Top 10 Cybersecurity Tips for 2018
Hacking has been a part of the internet from way back before the worldwide web was a thing. Some people might remember the 1983 film WarGames, in which two teenage computer-geek protagonists unwittingly access a US military supercomputer used to run nuclear war simulations.
Thankfully, most hackers do not manage to get that far into most countries' military infrastructure but they do manage to cause an awful lot of damage in the commercial sector.
Mostly the often-mysterious cybercrimboes seem to steal user account information – presumably to get people's email addresses, which are then entered into a world of spam, malware and ransomware.
The worst hack in history – in terms of the number of people's personal information stolen – was the Yahoo debacle, in which cyber villains made off with 3 billion account details. According to CNN, “every single Yahoo account was hacked”.
Verizon, which recently completed its acquisition of Yahoo, reduced its initial offer by $350 million in light of the hack, and eventually paid $4.5 billion for the company.
So it was an expensive hack, but not the biggest hack in history – that dubious honour goes to the WannaCry attack, which has so far cost $8 billion worth of damage worldwide, as reported by Reuters.
But even that $8 billion cost of the WannaCry attack would be dwarfed by a hypothetical attack that insurance organisation Lloyd's of London postulated last year.
In a report co-produced with risk-modelling firm Cyence, Lloyd's estimates that a hypothetical hack could potentially cause $121 billion worth of economic losses worldwide, according to Bloomberg.
And away from the headlines about multi-billion-dollar cyber attacks, there are millions of breaches which can each cause several hundred or several thousand dollars' worth of damage – or just anguish over lost time on the part of enterprises whose problems are not reported by the media.
So, what to do about all these techno-terrorists? Who knows. Each problem may be different and require a specific solution.
Here are what we here at EM360º believe will be 10 of the most important security trends of 2018.
Hardware-level and firmware-level security
The recent discovery of a 20-year-old flaw in the process of chipmaking has led to a lot of headlines about a type of cyber attack called Meltdown, and a related method of menace called Spectre.
The discovery has probably brought the idea of securing hardware more to the forefront, with hardware suppliers suddenly finding themselves the epicentre of attention as a result.
Companies such as Intel, the largest chipmaker in the world, and hardware suppliers like Apple, IBM, HPE and others have been taking the lead in releasing patches to defend against Meltdown and Spectre.
This will likely lead to more of these hardware makers and designers to emphasise the security aspect of their offering.
HPE, for example, has been promoting what it says is its “new security foundation” to protect against malicious threats that target server firmware.
It’s no longer adequate to limit security to firewalls when it comes to server infrastructure, says HPE, which is believed to be the world’s leading supplier of servers.
Using artificial intelligence
Biometric identification systems – such as fingerprint and facial recognition – are growing in popularity.
These systems, of course, can require significant computing power and artificial intelligence to work properly.
But good hardware is also important because it’s the initial point of contact – literally – with the user.
The quality of the device or component which scans or analyses the user’s fingerprint, iris, face or voice is probably going to become more of an issue going forward.
How each system can be differentiated – how the quality of each can be compared and contrasted to others – is probably going to be an issue.
Regulations and the red tape menace
Increasingly stringent regulations introduced by governments around the world will probably encourage a culture of greater accountability for companies which claim their hardware or software is secure.
While most people would accept that nothing can be invulnerable all the time, that is not a good enough excuse to get away with an impressionistic sales pitch for whatever security feature a company is trying to sell. Measurable and verifiable criteria is probably the way to go.
While no one likes red tape, the emergence and propagation of government-backed cybersecurity frameworks such as the European Union’s General Data Protection Regulation and the US’ Privacy Shield encourages a culture of security within clearly-defined rules, and may have a positive effect on the enterprise sector.
Whimsical allusions to the Wild West might have seemed fun in the past, when the worldwide web was new to the masses, but being shot up by Billy the Geeky Kid on a regular basis may not be many people’s idea of a fun business environment.
