In an increasingly digital world, criminals have both the information and the means to keep high profile security breaches, involving major household names, in the headlines.
As technology evolves, so do the threats developed by hackers, who have a whole host of motivations for wanting to disrupt businesses of all sizes. It is a constant battle, but thankfully one that has brought increasingly sophisticated security tools to the market.
In many ways the hackers now have more opportunities to attack, given the proliferation of devices used to access systems and data remotely. Every one of those devices is a potential way in if it is not patched and properly configured.
We will inevitably continue to see an increase in the sophistication of ransomware attacks (due to their success) and the data available to those who carry out the attacks. In fact, it’s reported that attacks have increased by 3,500 per cent in 2016, hitting 41 per cent of businesses and bringing in revenues of more than $1 billion for cyber criminals. I fear that the emergence of the much heralded Quantum Computing will only enhance the power of the hackers’ toolkit - as much as it will the technologies designed to thwart them.
Criminal-run hosted services will also sell cyber criminals reconnaissance on specific organisations and their unprotected channels, allowing an attacker to choose the most effective route to exploit. These will be offered as a chargeable, anonymous service.
Looking forward, I would like to think that if we are to prevent cyber-crime, IT security must be treated much more seriously than it is currently. This means not just going through the motions and doing the basics. All too often, it is only once a business has suffered the damage and downtime of an attack that it considers more advanced protective measures.
It’s no use just thinking that it only happens to the big brands either. Very often, the hackers’ route into larger organisations is through smaller, more easily compromised, companies. Hacking has fast become a lucrative industry with a genuine recruitment drive taking place to build up teams of the most prolific cyber criminals. So notching up as many SME security breaches as possible improves a hacker’s reputation before they are trusted with taking on larger organisations.
New EU legislation, in the form of the NIS Directive, is coming into force in the next few years. It is the first proper piece of cyber security law since the Data Protection Act 1998 and is designed to stop member states ‘doing their own thing’ when it comes to IT security. There will be protocols to adhere to and presumably governmental auditing to check how seriously we are treating our IT security. This will hopefully help re-focus the mind-set of businesses so that security is firmly placed on boardroom agendas.
More security savvy staff
Your staff are, and will continue to be, your first line of defence when it comes to IT security. Since almost 80 per cent of cyber-attacks can be attributed to human error, IT security training will become a regular part of new employees’ induction process. Knowing the simple things, such as how to use external storage devices and cloud services safely, can make a massive difference.
Equally, they need to be more aware of social engineering techniques. We all know about emails offering to transfer huge amounts of money from foreign accounts, but techniques are now far more sophisticated. Email ‘spoofing’ has become extremely effective at tricking users into opening apparently legitimate attachments from what appear to be known senders. The resulting damage, typically caused by one of the many strains of ransomware, can be devastating.
Malicious emails are the most common mechanism for the distribution of ransomware, accounting for more than 59 per cent, but other sources include social media, websites (especially downloads) and infected USB sticks. What they all have in common is that they require an action from the user to trigger the ensuing chaos. The attachments are likely to take the form of invoices, shipping confirmations, overdue bills, tax return information or fake credit card rewards schemes. The common theme is that they lead the victim to believe they may lose money, and it is no longer just zip files but macro-enabled Word documents that do the damage.
Over 50 per cent of spear phishing attacks carried out last year were against SMEs, so raising security awareness amongst your personnel is absolutely crucial if you are to avoid anyone trusting a spoofed email that appears to come from a colleague.
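The paragraphs above describe the lure (an invoice, an overdue bill, a tax return) and the carrier (a zip file or a macro-enabled Word document). As an added example, not taken from the original article, the following Python script shows a check a mail gateway or a sceptical user can run on an attachment before opening it. It looks at the bytes rather than the file name: an Office OOXML document is a ZIP archive, and one that carries VBA macros contains a vbaProject.bin part, so a .docm renamed to .docx is still caught. A .zip attachment is opened and each member checked the same way. The extension lists, the suspicious-attachment names and the in-memory sample files are all constructed for this example.

```python
"""Flag email attachments that can carry VBA macros.

Added example (not from the original article). Extensions, sample file
names and sample contents below are constructed for illustration.
"""
import io
import zipfile

# Extensions that are macro-enabled by definition (illustrative, not exhaustive).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Legacy binary Office formats (OLE2) may carry macros but are not ZIP-based.
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def _extension(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _ooxml_has_vba(data):
    """True if the ZIP payload contains a vbaProject.bin part (word/, xl/ or ppt/)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(name, data, depth=0):
    """Return the reasons this attachment is suspicious (empty list = nothing found)."""
    reasons = []
    ext = _extension(name)
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"{name}: macro-enabled extension {ext}")
    if data[:4] == ZIP_MAGIC:
        if _ooxml_has_vba(data):
            # Catches macros hidden behind a harmless-looking .docx name.
            reasons.append(f"{name}: contains vbaProject.bin (VBA macros present)")
        elif ext == ".zip" and depth < 2:
            # Lures often arrive zipped; inspect each member, bounded to two levels.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reasons.extend(classify_attachment(member, zf.read(member), depth + 1))
    elif data[:8] == OLE_MAGIC and ext in LEGACY_EXTENSIONS:
        reasons.append(f"{name}: legacy binary Office file, macros cannot be ruled out here")
    return reasons


def _make_ooxml(with_vba):
    """Build a minimal OOXML-shaped ZIP in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample attachments mirroring the lure types named in the article.
SAMPLES = {
    "Invoice_4471.docx": _make_ooxml(False),
    "Overdue_bill.docm": _make_ooxml(True),
    "Shipping_confirmation.docx": _make_ooxml(True),  # macros behind a .docx name
    "Tax_return.zip": _make_zip({"Tax_return.docm": _make_ooxml(True)}),
}


def scan_samples():
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for attachment, found in scan_samples().items():
        print(attachment, "->", found or "nothing found")
```

The legacy .doc/.xls branch only reports that macros cannot be ruled out: the OLE2 container needs a dedicated parser, so a gateway should treat those formats with the same suspicion as the macro-enabled ones rather than pass them through unchecked.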
As legislation continues to evolve it’s likely that businesses completing internal security audits will become as commonplace as filling in tax returns and staff cyber security training may also become mandatory.
New security solutions on the horizon
- Passwords will be a thing of the past. They are already becoming unreliable: a short or reused password can be compromised relatively easily in a ‘brute force attack’, particularly where the service does not throttle failed attempts.
- Although already in use, biometric authentication using facial/iris recognition will become the authentication norm.
- The latest update of Windows 10 (Windows Hello) will allow you not only to log on to your machine with facial recognition, but also to log in securely to websites and your applications. We will also inevitably see more and more hardware that supports this technology.
- New technology is now available that works in a different way to traditional anti-virus. Where traditional anti-virus matches files against vast databases of known threats, the new solutions recognise suspicious behaviour (such as a process encrypting large numbers of files in quick succession), stop the action and roll encrypted files back to healthy versions.
- Businesses need to take disaster recovery (DR) more seriously, and new solutions are available that offer many of the benefits of replication at a price affordable to SMEs. Whilst not specifically aimed at mitigating the impact of a security breach, these technologies offer near-instant roll-back if the system is targeted, provided the backup copies are isolated so that the same ransomware cannot encrypt them too.
Paul Burns, Chief Technology Officer at TSG