The problem is getting worse for several reasons. Cybercrime used to be reserved for nerdy kids in their bedrooms. But nowadays it is increasingly attracting professional criminals. They can make good money from cybercrime and the risk of getting caught is low. Even if they do get caught, the punishments are far less arduous than if you get caught robbing an actual bank or dealing drugs. The huge growth of Bitcoin and other alternative currencies has also made it much easier for the crooks to get paid.
The traditional way of protecting a business against cyber-attack was to protect the perimeter.
This meant carefully scanning incoming emails. It meant ensuring that all devices connected to the network were audited and properly protected with up-to-date anti-virus software. It meant firewalls to keep your network separated from other networks.
But this sort of protection isn’t possible for the modern business.
Firstly, because it is almost impossible to say exactly where the perimeter is. Today’s companies run networks which are linked to supply chains, to cloud providers and to mobile networks, and which include mobile devices that spend time linked to dozens of external networks. There are dozens of possible attack vectors to defend.
Threats don’t come from a neat list of known malware any more either. Malware is evolving almost minute-by-minute, so identifying it by its signature is no longer possible.
Instead of trying to keep the bad stuff out, defence strategies are taking a more holistic view of security.
Detection systems behave more like performance monitoring systems. They notice anything out of the ordinary – whether it is a machine or a user accessing more data than usual, or different data. They spot networks or systems running more slowly than usual and flag them up for investigation.
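A minimal sketch of the two checks described above, "more data than usual" and "different data", written as an added example rather than code from any particular product. The event tuples, names and threshold are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (user, day, resource, bytes_read). Not real logs.
HISTORY = [
    ("alice", 1, "hr_db", 1200), ("alice", 2, "hr_db", 1100),
    ("alice", 3, "hr_db", 1300), ("alice", 4, "hr_db", 1250),
    ("bob", 1, "crm", 5000), ("bob", 2, "crm", 5200),
    ("bob", 3, "crm", 4900), ("bob", 4, "crm", 5100),
]
TODAY = [
    ("alice", 5, "hr_db", 1280),      # normal volume, usual resource
    ("bob", 5, "crm", 48000),         # far more data than usual
    ("alice", 5, "finance_db", 200),  # data she has never touched before
]

def build_baseline(events):
    """Per user: list of daily byte totals and the set of resources seen."""
    daily = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)
    for user, day, resource, nbytes in events:
        daily[user][day] += nbytes
        seen[user].add(resource)
    return {u: (list(daily[u].values()), seen[u]) for u in daily}

def detect(history, today, k=5.0):
    """Flag first-time resource access and volume far above the user's norm."""
    base = build_baseline(history)
    totals = defaultdict(int)
    alerts = []
    for user, _day, resource, nbytes in today:
        totals[user] += nbytes
        _, seen = base.get(user, ([], set()))
        if resource not in seen:  # a user with no history alerts on everything
            alerts.append((user, "new_resource", resource))
    for user, total in totals.items():
        volumes, _ = base.get(user, ([], set()))
        if not volumes:
            continue  # no volume baseline yet for this user
        med = median(volumes)
        # Median absolute deviation: robust to a single past outlier day.
        mad = median(abs(v - med) for v in volumes) or 1
        if total > med + k * 1.4826 * mad:
            alerts.append((user, "volume", total))
    return alerts

if __name__ == "__main__":
    for alert in detect(HISTORY, TODAY):
        print(alert)
```

Alerts like these are prompts for investigation, as the text says, not verdicts: a first-time access or a heavy day can be legitimate work.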
Successful defence also means designing security in from the very beginning, not adding it on at the end. It also means taking measures to make life harder for attackers even if they do get access.
It means using encryption to routinely protect important data so that even if a breach does happen it will do far less damage. Anonymising databases will also reduce the rewards for cyber crooks.
Good data protection practice, like deleting details no longer required, can also help mitigate the risks of a successful breach.
In the end, almost all successful cyber-attacks rely on social engineering and human error. You need to teach your staff that security is not just a technology problem. If an email or a phone call makes them feel suspicious, they should stop and think.
Security needs to be second nature for everyone, not just the IT department.
Attackers will use any vector to get into your systems – some targeted attacks have started with phone calls rather than emails for instance. Others have used physical access to buildings and computers as a starting point.
But you can’t let the paranoia get to you either – you need an atmosphere where people are not afraid to admit they’ve made a mistake.
Cyber criminals have hit several UK hospitals with ransomware attacks in the last few months.
A member of staff at a hospital in Cambridgeshire inadvertently clicked on an email attachment and was sent to a web page which showed the ransom demand. Instead of immediately blowing the whistle, that person ignored the demand and carried on working.
By pure good luck the hospital systems escaped serious harm because the attack came just minutes after a full back-up and the recovery plan worked faultlessly.
However good your defensive systems, in the end it is your staff who are both your biggest potential weakness and your best defence against cyber-attack.