Block ’em with blockchain
Blockchain, of course, is a system of recording an online transaction. That transaction can have a monetary value attached to it, but it doesn’t necessarily have to.
Having been developed essentially as a security application, blockchain, therefore, is ideal for many instances where the utmost security is required.
No wonder, then, blockchain forms the basis for bitcoin and other crypto currencies.
But blockchain adoption is likely grow way beyond the digital money market and go into areas such as the automotive sector, where some companies are testing it in new, internet-connected cars.
It will be interesting to see if what people say is a highly secure system is able to stop determined hackers.
The thing about blockchain is that people involved in the transactions can often be found – because it uses a public ledger system.
Whether private blockchain implementations – if that’s possible – can prevent breaches remains to be seen.
Patch, patch and patch again
It’s an unfortunate fact of digital life that one has to update software and systems almost every day with this or that.
Often it’s just an update and nothing to do with security. But increasingly these days, it’s security patches for new and emerging hack attacks terrorising the internet populous.
It sounds tedious to have to patch things on a regular basis, which is why the idea of automating the process is increasingly being implemented.
When you’ve got thousands of servers and computers that all need patching, automation seems to be a sensible option.
Information is power
Back when desktop publishing and then the worldwide web were new, and media outlets started growing at an exponential rates, the phrase “information is power” was used to refer to the fact that everyone could have access to vast amounts of information which may have been inaccessible to them in past.
Information, it was thought, would give power to the people. It hasn’t quite worked out that way in some aspects, and even though there‘s now more information available than we know what to do with, it’s still essential to keep abreast of the latest developments in security – whether it’s a new ransomware doing the rounds or a new security patch to counter it.
And as more reputable media outlets start hiding behind paywalls, it’s that much more important to decide where and how you will get the information you need to keep your business – and private – data secure.
Internet of insecure things
It’s often said that no computer system can be 100 percent secure 100 percent of the time, and the internet of things has reduced that percentage of security – whatever it was – even lower.
Experts say the IoT makes everything even less secure and it’s a struggle to keep up with the number of new devices and systems – packed with sophisticated new sensors and chips – connecting to the IoT and bringing with them their particular vulnerabilities.
Estimates vary as to how many new IoT devices are already on the internet, with some saying they already outnumber the 7 billion global population, but most agree they will double or treble in the next few years.
Hackers are said to be developing huge botnets to attack IoT networks and devices, and the security industry will have its work cut out trying to fend them off.
There is a scarcity of skilled people available to work in the cyber security sector, which is obviously a problem now, and will continue to be a problem going forward.
But given the ever-changing nature of the threat from cyber crooks, what is probably more sensible is to adopt a recruitment approach which integrates ongoing training and retraining of existing staff.
Cyber security professionals can do their best to learn by themselves, and many employers are doing their bit as well, but with new regulations coming out all the time, along with new cyber threats, a more structured approach which builds knowledge may be one that provides the best return on investment.
Test twice, implement once
Software and application testing is likely to become more routinised as companies start realising that prevention is better than cure.
Most providers of security systems would probably appreciate the value of predictive maintenance, and maybe even use so-called “white-hat hackers” to test their security from the outside.
But routine testing and ongoing monitoring, along with automated patching, advanced data analytics, perhaps with AI systems, could be the way to patrol the perimeter – rather than the “wait and watch” method that may have been the posture in the past.
With insider threats said to be the biggest threat companies often face, ongoing training may help weed out the employees who are most likely to go rogue – or have already done so without you even knowing.
Simple things like employee data theft may have been very difficult to discover in the past, but it really shouldn’t be now, what with all these monitoring systems available.
Another benefit of ongoing, active training and assessment programmes – especially perhaps from the point of view of regular, non-rogue employees – is that innocent people may be saved from becoming the subject of intense, unwarranted scrutiny as well as excessive and unnecessary deterrence measures, which can often be the very distractions used by the real rogues to get away with damaging the business without anyone detecting or knowing about it.