It’s time to be vigilant to cyberattacks
Peter Bailey reveals the main cyber security trends for businesses in 2019 and highlights the basics of a sound information security strategy.
Don’t expect the number of cybersecurity breaches, attacks, frauds and other incidents to drop in the year ahead. Do expect to see more exploitation of individuals as social engineering becomes more popular. And expect to see just as many ‘mega breaches’, where mass customer information is stolen.
That’s the top line summary of what to expect in the world of information security for 2019.
Cybercrime is a business for those who engage in it and the purpose of any business is to generate profit. With sophisticated technology available for the protection of company information, cybercriminals are finding that social engineering exploits are more likely to pay off than technology-led attacks. This is because people tend to create security vulnerabilities, whether that be due to poor password practice or simply a lack of awareness of common attack techniques.
This is cyclical – in years gone by, we’ve seen attacks see-saw from technology-driven to socially engineered, and of course, combinations of the two. The cyclical nature of how attackers go about their business is also reflective of the ‘arms race’ between defenders and attackers – without being constrained by things like budgets and business priorities, more often than not, attackers have the upper hand.
It’s never for long, though. Even as we see legitimate applications for emerging technologies like machine learning and other forms of artificial intelligence (AI) and automation, so too are cybercriminals looking to put these techniques to work for their own purposes. They’ll likely use AI to make themselves more effective, combining it with social engineering techniques to trick people into giving away sensitive information.
And as defenders, it is always a bigger ask to stay on top. After all, we have to protect against every potential vulnerability. The attacker only has to focus on the one exploit they feel confident will work (and they can replicate that effort against thousands or even hundreds of thousands of targets – just one or two successful compromises in every hundred is enough to keep the money rolling in).
On the subject of money, there’s a simple question to be asked about the seemingly endless ‘mega breaches’ we routinely see in the news: why do they keep happening? The answer is that consumer data is valuable.
We know this already from the likes of the big social media companies, notably Facebook, and even more notably in the wake of the Cambridge Analytica scandal. The shockwaves of that event, which happened around this time last year, continue to reverberate, because it laid bare at least two important points. The first is that, yes, ‘free’ social media is using your information for revenue-generating purposes (that is, it has value). The second is that you are indeed the product, and not the customer.
Now, neither of those points should have come as any surprise, but in fact they did, probably because the extent to which personal data can be used was suddenly apparent. And that gave rise to immediate follow-up questions: what else can my data be used for? And what else has my data been used for already?
When, for example, Equifax is hacked, what’s the value that hackers see in this kind of personal information, which includes things like names and addresses, other demographic information and potentially credit card details? The card details are sold on the dark web. So too is the demographic information; it can be used for all manner of things, including the social engineering we’ve already discussed, and which is on the rise.
But what a lot of us don’t realise is that this information can also find its way into legitimate ‘marketing’ (or other) databases, which are then sold on to legitimate companies. They then use the data for legitimate purposes, in all probability without any idea of its shaky provenance.
It is a scary world out there, to be sure. But taking the necessary precautions makes it far less so, and that starts with a risk mitigation approach.
Remember we noted that hackers likely have thousands of companies in their sights, looking for the weak points? Make sure you’re not one of them.
This starts with an unrelenting focus on the basics; get the basics right and you will successfully fend off perhaps 80 per cent of all attacks.
The basics stay the same, too. Here they are again:
• Use a security software suite and make sure it is always up to date.
• Always keep software patched and up to date, including internet browsers.
• Train staff on information security best practices. Everyone must be vigilant.
• Have a plan. Know what to do if you suspect a breach, because when remedying, time is of the essence.
• Be compliant. Know what regulations apply to your business. Put in place the necessary structures and processes.
Beyond the basics, your information security strategy will depend on your line of business and may include hardened systems and processes. Bear in mind, though, that a good security policy doesn’t paper over the cracks. It makes sure the cracks aren’t there at all.
Finally, if you think cyberattacks are something that happens to other companies and other people, don’t. It can happen to you at any time, in your personal life or at work (and it can start personal and get into the workplace).
What we know, whether an iTunes scam or the Z Energy breach, is that vigilance always should be your watchword.
Peter Bailey is General Manager of Aura Information Security.