As the war on cybersecurity rages on, government and private companies are waking up from a cybersecurity slumber to embrace new security measures allowing them to be more proactive about keeping safe from organised Internet crimes.
But this can be daunting, especially when you don’t know where the lighting will strike. Here are some hints, where the vulnerabilities might still be hidden, and what we need to do about them.
The rise of “Shadow IT”
According to a Strategic Planning Assumption (SPA) made by Gartner, by 2020, a third of successful attacks experienced by enterprises will be on their “shadow IT resources”, in other words on the resources, that lack support by the organisation’s central IT departments.
Until recently, the term “shadow IT” was reserved for describing the wrongdoings inside an organisation, such as when employees bypass procedures for introducing new software to existing environments (e.g. they download apps that are not approved by the IT team). However, after the most recent cybersecurity incidents, it became apparent cloud infrastructures are also unsafe.
Nearly 80 % of surveyed businesses have admitted to using a third-party cloud – application without the approval or knowledge of their IT departments. This means that data security and protection methods that companies usually set as their standard practice might never be met. Another concern regarding cloud environments means data is distributed to too many, unknown places, which makes it harder to keep a track of it, let alone plan a comprehensive protection and disaster recovery plan around it.
The backfiring hype on new technologies
Not only is data moving in new directions. IT infrastructure is rapidly changing too. According to Gartner, endpoints of the Internet of Things (IoT) is expected to steadily grow to reach 20.4 billion Internet-connected devices. As companies engage more and more to implement smart technologies that would be their market differentiators, they often tend to forget that changes in security systems should mirror those in IT infrastructure.
One thing that is clear about cyber – attacks, is that they very often try to target breakthrough technology, typically because it lacks the security history, that could make it more resilient. As the number of companies that trust their data with IoT devices increases, it is crucial for workplace security regulators to adopt new guidelines that will ensure riskless deployment of various, new data endpoints to the network. Businesses as standard, should be performing obligatory security tests, managing the relationship between these devices (including data they send and receive) or even prohibiting connecting private IoTs to your network in general.
Application services are still not secure
Application software, more commonly known as “apps” are used daily, both professionally and personally for the benefit of us all. Thanks to their simple, easy – to – follow interface we can use them for different tasks and activities, ranging from taking pictures, ordering a meal, or booking a cab. At the moment they are so ubiquitous that it will be hard to imagine a world without them. However, the mere fact that they save us a lot of effort when it comes to organising our daily lives doesn’t necessarily mean they are all innocent. In fact, the famous 2010 Wall Street Journal investigation has revealed that apps are not good at keeping users’ secrets – the majority of applications leak unencrypted data, without users’ specific consent, not only to the developers, who write those apps but also to the third-parties such as marketing companies.
Eight years later, we witnessed some improvement in the matter of unambiguous and informed consent mainly due to new GDPR regulations, however, it is still true applications are the source of our most valuable (e.g. health apps) data, and can, if wanted to, be easily targeted by hackers due to their inbuilt vulnerabilities.
Malware is getting more sophisticated
Although some of the hacking incidents could be prevented if organisations followed cyber-security recommendations more closely, such as in the infamous WannaCry attack that disrupted more than a third of NHS trusts in England, it is also true that these threats are becoming more sophisticated. The nature of cyber- attacks moved from attempts to hack people’s devices to conduct spoofing man – in – the – middle’ raids, capable of gathering encrypted and unencrypted data by compromising the routers and servers that underpin internet access.
There are few reasons for it. One of them is the lucrative side of the hacking business itself. The highest earning hackers are believed to earn up to $2m a year for performing crime – as – a service activity, such as data and IP thefts, DDoS attacks and spreading malware. But besides the financial gains, cyber- attacks are also conducted on a large scale for intelligence gathering purposes. These cyber- crimes are usually political in their nature and are organised by states that are engaging in cyber-wars. Sadly, these are predicted to increase, if the tensions between countries such as Russia and the UK keep on escalating.
We are still not getting better at fixing vulnerabilities
Ironically, although we are getting more technologically advanced, this doesn’t imply we are any nearer to being more secure. The very problem with fighting cybercrime is that developments in cybersecurity are relatively slow, compared to how fast hackers can embrace new technologies. To implement any changes across society must go through a lengthy bureaucratic process (consider GDPR regulations). Similar limitations will apply to a company – introducing a new process to tackle cybersecurity threats often involve revolutionising all existing practices, and 99% of the time this can’t be rushed. Criminals are simply more flexible in their actions, which is why the majority of responses to the 2017 attacks were reactive. Although AI evangelists are proclaiming change with smarter solutions enabling detection of attacks at their earliest stages, it still feels right to ask – who will watch the watchmen? And how long do we need to wait before we finally get it right?