Cyber security outlook

February 2016 Editor's Choice, Information Security

Cyber security receives an enormous amount of airtime these days. Whether it’s reports of malware (malicious software), data breaches, identity theft, insider threats or anything else, there is seemingly no end to the dangers and risks posed by inadequate security in the information society. There have even been reports of networks that have been breached via poorly installed IP cameras and late last year there was also a report that some video management systems (VMS) had vulnerabilities.

In general, even though we are in a connected world, far too many people ignore the threats in the false belief that someone else will handle it or that their antivirus software will protect them. The fact is that there is no single solution to cyber security risks today. Even if a person or organisation spends a fortune on the best technology, the greatest threat is still the human being.

In South Africa we are accustomed to insiders working with syndicates or by themselves to commit fraud and theft, and worse. The reality is it happens everywhere. Unfortunately, cyber threats don’t have to rely on the ethically challenged among us. Phishing scams and malware embedded in websites can infect anyone not careful about what they do. Who has not, for example, received an email from an unknown person with a supposed invoice or DHL receipt as an attachment?

And it’s no use saying you’re not rich or your small company isn’t likely to be a target. Cyber thieves collect masses of data wherever they can get it. In this article, Hi-Tech Security Solutions looks at some of the reports from 2015 highlighting the targets, methods and results of cyber threats. The reports show that the attack vectors are broad, access is easy and the results of cybercrime are not simply losing a bit of data.

The statistics

The Verizon 2015 Data Breach Investigations Report analysed over 79 000 security incidents from around the world. Of these, just over 2000 were confirmed to have resulted in the loss of data. The results clearly show these security events happened in a broad range of industries, from accommodation to education, manufacturing to real estate and many others. They also show that incidents happen across businesses of all sizes.

While the top three industries targeted are government, information and financial services, the same as the 2014 report, the authors warn “No industry is immune to security failures”. (One of the benefits of this report is that trends can be mapped over a number of years in which the report has been published.)

Another interesting fact from the Verizon Report is that, contrary to some media reports that claim insiders pose the greatest threat in terms of cyber security breaches, since 2010 the report shows that external factors cause the majority of breaches, with internal attacks accounting for less than 20%. Moreover, 60% of attackers are able to compromise their target organisation within minutes.

Deloitte’s Global Cyber Executive Briefing again highlights the fact that no industry is immune. This report addresses seven industries and provides examples of the business impact these data breaches incurred. The industries featured include technology, online media, telecommunications, retail, e-commerce and online payments, insurance and manufacturing.

The report’s business impact highlights show that it’s not simply a case of losing some nebulous data that nobody can trace back to your company (hopefully); there are real consequences. These range from “stolen money and property to regulatory fines, legal damages and financial compensation”.

Furthermore, Deloitte states these are “just the tip of the iceberg. The really significant costs are the intangibles, particularly loss of competitive advantage, loss of customer trust, and damage to an organisation’s reputation and brand. Intangibles such as these can have a major impact on an organisation’s strategic market position and share price.”

Not only businesses at risk

From a personal perspective, while you may not have the bank and credit card details of thousands of clients on your mobile device or laptop, data breaches are devastating to individuals. Personal attacks range from card theft or cloning through to account takeovers or identity theft, which is a painful, costly and lengthy problem to recover from.

The Norton Cybersecurity Insights Report claims that 348 million identities were exposed in 2014 by thieves hacking trusted institutions. Furthermore, it states that 594 million people around the world were affected by cybercrime – most of whom did not know how to handle the consequences. The impact is summed up in saying that consumers lost an average of 21 hours and $358 per person due to online crime over the year under review.

Once again, passwords are a problem. People choose weak passwords to protect their information, assuming their banks and financial services companies will protect them. That is not always the case. Moreover, sharing passwords is also quite common – another security no-no.

People, it seems, are determined to use the simplest and most stupid passwords no matter what they see or hear. SplashData recently released its list of worst passwords used in 2015, which was compiled from two million leaked passwords during the year. Disappointingly, but not surprisingly, the password “123456” retains the top spot as the most used password in 2015. Retaining its second position is “password”, while “12345678” has climbed to third position with “qwerty” up to fourth.

