The Gulf Time Newspaper One of the finest business newspapers in the UAE brought to you by our professional writers and editors.
2015 has not been a very pleasant year for business houses, of varied sizes, as far as cyber security of their operations is concerned. Despite allocating increased budgets, more workforce and adoption for various foolproof mechanisms to keep online criminals at bay, there have been many destructive security instances at companies ranging from the US Office of Personnel Management to the Ashley Maddison data breach incident. Particularly, a steep surge in the espionage attempts was experienced that made the identities and confidential details of millions of people vulnerable.
Now as all the information is available online, cyber criminals have become hyperactive and they are on a constant prowl to sneak into the accounts of credulous companies and individuals. They are hacking companies’ data, confidential mails and even stealing peoples’ identities.
In the wake of these attacks, security experts have predicted that leading corporate houses worldwide will adopt a new robust mindset in 2016 and implement
advanced tactics like micro-segmentation to fight uncommon attacks by cyber
criminals.
In its recent estimates, British insurance company Lloyd stated that cyber attacks cost businesses nearly US$400 billion a year. This expenditure involves immediate financial loss as well as post-attack problems interfering with the normal cycle of business. However, some experts estimated the cyber crime’s damages to businesses could reach as high as US$500 billion and even more.
During the IBM Security Summit in New York City last year, Ginni Rometty, IBM Corp’s Chairman, President and CEO, cautioned the security officers of various companies, spanning across over 120 nations, about the long-term damages that a cyber attack could incur to the smooth operations of any company.
“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world,†stated Rometty during her address.
Interestingly, even governments are not left out from the bad game of cyber attacks. Considering the gravity of the situation, US President Barack Obama and UK Prime Minister David Cameron have agreed to carry out ‘war game’ cyber-attacks on each other as part of the new joint defence mechanism against cyber criminals. These attacks could be staged on financial sectors, government offices, educational institutes, and stakeholders and companies could learn from them.
The cyber security market is one of the rapidly growing technology sector
worldwide. According to reliable industry estimates, the global cyber security market is pegged at around US$77 billion in 2015 and it is expected to grow to US$170 billion by 2020.
Currently, US is at the forefront when it comes to spending on cyber security
measures and it is expected to spend around $14 billion in this sector in 2016.
The World Economic Forum says a significant portion of cyber crime goes undetected, mostly industrial espionage where access to private documents and data is hard to spot.
Cyber experts say, most of the
unscrupulous penetrations in the systems go undetected by even the sophisticated corporate information security operations. In some cases, the penetration could go
unnoticed for years. In one of the infamous
incidents of cyber attack, one financial institute that was penetrated was spending $250
million every year on cyber defence and had over 1,000 full-time cyber safety staff.
However, there is no sure-shot technology that can promise protection from internet crime all the times. The only panacea to thwart any kind of cyber attack is to always remain prepared for the worst.
United Arab Emirates (UAE), the flourishing ground for businesses, ranging from diverse fields, certainly offers enough scope for cyber criminals. However, enterprises here are quite enterprising and spending huge capital to ensure infallible protection against any kind of cyber attack or online criminal’s
attempt.
In the ever changing and increasingly complex landscape of cyber security, where there has been an increased use of technology, Emirates Business talks to Chester Wisniewski, Senior Security Consultant at Sophos (a leading security software and hardware company), and compiles some interesting trends that could prevail in coming months in the cyber sphere.
Android threats becoming more than just headline-grabbers
This year will see an increase in the number of Android exploits becoming weaponised (as opposed to bugs like Stage fright which was heavily reported earlier in 2015 but was never fully exploited). There are significant vulnerabilities on the Android platform which can take months to patch. Although Google claims that nobody has actually exploited these vulnerabilities to date, it will ultimately be an invitation too tempting for hackers to ignore. For example, some hackers will design an App that loads harmless games if it thinks it is being tested, but then loads the malicious payload when it detects it is ‘safe’ to do so.
Malwares to go mainstream
Apple App Store get hit a few times in 2015, once with the InstaAgent app, which snuck through the vetting processes and which both Google and Apple pulled from their respective app stores, and before that, with XcodeGhost, which tricked Apple app developers into incorporating the code into their apps, thereby infecting them but cleverly hidden behind what looked like Apple code.
