Pro IT

Under Attack from Cyber Crime

WannaCry, the recent global cyber-attack highlighted the threat our businesses face from the online world. This attack wasn’t hugely successful when putting into context of the number of devices it infected worldwide, but it did generate a discussion on what the future holds for future threats.

The ease of which this threat was curtailed may not be the same going forward unless we invest time and resource into protecting the world from future attacks. In order to do this the manufacturers and businesses that operate in this space will need additional support, which may or may not be through government regulation.

We have an expectation that computers must be inexpensive and full of software, this though is at the expense of security and reliability. So it’s common for the machines we use to have vulnerabilities that attackers find easy to exploit and as we look at the number of connected devices growing exponentially the problem could be significant for some businesses unless a solution is found to address the issue.

Globally cyber security is a 1 Trillion dollar industry and growing. This year alone JP Morgan Chase will spend $500 million US on cyber security. Here at home the NZ government estimates cyber- crime cost New Zealand $257 million last year.

If we take a step back and define what cybercrime is then we can look at the issue from a holistic perspective. Cyber-crime is any crime that takes place using a connected device via a network of other connected devices. This then is a broad brush of crimes that include all that we generally think of when thinking cybercrime, DoS attacks, Phishing, Trojans, Spyware, brute force attack etc.

So who is doing this and why are they doing it?

It’s a complex question. Often it can be easy to do and some of the criminals do it purely for the thrill and kudos they receive. When it comes to the more organised criminals it isn’t so clear cut. Some is done for profit, but other attacks are done to cripple organisations and governments.

It can be profitable, while WannaCry netted only $100k it’s all profit. When looking at the opportunity for these hackers the internet has given them access to billions of people so that even a scatter gun approach can net return. Cryptocurrencies have also made it a little easier to hide the identity of the hacker, although not completely.

The future looks quite bleak in relation to being able to stop this so the current investment is likely to continue to rise until we address some of the questions the future will pose. The internet is no longer a web that we connect to. Instead it’s a computerised, networked and interconnected world that we live in. A world where we will have billions of devices connected and networked to make life easier.

And here lays the greatest risk.

I can’t help thinking back to the Y2K problem at the turn of the century. We didn’t know what could happen because we didn’t know what was connected to what and whether this had the capacity to error and crash some system.

What we do know for sure is the attacks will not stop while we continue to produce software that has vulnerabilities and still use weak passwords (the most common password is still 123456).

The biggest concern is identifying where these risks are, what the impact might be and how far reaching. If we take the growth of connected devices, it seems clear the ability for a massive global attack is going to occur unless there is some action by governments and manufacturers to address vulnerabilities quicker than we do today. In 99% of known attacks, security and IT professionals would have been aware of the vulnerability for at least a year.

What we can do in our own businesses is to address what we have control over. Making sure you are updating your system is obvious and has been talked about a lot. Another thing we can do is tighten up on passwords, we are just to blasé.

Iris scanners are already imbedded in the higher end smartphones and this will continue to become better with each new release. Many companies are now employing a dual authentication process, like Gmail and Yahoo has started to push notifications out so you don’t need a password to access email.

But I don’t think manufacturers are the ones who can fix the problem. In the end the solution is a multilevel approach from manufacturers, governments and consumers. If we continue with low cost devices and low cost deployment we will continue to experience attacks that easy to do but become increasingly harder to isolate for the billions of connected device.

The question I would leave you with is if you can address the one thing in your business what would that be?