In the last year cyber crime has been firmly established as one of the biggest threats to democracy, privacy, and health and safety. Here, Simon Townsend, chief technologist EMEA at Ivanti Software, discusses this threat and the possible ways to circumvent it.
What cyber security trends from 2016 did you see?
Ransomware, ransomware, ransomware! Not only this, but 2016 was also the year of insider threats. Email continued to be the main route of entry, with phishing scams running rife in organisations.
Ransomware got its own stage in 2016: in 2015 many people were mixing the attack up with other methods of entry or it wasn’t on the agenda for many decision makers. However, now it’s not something just for certain high-profile organisations, it’s a problem for everybody.
What is the future of the cyber security industry looking like?
One of the main trends that I’ve seen in 2016, that I believe will be more prevalent in 2017, is the changing motivations of cybercriminals. Previously, hackers have mainly acted in reaction to something. The attack was usually in retaliation: if a public figure or company had done something which had been perceived as morally incorrect, the attacker would demonstrate that their community would make them pay for their actions.
Recently, cybercriminals have been demonstrating that their activities are becoming more about financial gain and recognition, rather than revenge. Although this was always a motivation (after all, one of the easiest ways to make money is to get hold of personal records and sell them on the dark web), we’re now seeing a notable increase in attacks for this purpose.
I also predict an unfortunate increase in cyber-attacks in local government and healthcare. If we take the example that personal records hold the most profit, which institutions hold a wealth of these, and aren’t given a large budget for cybersecurity? Public sector organisations. For example, we’ve seen 21 universities hit by attacks in the last 12 months, and I see that public sector vulnerability continuing into 2017.
Finally, I believe that we are at a tipping point with BYOD and mobile working as digitally minded businesses strive to enable the user and deliver a great experience for employees. By blurring the line between work and home, we’ve created a workforce that can be more mobile, productive and comfortable by using hardware that they are familiar with as consumers, such as having an iPhone as both a work and personal device. However, we’ve seen an alarming rise of breaches caused by employee negligence, human error and users being given access to files that don’t correspond to their role, accessing huge chunks of the network they shouldn’t have sight of.
We may well be at a point where an organisation could turn around and claim that the cyber security risk is too great to give employees these permissions, and take a five-year step back in user experience. Laptops will not be allowed off premises, admin rights will be removed, consumer devices such as iPhones will be swapped for Blackberries, and remote working will be prevented. This will be sad for the progression of information technology as a whole.
How important will AI and automation be in cyber security moving forward?
When it comes to AI and automation, fundamentally we’re talking about threat prediction. At the minute, there are plenty of players in the protection space. It’s like offering to give someone the flu, and then offering an antidote – people would much rather avoid the flu in the first place, which is where prevention and prediction are now coming into play.
For example, if you were to log into Facebook on holiday, or make a payment from an unusual IP range or location, your bank or social account would contact you to confirm your activities. All of this is intelligent automation based on certain rules, and is a large part of what will make prediction and prevention the future of cyber security.
However, this could be a double-edged sword. Using AI and automation in this sense, hacktivists could use the tools to block people out of accounts and prevent access. Unfortunately, no level of cybersecurity can block 100 percent of attacks.
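The rule-based check described in the answer above, as an added example that is not part of the original interview: each user builds up a baseline of countries and /24 source ranges from their first few logins, and any later login outside that baseline gets a "confirm" decision instead of being allowed outright. The login events, the learning threshold and the function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed login events (user, source IP, country code); sample data, not real logs.
EVENTS = [
    ("alice", "203.0.113.10", "GB"),
    ("alice", "203.0.113.25", "GB"),
    ("alice", "203.0.113.40", "GB"),
    ("alice", "198.51.100.7", "ES"),    # holiday login from a country never seen for alice
    ("bob",   "192.0.2.15",   "GB"),
    ("bob",   "192.0.2.16",   "GB"),
    ("bob",   "192.0.2.17",   "GB"),
    ("bob",   "192.0.2.200",  "GB"),    # same country, same /24 range: normal
    ("bob",   "198.51.100.99", "GB"),   # same country, but an IP range bob has never used
]

MIN_HISTORY = 3  # assumed: allowed logins needed before a user's baseline is trusted

def baseline_key(ip: str) -> str:
    """Collapse a source address to its /24 so neighbouring addresses count as one range."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def evaluate(events):
    """Walk events in order and return one (user, ip, action) decision per event.

    action is "allow" while a user's baseline is still being learned or the login
    matches it, and "confirm" (step-up verification) when the country or the
    source range is unusual for that user.
    """
    seen_ranges = defaultdict(set)
    seen_countries = defaultdict(set)
    history = defaultdict(int)
    decisions = []
    for user, ip, country in events:
        rng = baseline_key(ip)
        if history[user] < MIN_HISTORY:
            action = "allow"      # still learning what is normal for this user
        elif country not in seen_countries[user]:
            action = "confirm"    # unusual location
        elif rng not in seen_ranges[user]:
            action = "confirm"    # unusual IP range
        else:
            action = "allow"
        if action == "allow":     # only allowed logins extend the baseline
            seen_ranges[user].add(rng)
            seen_countries[user].add(country)
            history[user] += 1
        decisions.append((user, ip, action))
    return decisions
```

Because confirmed logins never extend the baseline on their own, a single unusual login cannot quietly teach the rule that a new location is normal.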
How devastating will data breaches be post-GDPR?
If we take Tesco, for example: the attack on the bank cost them over £2.5 million, which was taken out of bank accounts. Following that, you’ve got brand damage, on which you can’t put a price. What you can put a price on, however, is how much the EU GDPR law would have charged them: either $20m, or 4% of their turnover, whichever is the highest. Looking at Tesco’s 2015 turnover, 4% would be something around the £2.5 billion mark. Pretty devastating.
Fines aside, GDPR is going to have a large effect on organisations. Companies are going to have to report things quicker and whistle-blowers are going to have to put their hands up. We may see more data protection officer roles being created, who must let someone know if something goes wrong, or if user data has been breached. This officer is ultimately going to sit outside of the IT and security departments, taking responsibility to report and analyse patterns.
Another way that GDPR will have an effect is relocating resources to meet with the personnel demand. I’m not convinced that everyone has budget assigned to this either, as there are two aspects to GDPR. It’s not just about the cyber security element, but businesses also need to invest in security hygiene, which is one of the biggest challenges.
This involves organisations making sure that they’re aware of the data they’ve got and that it is stored in a clear, organised and easy-to-access way. Due to this, I believe a future trend (and something we’re seeing at the moment) is an emergence of data storage organisations talking loudly about how they can aid this, and growing in the market space.
How do you advise the industry to educate employees?
Ideally what needs to happen is a culture change. Prevention technology can protect you from most of what’s out there, and other technologies can fill the gap, but ultimately there needs to be a shift within organisations, with more education amongst the younger generations that are moving into work. In the future, we may see working agreements and employment contracts change to include tighter policies about cyber security best practices, including where they work, how they work, and what is acceptable use of company technology. Security companies have been doing this for a long time, which also protects their brands, but now we need to see these policies reach out to further industries and lines of work.
How can businesses face the IoT and mobile threat?
As the Dyn DDoS attack (the cyber-attack that brought down much of America’s internet in October) and the smart car system attacks from 2016 have demonstrated, businesses need to ask themselves: ‘Have we not taken the necessary cyber security steps that we should have in the face of staying competitive?’
If we look at the recent Tesco breach, for example, we all know the brand as a supermarket, and potentially in a rush to stay ahead of the curve, it has branched out into banking, insurance and mobile phone policies. It’s interesting to look at the fact that the Tesco banking division was attacked, where legacy banks (with most likely more valuable accounts and data to access) weren’t. It’s this rush to market that poses one of the biggest threats when it comes to securing IoT and mobile devices in 2017, as cyber security isn’t considered at the design stage for most products. If you’re going to create an IoT device, invent with security first.
Overall, it seems that IoT in 2017 is close to becoming what cloud computing was in 2014 – a buzzword.
When the market suddenly grabs hold of a technology or a new concept, you find the industry spending so long discussing it, that the next thing you know is 500 companies have popped up and CISOs are spending their time worrying about it, distracting from larger problems in the organisations.
My advice here is to not let IoT become the noisiest topic of 2017 and draw your attention from larger cyber security problems, such as ransomware and email phishing campaigns.
It will be of primary importance to those companies or business units who can gain an edge by using IoT, but it’s just another platform in the fight against cyber crime that needs addressing, not the be-all and end-all.