CISO cannot lose. In the first two quarters of 2023, there were almost 7.9 million identified DDOS attacks. Those attacks are not only initiated by cyber-criminals but were also observed by state-sponsored actors as well as intermediate actors using the popular Bot-as-a-Service to outsource their target.

Many vulnerabilities are associated with connected devices, especially those that are being used for private matters (BYOD). Mapping and ensuring the safety of these devices, especially those aimed for private use, pose a significant threat to company assets and policy compliance. The complexity deepens with external vendors, service providers, and contractors accessing internal systems.

This uncontrollable situation has left many cybersecurity teams feeling overwhelmed. Many claim that they simply don’t have the right tools to detect in real-time the jeopardy levels of employees’ BYOD while connecting to the corporation’s network. Some studies demonstrate that as many as 41% of companies do not have a BYOD policy in place. And out of the ones who do have a policy in place, 33% admit that they don’t have a tangible way to enforce it.

Snacks Drained all of my Budget:

Year after year the most targeted industries are the ones with the least amount of resources, tech-savvy labor force, and lack of long-term cybersecurity strategy. No surprise here, we are talking about the public educational system and the healthcare sector. Since the late 80s much has been said and done about the indifferent neglect by governmental officials. Sadly, the situation hasn’t changed in centuries. And if it has, it was only after a catastrophic cyber incident followed by high-profile media coverage.

Despite many investments that have been made, especially during the past 10 years in cyber-posture, they often lag behind the sophisticated tools wielded by hackers, cyber-criminal campaigns, and state-sponsored malicious initiatives.

Regrettably, decision-makers pay attention to the risk of cyber-threats only an “expensive” security breach to their network.

Zero Budget, Zero Day, Zero Job:

There is an immoral equation where a lack of resources and attention by the board of directors results in full accountability towards the CISO once a cyber-incident occurs.

Once a cyber event does happen, the one to fall is normally the person in charge of security. It can be the CISO, but in many places, it’s still the CIO, CSO, or even the head of IT. Such a sack has long-term consequences as the recruiting process for new personnel, who are unaware of the system’s unique behavior will find out of lacking only months in the process, while hackers are getting in and out without a problem. Also, any purchasing or educating process that was done by the former head of IT security will have to start all over again, preventing an efficient recovery plan.

Much Legislation and bills are being passed across the United States and Europe in moving the responsibility needle towards senior management and the BOD. However, as with any bureaucratic action, it takes time and patience to navigate the processes and achieve results.

The EmailPhant in the Room:

As a thumb-rule and until further notice, compromised corporate email accounts are the hackers’ weapon of choice. Perhaps one of the tools CISOs are afraid of the most is the most commonly used tool, the email client.

According to Webroot comprehensive analysis, as much as 46,000 new phishing sites are created every day, and 1.385 million new, unique phishing sites are created each month. Moreover, a new phishing site is being published online every 20 seconds.

As, by nature, email is globally accessible for inside and outside networks, it is being used by hackers, cyber-criminals, and other state-sponsored actors and is the first vector to gain access to an organizational network. Leveraging social engineering and spear phishing techniques, malicious actors impersonate a person of interest, such as a C-level personnel, a customer, or a direct manager, to share sensitive information or provide unauthorized actions. They might lurk a victim into clicking a URL link that redirects to a connection with a C2 server, steal privileged access credentials, spread malware or ransomware, and laterally move through the network.

But above all, the most successful and destructive vector is by using email with attachments containing unknown unknown hidden malicious code. With the improvement in machine-learning generative AI, and leaked available databases, hackers can easily concoct a personalized tailored-made email with well-articulated English, and relevant information and look as reliable as possible.

Sweets & Sour Subtotal

The Internet of Evil Things, budget starving, and email attachment torments are only some of the nightmares CISOs are facing on a daily basis. Tune in for part II of odix’s Halloween special and learn how some chains might take us down, why Generation X employees are the ones to rely on compared to millennials, and how it’s all related to the CISOs’ mental health.

Scary Halloween.

Part II – Breach