Cyber risks are relevant to everyone, not just to governments hosting elections or to major organisations and businesses. Everyone is a target and the threats exist at all levels. We are at a moment in time when we must be armed with sufficient cyber awareness to remain safe and yet this is becoming harder and harder to do thanks to a new cyber frontier – IoT.
There is a chasm of a knowledge gap that is constantly being exploited by hackers who are capable of both extremely high-tech attacks and simple, mass-produced phishing attacks. Many in the security industry are vocal about the need for training, pinpointing the employee as the weak link in cyber security and urging education across the board.
However, as Kaspersky’s David Emm told CBR, training is not a silver bullet – indeed, Mr Emm goes as far as to state that he doesn’t “think you can train someone to be secure.”
“We don’t train children to cross this or that road, or work the buttons on the pelican crossing. We train them so that they are aware in any road safety situation and I think it’s the same with security,” Mr Emm told CBR.
It is evident that carelessness does carry a significant cost, and that the general culture and attitude surrounding cyber awareness and security is moving at a much slower rate than the technology developments being made to take on the threats, and far slower than the agile adversaries.
David Emm told CBR about the times of big change in tech in recent years, which have either mobilised threats or brought about new incentives for their criminal deployment.
“If you look historically at how things have developed they tend to be largely evolutionary, but then occasionally you get this complete turnaround when we all started to do online banking, online shopping and using social media. At which point malware turned from being designed to disrupt people to making money,” said Kaspersky’s Principal Security Researcher.
We now find ourselves at a new precipice that will test the cyber resilience of citizens globally, as well as businesses and organisations. On facing the IoT threat, Mr Emm said:
“I think we are kind of on the cusp of another of those big changes, which is towards everyday objects being computerised, and they are all over now, but we are not really seeing them exploited wholesale yet in the way that mobiles are or desktops.”
The Mirai Botnet attack at the end of 2016 cast light upon the way in which unassuming devices found in the home can be used as an entry point and launch pad for hackers to initiate a network attack on a huge scale. The Mirai Botnet attack relied on devices running out-of-date versions of Linux, highlighting the formidable edge that this sort of attack gains from carelessness.
Details like this are also overlooked in business; George Brasher, the Managing Director of the UK and Ireland at HP, told CBR that printers are often overlooked as an important route into the network that needs to be secured. He explained that printers are end-point devices that are often numerous enough to launch a large-scale assault on the network.
The reality of the situation is that an intricate web of connections has been made between devices and networks, the security implications of which the world is only just realising. Putting in perspective how far we have already gone down this road, David Emm said:
“There are not many parts of life now that are not connected, if you think about hospitals for example, and I’m not even talking about turning off a life support machine, you have patient records and all of the admin systems in the hospital.”
Now that we are living fully connected lives, cyber awareness and education are critical, particularly within businesses and organisations. This is also the case because there is no longer a hard shell of cyber protection forming a perimeter, so all hands are required on deck and everyone is responsible for their personal devices that enter important networks.
Despite the crucial need for a cultural change in understanding and appreciation of the relevant threats, methods of raising cyber awareness and educating staff in a business setting are weak.
“We are not terribly imaginative I don’t think either, maybe in the first week during an induction they make you sign off on it, but you are not thinking about that in your first week, you are stressed, you are anxious, you want to know where the bathrooms are, whether you get a sandwich, who people are, you’re not thinking about security,” said Mr Emm on the importance a new employee would place on cyber security.
In addition to weak approaches to instilling cyber awareness, a recent report delivered a shocking realisation to the world that only 57% of UK businesses even have a cybersecurity strategy implemented. This lack of planning and understanding is highly concerning amid a time of unparalleled cyber threats that no security provider can guarantee safety from.
David Emm said: “We need to be more imaginative, and that applies to the government and educating citizens as well. I have asked a few times in different forums, why don’t we see public information films on the TV? The answer to that really comes back as people are not necessarily consuming things via TV anymore, but they are still consuming content.
“Masses of people watch Eastenders or Hollyoaks, so how expensive can it be to get the media to run a campaign? We do it for drink driving.”