Data security is a people problem
Cyber-crime is big business - estimated to cost over $3 trillion annually across the globe, according to cyber-security firm Fortinet. And while threats from increasingly sophisticated criminals are becoming more severe, Fortinet says many businesses are still falling prey to attacks that are well over a decade old, such as the 2003 SQL Slammer worm and SQL injection.
The WannaCry (aka WannaCrypt) ransomware attack that infected PCs in over 150 countries is testament to the escalating nature of threats, both in the scale of the attack and in the speed at which it spread: it had hit over 100 countries within hours of its release. Much of that speed came from the fact that it spread as a worm, exploiting an SMB vulnerability (MS17-010) for which Microsoft had published a patch two months earlier, so no user interaction was needed for it to move from one unpatched machine to the next.
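SQL injection is the one technique the article names that is still routinely exploitable today, so the following is an added illustration (not code from the article or from Fortinet) of what the bug looks like beside its fix. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the usernames, passwords and the attacker payload are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],  # sample rows
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic bug: user input is pasted straight into the SQL text.

    Anything the attacker types becomes part of the statement, so a quote
    character lets them rewrite the WHERE clause.
    """
    sql = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: a parameterized query.

    The SQL text is fixed and the values travel separately to the driver,
    so they are compared as data and never parsed as SQL.
    """
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker input: closes the quoted username and comments out
# the password check ("--" starts a comment in SQLite and most other engines).
PAYLOAD_USERNAME = "alice' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, correct creds :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, injected creds:", login_vulnerable(db, PAYLOAD_USERNAME, "wrong"))
    print("safe, injected creds      :", login_safe(db, PAYLOAD_USERNAME, "wrong"))
```

With the injected username the vulnerable function returns the admin role without the password, because the statement it runs is `... WHERE username = 'alice' --' AND password = 'wrong'`. The parameterized version looks for a user literally named `alice' --` and finds nothing. The check a practitioner wants from this is simple: any place the application builds SQL text from request data, rather than binding it as a parameter, has this bug waiting.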
Compounding the problem is the lack of security skills, expertise and education in the workforce. Market research and analysis firm Frost & Sullivan estimates the shortfall will be as much as 1.5 million skilled people by 2020. For businesses this means committing more resources to keeping up with changing threat vectors, keeping their infrastructure secure, and educating both employees and customers on how to keep their data protected.
Several key trends have emerged for 2017 that enterprises should be paying particular attention to.
Ransomware, DDoS & IoT device attacks
IT security company ESET is predicting an uptick in ransomware attacks, DDoS attacks and attacks against IoT devices. IoT devices pose a particular threat because they are frequently left unsecured, running with the default credentials they shipped with. This makes them easy to conscript into the botnets behind DDoS attacks, which have grown in scale and scope to frightening proportions, like the attack against DNS provider Dyn late last year, which disrupted access to major websites across Europe and the US.
The Dyn attack made use of the Mirai botnet, which is made up of compromised IoT devices. Mirai recruits them by scanning for exposed Telnet services and logging in with a short list of factory default usernames and passwords; a device that has had its default credentials changed and its management ports closed off is not an easy target for it. For enterprises, this will increasingly become a problem as they seek to secure these devices, which are showing up in everything from smart TVs and cameras to medical devices and air-conditioners.
Ransomware threats have also escalated, as evidenced by the WannaCrypt attack, whose victims included the UK's National Health Service, Spanish telco Telefonica and FedEx. Organizations, public and private, in over 150 countries fell victim to it. Ransomware, a malicious program that encrypts files and data in order to extort money, is particularly associated with the healthcare industry, according to Fortinet's research, which puts its prevalence there at 47%, higher than in any other industry sector.
Hacks and leaks of private information
Following several high-profile information leaks, and if recent history is anything to go by, hacking and data leaks are set to escalate. In 2016, credentials from several older breaches surfaced for sale: some 117 million LinkedIn records (stolen in a 2012 intrusion), 65 million Tumblr accounts and 427 million MySpace accounts. Dumps like these are the raw material for credential-stuffing attacks, since many people reuse the same password across services.
As attackers get smarter, the average person on the street is still relatively uninformed about how to protect themselves and their information from criminals who seek to exploit it for commercial gain. This low level of security awareness carries over into the enterprise, where businesses face the task of educating their workforces on an ongoing basis. They also need to engage customers and teach them how to keep personal data safe, and how not to fall prey to phishing attacks in which criminals spoof company communications to steal private data.
Phishing is still used very effectively to compromise corporate networks too. ESET suggests cyber-security education needs to take place across all sectors of society - from primary through tertiary education, at governmental level and throughout the private sector.
Legislation and regulation
One of the challenges for governments and regulators is that legislation and regulation aren't keeping up with the rapid pace of change in the cyber-security sphere. Compliance also has costs, and organizations may choose, or only be able, to do the minimum needed to avoid falling foul of legal or regulatory requirements.
The US Cybersecurity Act of 2015 is intended to enable information about security threats to be shared between government and the private sector. Given the conflicting interests at play, the fact that sharing under the Act is voluntary, and the patchwork of state-level legislation that still applies, it is uncertain how rapidly and how widely it will be taken up.
It’s a people thing
The common thread in all of these trends is people: the cyber-criminals themselves; the people who use ICTs; the people who develop laws and policies; the people who may or may not be aware, educated, or compliant with company policy and procedures; and the shortage of people with desperately needed security expertise.
While technologies like machine learning can certainly help to mitigate some of the skills and human error problems, cyber-security is ultimately a people problem. Companies that aim to tackle it effectively need to direct more of their efforts that way.