Browsing the Norton Report will educate readers on a few steps they can take to secure their online information. The tips are simple, but the data shows most people don’t follow them. They include deleting emails from unknown senders and avoiding clicking on attachments that look suspicious, as well as the old faithful standby of backing up your data.

The approach

If you believe the movies, hackers are busy burrowing away in dark rooms finding ingenious ways to break the security of governments and banks with the aim of wreaking havoc in the world. And while there are those who have the skills to outsmart the smartest, most breaches are far less exciting.

The Check Point 2015 Security Report highlights some of the methods used to breach organisations. These include malware designed to open an organisation to the hackers or to turn thousands of computers into ‘bots’, which are in turn used to attack (such as Distributed Denial of Service (DDoS) attacks) or infect others without the user knowing. These can be sent in deceptive emails or embedded in seemingly innocent websites, or they can even be passed along the old-fashioned way on a USB drive.

The vulnerability of mobile devices connected to corporate systems also highlights the dangers of attacks through mobile devices. For example, Check Point notes that of 700 businesses surveyed, 42% had suffered mobile security incidents costing more than $250 000 to remediate.

And then there are the applications users and businesses choose to use in their daily operations. These applications have legitimate and useful purposes, but they can be compromised to allow unwanted access to corporate data. And in the drive to get free applications instead of paying for them, users often open themselves to malware. Some of the categories of applications that are known to cause problems are:

• Remote administration tools that allow IT personnel to access employees’ computers remotely.

• File storage and sharing applications.

• Peer-to-peer (P2P) data exchange applications.

• Anonymising applications or plug-ins such as VPN systems designed to allow people to watch overseas content.

It must be noted that all these categories contain professional applications that are used on a daily basis globally without problems, but the access they gain to corporate networks and hence corporate data makes them high risk should users choose the wrong application or if an application contains a vulnerability. Check Point found an increase in the usage of these applications across the board over a three-year period.

Another point the report makes is that due to the dispersed nature of organisations today, there is an almost constant flow of sensitive information out of organisations. Most of this is quite normal and acceptable, but if there are no processes in place to monitor and understand what is happening and what may not be for legitimate purposes, the chances of losing sensitive data increase.

As with the other reports, Check Point also provides recommendations on what can be done to stem the tide of cybercrime. Some of its recommendations include:

• Protecting your data by encrypting it.

• Creating layers of protection with checks and balances.

• Helping everyone – from top down – understand the importance of mitigating cyber-related risks to protect intellectual property.

Planning to fail

The McAfee Labs 2016 Threats Predictions Report looks at the year ahead and predicts that the main areas of risk in the cyber security world are the “continuing expansion of the attack surface [for example, more users, more smartphones and devices connected, more network traffic and much more data], increased attacker sophistication, the rising cost of breaches, the lack of integrated security technologies, and a shortage of skilled security talent to fight back.”

When looking at cyber security threats, a short article such as this only scratches the surface of the problem; we haven’t touched on some prevalent topics, such as ransomware, hacktivism, new devices like wearables, hardware-centric attacks and the Internet of Things (IoT). The reality of the risks becomes abundantly clear when reading the reports mentioned.

While the “it won’t happen to me” syndrome is still widespread, along with the belief that someone else will solve the problem for you if it does happen, cybercrime in all its forms is growing and has become a very profitable and hard to prosecute business.

South African companies have had an easy ride until now because there has been no legislated sanction of cyber losses. Companies have not even had to admit to breaches, which has negative consequences for individuals and the businesses themselves. This will change if and when the Protection of Personal Information (PoPI) Act is enforced – if it is enforced. The consequences will not only relate to financial loss and a bit of embarrassment, but could impact the business going forward.

There are, of course, endless companies out there willing to sell you the solution to your cyber security fears. The reality is that we need an integrated approach to dealing with the threats that includes technology and people. Educating people is probably one of the most important weapons in the fight against cybercrime. In fact, education can reduce the ability of criminals to access data and areas they are not supposed to, and reducing the number of attacks one has to deal with will make the process of dealing with the others a little easier.

As noted in the Deloitte report, “The good news is that cyber-threats are a manageable problem . . . a well-balanced cyber-defence needs to be secure, vigilant and resilient. Although it isn’t possible for any organisation to be 100% secure, by focusing on these three key attributes, it is entirely possible to manage and mitigate cyber-threats in a way that reduces their impact and minimises the potential for business disruption.”