With more and more apps coming into the market (both Apple and Google have more than a million apps each in their official marketplaces to date), it is not hard to imagine more criminals trying their hand at getting past the existing vetting processes.
IoT platforms — not yet the weapon
of choice for commercial malware
authors — but businesses beware
Every day, more and more technology is being incorporated into our lives. Internet of Things (IoT) devices are connecting everything around us and interesting new use cases are appearing constantly. IoT will continue to produce endless scary stories based on the fact that these devices are insecure (early 2015 saw many stories focusing on webcams, baby monitors and children’s toys and latterly cars have become a hot topic – researchers hacked a jeep in July).
There could be an increase in data-harvesting/leakage attacks against IoT devices, wherein they are coaxed to disclose information that they have access to, like video/audio feeds, stored files and credential information for logging into cloud services.
SMBs will become a bigger target for
cyber criminals
Throughout 2015, the focus has been on the big glamorous hacking stories like Talk and Ashley Maddison, but it’s not just big businesses that are being targeted. A recent PwC report revealed that 74 percent of Small and Medium Businesses (SMBs) experienced a security issue in the last 12 months, and this number will only increase due to SMBs being perceived as ‘easy targets’.
Ransomware is one area where criminals have been monetising small businesses in a more visible way in 2015. Previously, payloads — such as sending spam, stealing data, infecting websites to host malware — were far less visible so that small businesses often didn’t even realise they had been infected. Ransomware is highly visible and has the potential to make or break an SMB if they do not pay the ransom. This is why, of course, criminals are targeting SMBs.
Lacking the security budgets of large enterprises, SMBs often apply a best-effort approach to security investments, including equipment, services, and staffing. This makes them vulnerable as hackers can easily find security gaps and infiltrate the network. On average, a security breach can cost a small business anywhere up to £75,000 – a significant loss for any business. It’s important therefore that SMBs take a consolidated approach to security. This requires a thoughtfully planned out IT strategy to prevent attacks before they happen. Installing software that connects the endpoint and the network will mean a comprehensive security system is in place.
VIP Spoofware is here to stay
We will see a growth in the use of VIP spoof wire transfers as we move into 2016. Hackers are becoming increasingly talented at infiltrating business networks to gain visibility of personnel and their responsibilities, and then using this information to trick staff for financial gain. For example, sending an email to the finance team that appears to be from the CFO requesting the transfer of significant funds. This is just one of the ways we will see criminals continue to target businesses.
Social engineering is on the up
As cyber security comes to the fore and social engineering continues to evolve, businesses will invest more in protecting themselves from such psychological attacks. They will achieve this through investing in staff training, and ensuring there are strict consequences for repeat offenders. Employees need to be trained on how to be security savvy when on the company network.
There is a need to teach staff about the implications of a phishing email and how to identify one; ensuring staff don’t click on malicious links that might be found in unsolicited emails; encouraging staff to be wary that mis-spelt emails could be a sign of a scam; and to watch out for sites that ask for sensitive information, such as card PIN and national insurance number. Another golden rule is never to share a password. Each of us can help here by sending a signal to the market: let the providers who store your most valuable data (your bank, your health insurance company, your payroll management service, etc.) know that you demand strong security. If they don’t give you the option to use multi-factor authentication, ask them why not? Or better still, just switch to a provider who does.
Both bad and good guys will be more
coordinated
The bad guys will continue to use coordinated attacks but the cyber security industry will make significant strides forward with information sharing. For some time the bad guys have been coordinating and collaborating, re-using tactics and tools, and generally keeping one step ahead of the cyber security industry. But the industry is now evolving and we expect to see the promising activity that has begun around information sharing.
Commercial malware authors will
continue to invest heavily
Commercial malware authors will continue to reinvest at ever greater rates, bringing them towards the ‘spending power’ of nation-state activity. This includes purchasing zero days, which is a hole in software that is unknown to the vendor and is exploited by hackers before the vendor becomes aware of it. These bad guys have lots of cash and they are spending it wisely.
Exploit kits will continue to dominate
on the web
Exploit kits, like Angler (by far the most prevalent today) and Nuclear, are arguably the biggest problems we have on the web today as far as malware goes and this is expected to continue thanks to the thousands and thousands of poorly secured websites out there on the internet. Cyber criminals will exploit where they can most easily make money and therefore exploit kits have simply become stock tools of the trade, used by criminals to attempt to infect users with their chosen
malware.
