Understanding the Growing Threat Landscape and Prioritizing Cybersecurity Measures
Recently, a website hosting provider called Jelly Bean Communications Design found itself in serious trouble, settling allegations brought under the False Claims Act. The US Department of Justice (DoJ) explained that Jelly Bean had been contracted in 2013 by Florida Healthy Kids Corporation (FHKC), a state-created entity that offers health and dental insurance for Florida children, to manage HealthyKids.org and associated websites.
It turns out that Jelly Bean did not live up to its promises of secure hosting and proper maintenance of the websites' software systems. According to the DoJ, this negligence left HealthyKids.org, its related sites, and the data Jelly Bean collected from users wide open to attack, and in December 2020 FHKC was informed that more than 500,000 insurance applications submitted through the site had been hacked.
Jeremy Spinks, Jelly Bean's manager, 50% owner, and sole employee, settled the civil claims rather than litigating them; under the settlement announced by the DoJ, he and the company agreed to pay $293,771, with the allegations unproven and no determination of liability. The DoJ alleged that "contrary to its representations in agreements and invoices, Jelly Bean did not provide secure hosting of applicants' personal information and instead knowingly failed to properly maintain, patch, and update the software systems."
Similarities with SolarWinds
Now, if you are getting a sense of déjà vu, you are not alone. This whole debacle sounds a lot like the mess at SolarWinds, where the SEC charged the company and its CISO over the accuracy of its cybersecurity disclosures. We have seen how that went: regulatory action, reputations tarnished, and widespread fallout.
These cases, where companies are being dragged before the courts for deceptive claims about their cybersecurity readiness, non-compliance with regulations, or sheer negligence – as seen in the case of Jelly Bean – are happening more and more frequently. This trend should worry us all because protecting personal data is crucial not only for individuals’ privacy but also for maintaining trust in digital platforms and systems essential to our daily lives. So, why is this happening?
First off, the digital landscape is evolving at breakneck speed. With more aspects of our lives shifting online, from banking to healthcare to socializing, the amount of sensitive personal data floating around in cyberspace is staggering. This creates a juicy target for cybercriminals looking to cash in on valuable information.
On top of that, the sophistication of cyber threats is constantly increasing. Hackers are becoming more adept at exploiting vulnerabilities in software, networks, and human behavior. At the same time, regulations and compliance standards around data protection are becoming stricter. Laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) are holding organizations accountable for how they handle and safeguard personal data. This means that companies can no longer sweep data breaches under the rug without facing serious consequences.
Some of the Most Common Cybersecurity Pitfalls
In our experience, when conducting initial penetration tests for companies, we often encounter a concerning trend that is not too dissimilar to what happened with Jelly Bean Communications Design. Outdated software and libraries, sometimes several years behind, are alarmingly common. The issue extends across workstations, servers, and networks: approximately half of the devices we assess lack critical security updates for Windows, macOS, or Linux that have been available for two years or more, which means the vulnerabilities those updates fix are public, well understood, and often have working exploits. Data stored on laptops frequently remains unencrypted, while antivirus software is either absent, outdated, or a mix of disparate products accumulated over time. Such lax practices are likely to violate data privacy, health, and financial cybersecurity regulations, and they leave systems exposed to exploitation.
What’s particularly troubling is the dual nature of the problem. In many instances, companies are oblivious to these vulnerabilities. On the other hand, some organizations recognize the deficiencies yet drag their feet when it comes to fixing them – if they even make an attempt at all. Both scenarios reflect a degree of negligence, one stemming from ignorance and the other from indifference—a concerning revelation that underscores a systemic failure to prioritize cybersecurity.
Application penetration testing reveals the same predicament. Outdated versions of frameworks such as Ruby on Rails, Django, or Spring are commonplace, as are front-end libraries such as jQuery, AngularJS (itself end-of-life), or React that are rarely updated once deployed. Despite the published vulnerabilities in old releases of these frameworks and libraries, maintenance often lags years behind, leaving systems exposed to attacks that require no novel research. Addressing these vulnerabilities is critical, not only to reduce risk but also to adhere to secure Software Development Lifecycle practices, in which dependency currency is a routine gate rather than an afterthought.
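As an added example of the kind of SDLC gate described above (this is not Secureside's tooling or code from the original post), the Python script below parses a `requirements.txt` and a `package.json` and reports any framework or library whose declared version floor falls below a minimum-version policy. The two manifests and the `MIN_VERSIONS` policy table are constructed for illustration and are assumptions, not an advisory feed; a real policy would be maintained by the team and fed from vulnerability data.

```python
"""Dependency-baseline audit: flag framework/library versions below a
minimum policy in a requirements.txt and a package.json.

Added example (not Secureside's tooling or the page's own code). The manifests
and the MIN_VERSIONS policy below are constructed for illustration.
"""
import json
import re

# Constructed policy: the floor a team might enforce as an SDLC gate.
# None marks a package treated as end-of-life (any version is a finding).
# These values are illustrative assumptions, not an advisory feed.
MIN_VERSIONS = {
    "django": "4.2",
    "jquery": "3.5.0",
    "react": "18.0.0",
    "angular": None,      # AngularJS 1.x: treated as end-of-life in this policy
    "lodash": "4.17.21",
}

_NUMERIC = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(spec):
    """Return the first numeric version in a spec as an int tuple, or None.

    '==2.2.28', '^1.12.4', '>=2.20' all yield their numeric floor; '*' or
    'latest' yield None because no floor is declared at all.
    """
    m = _NUMERIC.search(spec)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def cmp_versions(a, b):
    """Compare int tuples, padding with zeros so (4, 2) == (4, 2, 0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_requirements(text):
    """Map normalised package name -> version spec from requirements.txt."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):        # skip flags like -r / -e
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(.*)", line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        deps[name] = m.group(2).strip()
    return deps


def parse_package_json(text):
    """Map package name -> version spec from dependencies + devDependencies."""
    data = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


def audit(source, deps, policy=MIN_VERSIONS):
    """Return (source, name, spec, reason) for every dependency that fails."""
    findings = []
    for name, spec in deps.items():
        if name not in policy:
            continue                                # outside this policy's scope
        minimum = policy[name]
        if minimum is None:
            findings.append((source, name, spec, "end-of-life: no supported version"))
            continue
        floor = parse_version(spec)
        if floor is None:
            findings.append((source, name, spec, "no version floor declared; cannot verify"))
        elif cmp_versions(floor, parse_version(minimum)) < 0:
            findings.append((source, name, spec, f"below minimum {minimum}"))
    return findings


# Constructed sample manifests resembling what an assessment turns up.
REQUIREMENTS_TXT = """\
# web backend
Django==2.2.28      # long-unsupported LTS branch
requests>=2.20
-r extras.txt
"""

PACKAGE_JSON = """{
  "name": "portal",
  "dependencies": {"jquery": "^1.12.4", "angular": "1.8.3", "react": "^18.2.0"},
  "devDependencies": {"lodash": "*"}
}"""


def run_example():
    """Audit both constructed manifests and return the combined findings."""
    return (audit("requirements.txt", parse_requirements(REQUIREMENTS_TXT))
            + audit("package.json", parse_package_json(PACKAGE_JSON)))


if __name__ == "__main__":
    for source, name, spec, reason in run_example():
        print(f"{source}: {name} {spec!r}: {reason}")
```

Two caveats a practitioner should keep in mind. First, the script checks the floor a manifest declares, not what is actually installed: a caret range like `^1.12.4` permits newer releases, so the lockfile (`package-lock.json`, `requirements` pins produced by `pip freeze`) is the authoritative input for a production gate. Second, an unpinned spec such as `*` is reported as unverifiable rather than silently passed, because a build that cannot say what version it ships cannot demonstrate that it is patched; tools such as `pip-audit` and `npm audit` extend this idea by comparing resolved versions against advisory databases.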
This raises the critical question of who bears responsibility for cybersecurity within an organization and whether it receives the prioritization it deserves. Regrettably, in many cases cybersecurity fails to receive the attention it demands, with decision-makers instead gambling on the likelihood of a security incident: "It might have happened to them, but what is the likelihood of it happening to us?" This cavalier mindset is not only reckless but potentially catastrophic, because the fallout from a breach can be far-reaching and devastating, as seen with SolarWinds and Jelly Bean.
Conclusion
When it comes to protecting people, most of these regulations are very reasonable in their expectations. An organization has every reason to protect its clients if it is a B2B business and its customers if it is a B2C business, because safeguarding their sensitive information is critical to maintaining trust and integrity.
If an organization simply chooses not to be cyber secure and a successful attack results in damage or negative impact on its clients and customers, the organization will pay the price in financial penalties, lost trust, and reputational damage.
In many cases this is completely avoidable, and likely at a cost lower than the fallout. Organizations must therefore take proactive measures to improve their cybersecurity posture and ensure their clients' and customers' safety and trust.
Secureside was founded for one purpose: to make organizations cyber secure. If you would like to learn more, get in touch with our team today.