Yesterday (Thursday, 14 June), I was fortunate enough to attend the Cyber Security Summit in London. The event was action-packed, full of great presenters, insights and cyber-security simulations. With so much going on in the world of cyber, here are my top takeaways from the event.
1. The democratisation of cyber-crime
Tech companies and managed services partners are always going on about the “democratisation of technology,” i.e. as tech firms compete and innovate, more and more people gain access to better and better technology.
From a business productivity perspective, this democratisation has been a godsend. As technology improves and its price diminishes, small firms have been able to access sophisticated software that lets them compete with the bigger players in the market. User experience has also dramatically improved as a result of tech democratisation and firms no longer need to invest in huge IT departments in order to find operational success. The democratisation of technology is at the heart of digital transformation and is the reason why huge multinational banks are running scared of small fin-tech firms.
While democratisation in technology has brought about many positives, it has also been exploited by cyber-criminals to facilitate access to a multitude of malicious software. No longer is a hacker required to be a technical mastermind; in fact, they no longer even need to be technically proficient. All they need to do is access the darknet via the Tor browser and buy whatever piece of malware they want. The malware comes complete with a list of gullible organisations that pay the ransom when they get attacked, along with instructions and ratings on how to carry out an attack in the first place. The democratisation of technology has crossed over into the democratisation of cyber-crime.
So successful has this democratisation of cyber-crime been that children as young as 11 are being found to be the culprits of serious cyber-security breaches in the United Kingdom. As Charlie McMurdie, former head of the Metropolitan Police’s cyber-crime unit, pointed out in her presentation, one of the most frightening things about cyber-security is the ease with which an attack can be carried out. You don’t need to be a genius, you don’t need to do a lot of planning and you don’t need a lot of resources to be able to carry out a business-crippling cyber-attack. Children are literally carrying out these attacks from the comfort of their bedrooms.
With close to no barriers to entry for cyber-criminals, businesses need to wake up to the fact that anyone, from anywhere, could attack their business with the click of a few buttons. Access to highly effective malware is available to anyone who’s willing to trade a few bitcoins for it, and criminals are building communities, sharing advice and building each other up.
2. U.K. businesses are in denial when it comes to cyber-crime
One key message that kept coming up across all presenters was the lack of business readiness when it comes to cyber-security and cyber-crime. So many firms still think of a cyber-attack as an “if”, rather than acknowledging that it is actually a “when”.
As Charlie McMurdie pointed out in her presentation, the United Kingdom is the top target for cyber-criminals in Europe. We are leaders in banking and finance, and as a result, the U.K. has a big red ‘come get me’ sign that lures cyber-criminals from all across the globe. The fact that we also have a healthy small and medium-sized business (SME) sector (SMEs make up 99% of U.K. businesses) means there are plenty of opportunities for criminals to attack.
The message for SMEs at the event was clear: you need to stop hiding behind your size and assuming that nobody would be interested in hacking you. As the democratisation of cybercrime shows, anyone can become a cybercriminal, which means any firm, no matter how small, is exposed. Whether it’s a disgruntled ex-employee or a kid trying his luck, mounting an attack is far too easy and small firms that think they’re not at risk leave themselves wide open to be taken advantage of.
3. Machine Learning and Unstructured Data are making phishing attacks more sophisticated than ever
If you’ve ever been the victim of a phishing attack, you’ll be aware that while the email, post or text message you received looked legitimate on first viewing, closer examination usually reveals quite a few telling flaws. These could be a funny-looking link, or a sender address that looks similar to your business’s standard @yourcompany.co.uk yet is actually @youcompany.co.uk.
These types of phishing attacks still have quite a high success rate, though businesses have become more aware of what to look out for when it comes to a phishing scam. The introduction of machine learning, however, is about to flip this on its head.
Just as Facebook or Google can use your unstructured data to build a profile of your likes and dislikes and serve you the most engaging and relevant ads possible, cyber-criminals are starting to use these same tools to build sophisticated phishing campaigns that know you better than you know yourself. Attackers scrape data from your various public digital profiles (LinkedIn, Facebook, personal blog) and use machine learning to generate thousands upon thousands of varied messages, emails and social media links that can catch you out and infect your work or home computers.
As these types of attacks produce ever more believable content, it’s absolutely essential that firms implement email protection software and network firewalls; otherwise, the risk of genuine human error will leave businesses of all sizes exposed.
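One way an email gateway can catch the look-alike sender domains described above, as an added example that is not from the post or the event: it flags any sender whose domain is within a couple of edits of the organisation’s own domain. The protected domain, the allow-list and the sample sender addresses are constructed for illustration.

```python
from __future__ import annotations

# Constructed for this example: the organisation's real domain (from the post's
# own illustration) and a hypothetical allow-list of legitimate domains.
PROTECTED_DOMAIN = "yourcompany.co.uk"
ALLOWLIST = {"yourcompany.co.uk", "yourcompany.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions or substitutions
    needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    _, sep, domain = address.strip().lower().rpartition("@")
    return domain if sep else ""


def is_lookalike(address: str, protected: str = PROTECTED_DOMAIN,
                 max_distance: int = 2) -> bool:
    """True when the sender's domain is a near miss of the protected domain:
    not an exact or allow-listed match, yet within max_distance edits of it."""
    domain = sender_domain(address)
    if not domain or domain in ALLOWLIST:
        return False
    return edit_distance(domain, protected) <= max_distance


def flag_lookalikes(senders: list[str]) -> list[str]:
    """Return the addresses whose domain looks like the protected one."""
    return [s for s in senders if is_lookalike(s)]


# Constructed sample of sender addresses as an e-mail gateway might log them.
SAMPLE_SENDERS = [
    "accounts@yourcompany.co.uk",  # genuine, allow-listed
    "finance@youcompany.co.uk",    # dropped letter (the post's example)
    "ceo@your-company.co.uk",      # inserted hyphen
    "hr@yourcornpany.co.uk",       # 'rn' in place of 'm'
    "newsletter@example.org",      # unrelated domain, not flagged
]

if __name__ == "__main__":
    for addr in flag_lookalikes(SAMPLE_SENDERS):
        print("look-alike sender:", addr)
```

A real gateway would also compare against the organisation’s other brands and common homoglyph substitutions, and would quarantine rather than merely print.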
4. Rehearse disaster recovery drills just as you would a fire alarm drill
One of the difficulties in highlighting the risks of cyber-attacks is that there are no real physical signposts. Whereas with a fire you see and smell the smoke, a cyber-attack can take place and it might be days, if not weeks or months before a firm is aware that anything has happened.
Because of this, firms often come up with detailed and complex cyber-attack recovery plans that look good on paper, yet no-one in the business knows exactly how to execute them because they’re simply not rehearsed often enough, if at all. As the saying goes, practice makes perfect, and the only way firms are going to cope with an attack is by actively training for one. Bi-annual drills are a good place to start, along with having cyber-wardens in each function of the business. Your cyber-security plan doesn’t mean a thing unless you know how to execute it effectively and immediately.
5. Humans can either be a company’s strongest defence or its weakest link
You and your staff are essential parts of the war against cyber-crime, as technology alone can only do so much. If your business invests in continuous user training and awareness, your staff could be the best weapon you have against an attack successfully penetrating your firm; if, on the other hand, you don’t, then they’re almost guaranteed to be your Achilles’ heel.
With the rise of remote workers, be they client-based or home-based, and the bring-your-own-device (BYOD) trend, firms need to make sure staff are aware of the cyber-threat landscape and are using best-practice security methods to conduct their day-to-day jobs. As malicious actors work to improve and challenge the defensive status quo, investing in regular training makes sure staff are aware of current threats.
Making sure everyone in your organisation has good digital literacy, is aware of the current threat landscape and knows how to react in an emergency is the only way you can mitigate the effects of the attack that will eventually befall your organisation.
Remember, it’s not a matter of if. It’s a matter of when.
Words by Camilo Lascano Tribin