I recently attended a conference discussing cyber threats. The majority of the speakers were security professionals representing a wide range of UK organisations. An interesting theme began to emerge: there appear to be two current ways of thinking regarding cyber threats, those who believe ‘Cyber’ is just another media buzzword and those who genuinely believe ‘Cyber’ is the new war front. No matter where you stand on the topic, you will appreciate that in today’s world of “e-activities & interconnectivity” cyber threats are something to be taken seriously. In the last few years, key events have changed the game completely: the militarisation of cyber space, and criminals learning fast and moving into the low-risk, high-reward area of cyber crime. It is actually easier to rob a bank electronically than to hold up a branch. Privacy is also changing; Edward Snowden has made sure of this.
There is a lack of understanding among organisations and the general public of how best to prepare for these new threats. Are these new cyber threats and risks going to be fed into the enterprise’s risk management plan, or do you wait to see what happens first? With business and our own personal lives increasingly being carried out electronically and stored online, there is a greater reward for criminals in this field. Take the example of a large merger deal with a bank: numerous emails will be sent between the parties concerned, and if there is an individual who has no understanding of or interest in maintaining up-to-date systems or anti-virus software, this can lead to criminals hacking into the system and gaining inside information. This won’t come from a state-of-the-art laboratory or use any groundbreaking techniques; a simple phishing email with a trojan attached would do this pretty easily. The criminals are prepared to wait as long as 200 days before attacking, to learn user patterns and items of value. Once they have their information they can go and buy shares of the companies involved, or sell the information to other interested parties or the press, and make a pretty penny . . . all from behind their keyboards.
The threat landscape is changing and our attitudes must change with it. To have a chance against an ever-evolving threat we need an ever-evolving defence. We may not be able to win every fight, but it is important to learn from the mistakes and prevent them from happening again. We need ways to quantify the impact of these attacks. Loss of intellectual property, loss of future business, reputation damage: there are currently no definite methods for calculating these, even for insurance purposes! The need to educate ourselves to raise awareness is of the utmost priority. Unfortunately there is a reactive approach to information security and that is not good enough. We need to change how we think about it; we need to promote discussion and transparency in order to collectively improve, because as of now the risk for the criminal is so low that they would need to be very lazy not to get involved.