That was the assignment given to me and my cohort in early 1990 during my senior year of high school. Our imaginations ran wild as we considered driver-less cars, smart homes, smart devices, and even smarter people. Interestingly, security, or rather, the need for information security, was the furthest thing from our minds.
Today, much of what we imagined in 1990 has come a reality. Driver-less cars exist, albeit with a human being still sitting behind the steering wheel. Homes and devices have become ‘smarter’ thanks to the Internet of Things. Simply put, anything that carries an on/off switch can be connected to the Internet. This creates endless possibilities for increased automation and innovation.
Sadly, it also opens the door for increased and sustained threat activity and cyber risks.
The cyber security threat landscape has become real and shows no signs of stopping. While, historically, wars have been fought in the air, on land and on the seas, it now appears that the next war will be fought (or will begin) in cyber space. In his book “Cyber War”, Richard A. Clarke writes, “On October 1st 2009, a general took charge of the new U.S. Cyber Command, a military organization with the mission to use information technology and the Internet as a weapon. Similar commands exist in Russia, China, and a score of other nations.” He continues, “The most likely targets are civilians in nature. The speed at which thousands of targets can be hit, almost anywhere in the world, brings with it the prospect of highly volatile crises.”
A day doesn’t go by without us hearing of some form of information security breach or attack. Malware, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, ransomware, phishing, spear-phishing, business email compromise, Man-in-the-Middle, Man-in-the-Browser, and Identity Spoofing are just but a few of the concerns affecting everyone today. Given the ubiquitous nature of the Internet and our continued reliance on it to enable business interactions, we have found ourselves in a perfect storm. On one hand, the Internet provides us the business-to-business, business-to-consumer, and individual-to-individual connections which simplify our lives.
Today, an individual can have a video call with someone on the other side of the world, while simultaneously sending an email to a colleague who sits two cubicles away. On the other hand, the Internet and today’s technology allows a threat actor to gain unauthorized access to our intellectual property or hijack and take our systems hostage. The Beazley Group, a specialist insurance firm based in London, predicts that ransomware attacks will double in 2017 after recognizing that such attacks had quadrupled in 2016. Ransomware has reached such a level of maturity that criminal enterprises have established Ransomware-as-a-Service. This is frightening!!
The need for organizations to have robust and resilient cybersecurity strategies is very high. Sadly, EY, in its latest Global Information Security Survey for 2016/17, notes that 87% of board members and C-level executives said they lacked confidence in their organization’s level of cybersecurity preparedness. Furthermore, there is little confidence in the strategies being employed. This survey was conducted with 1,735 participants spread across the three geographies: EMEIA, The Americas, and Asia-Pacific and Japan.
The distributed denial of service attack on October 21st, 2016 which crippled much of the Internet and affected sites such as Twitter, the UK Guardian, Netflix, CNN and many other sites could be considered a test run for a coordinated global attack. Most recently, the WannaCry ransomware attack of May 12th, 2017 sowed just how easy it is for threat actors to wreak havoc and create a crisis for organizations. The impact of this attack was felt around the globe, sparing no one. Companies and their IT teams scrambled to take systems offline, patch servers and workstations, and in some instances, effect recovery procedures to restore data that had been encrypted.
For the Caribbean region, for example, these attacks reveal two things which afflict businesses: ignorance and indiscipline. Far too many people, including executives, board members and company owners, choose to ignore the realities we are faced with; opting instead to have a false sense of security by believing, “this won’t happen to us”, “that issue is focused on North America, Europe, and Asia”, and “we don’t have anything a hacker would want.” These beliefs couldn’t be further from the truth. Experience has shown that the cost of ignorance is very high.
For every 10 customers visited, at least 5 suffer from indiscipline. This statistic is not scientific but is based on observation and gleaned from conversations had with company executives and IT staff. The indiscipline runs the range of weak or non-existent security controls, poor password management, poor patch and configuration management, a heavy reliance at times to one individual who performs the work of 5 people, and an over-reliance on technology with the view that it is a panacea. While organizations within the financial sector fair better, thanks in part to heavy regulations, other sectors are woefully behind. These include telecommunications, manufacturing, and government/the public sector.
Information security can no longer be the responsibility of the IT guy, the IT girl, or the IT team. It must be owned by the organization. There must be a clear and consistent message, with corresponding actions which resonate from the boardroom to the ancillary staff. User awareness must be addressed consistently and with zeal; user behavior must be modified and monitored. The defensive strategy starts within and goes way beyond the technology. It must encompass the organization’s processes and people.
— Hitachi Sys Security (@HitachiSecurity) August 8, 2017
As we push further into a digital world, with data being collected from data points embedded in normal, everyday aspects of our lives, the attack surfaces and threat vectors increase exponentially. Therefore, we can expect increases in:
In closing, we need to be aware that the security threats have steadily increased ever since the first “bug” (a moth) was found by Rear Admiral Grace Murray Hopper in 1945 among the relays of a Navy computer. In the seven decades which followed, the threats have consistently increased; again, with no indication that they will slow down in the foreseeable future.
Therefore, as we continue through 2018 and beyond, it is important that we prepare ourselves and seek to become cyber-resilient as the all-too-familiar statement still rings true; “it’s not a matter of ‘if’ you are going to suffer a cyber-attack, it’s a matter of ‘when’ (and most likely you already have been.)” Companies must acknowledge that they need help, as they cannot go at this alone. They must seek help sooner rather than later. After all, it’s better to be prepared for an attack and not have one, that to have one and not be prepared.