There are anywhere from 13 billion to 21 billion smart devices online today. These estimates were presented by different speakers at a recent Westminster eForum cybersecurity conference in London.
Other figures were more alarming. To date, five billion personal records have been breached worldwide across every type of organisation. The motive is usually financial rather than hostile or political, and it’s easy to see why. One estimate of the total losses to date was up to $1.2 trillion, if you include cybercrimes that are enablers of other illegal acts, such as fraud and money laundering.
Make no mistake, such attacks are the work of organised, entrepreneurial criminal networks, not the opportunistic bedroom hackers or hostile agencies of lore – though those threats certainly exist. Organised cybercriminals want maximum payback on their own technology investments, speakers at the conference said.
Growing attack surfaces
With 340 undecillion IP addresses available under IPv6, it’s obvious that the so-called attack surface can only get bigger as the Internet of Things (IoT) grows – an environment that another speaker described as “feral”, largely ungoverned by standards and (despite the UK government’s best efforts) lacking security by design.
IoT devices, such as smart lightbulbs, environmental control systems, digital assistants, and more, can offer backdoors into organisations’ critical infrastructures and data, if securing them has not been factored into the security policy. This is particularly true if the devices themselves are not set to be ‘dumb by default’ until the user opts in to more personalised options.
It must be acknowledged that another significant feature on the security landscape is the growing prevalence of cloud services. In that context, the extended enterprise is a security challenge too: organisations’ partners and supply chain in the cloud are increasingly common targets, offering criminals yet another way into the business.
Most organisations are somewhere on a journey into the cloud for at least some back- and front-office processes. So it stands to reason that providers are targets for cybercriminals, particularly for those with financial ambitions. Suppliers play host to countless customers, so finding a way in could prove lucrative in the long run.
However, even with hosted services the real risk is often at the customer end – in the weakest link in the security chain: people. Employees sometimes fall victim to sophisticated phishing attacks, which are designed to allow criminals into accounts, where they can set up complex frauds or fake transactions.
In such an environment, security has to be agile and connected with governance, risk appetite, and sensible, pragmatic management.
Cloud vs on-prem
But is the cloud itself more or less secure than on-premises systems? It’s fair to say that some IT leaders believe the latter, and feel more comfortable with systems that they can see and interact with first hand, as if that somehow confers greater security than a hosted service.
But such a viewpoint is more emotion-based than logical and ignores the rolling upgrades and automatic patches of most cloud services. Failure to keep on-premises operating systems or applications up to date, and/or to install readily available vendor patches, is a common reason for cyber attacks succeeding. The havoc created in the NHS and other organisations by 2018’s WannaCry ransomware attacks was just one example of this problem.
A recent Computing Research survey revealed some of the conflicting attitudes to cloud security among the UK’s IT decision-makers, with particular reference to Human Capital Management (HCM) and Finance applications in the cloud.