Cyber-security is a people problem
It’s easy to fall into the trap of seeing cybercrime as a technology problem. You could say technology has enabled cyber-criminals, therefore technology is to blame for this ever-increasing security problem – a cyber-security problem if you will. And it is escalating . . .
In its 2016 Threat Landscape Report, Fortinet estimates cybercrime to cost over USD 3 trillion annually across the globe. IT security company ESET is predicting an uptick in ransomware attacks, distributed denial-of-service (DDoS) attacks and attacks against Internet of Things (IoT) devices.
Incidents involving ransomware, a malicious program that locks down files and data in order to extort money, have escalated, as evidenced by the recent WannaCrypt attack which affected, amongst others, the UK’s National Health Service, Spanish telco Telefonica and FedEx. Organizations, public and private, in over 150 countries were victims of the attack, some of which no doubt paid the ransom of $300 worth of Bitcoins per PC to get their systems back online.
Last year saw several high-profile information leaks; LinkedIn’s systems were hacked and some 117 million records stolen, Tumblr leaked 65 million accounts, while a MySpace hack saw 427 million accounts leaked.
Humans are the biggest enablers . . .
But don’t be fooled into thinking this is all caused by technology; humans have as big a role in enabling cybercrime. Besides the cyber-criminals themselves, uneducated users are the largest perpetrators, as they engage in risky behavior that puts themselves and the organizations to which they are connected at risk.
As attackers get smarter, the average person on the street remains relatively uninformed about how to protect themselves and their information from criminals who seek to exploit it for commercial gain. This low level of security awareness carries over into the enterprise, where businesses are faced with the task of educating their workforce on an ongoing basis. The organization may have good security policies and train staff on best practice, but you cannot police every person, all the time.
On the other hand, companies may not prioritize data security, because there are significant costs associated with security and organizations may opt only to do the minimum needed to avoid falling foul of legal or regulatory requirements.
Then there are the people who develop data security and privacy laws that are meant to help society combat cybercrime, but mostly they just battle to keep up with the pace of innovations like the Internet of Things.
IoT devices are great, until … your fridge spies on you
IoT devices pose a particular threat as they are frequently unsecured and often installed with the default password setting out of the box. This makes them vulnerable to attacks like the Mirai botnet last year, which disrupted the Internet across Europe and America. As more appliances and gadgets such as smart TVs, fridges, cameras and air-conditioners become connected, the need to secure such devices becomes more and more important.
Some IoT devices are becoming increasingly fundamental to industries such as healthcare, energy and motor cars. The increasing application of IoT in these industries unfortunately makes them more attractive as attack targets.
Hired an information security person lately?
Compounding the problem is the lack of appropriate skills and expertise in information security and related roles, and it’s not getting better. Market research and analysis firm Frost & Sullivan produced a report that estimates the shortfall will be as much as 1.5 million skilled people by 2020.
This means businesses need to commit increased resources to keeping up to date with the changing threat vectors, keeping their infrastructures patched and secure, and educating both employees and consumers on how to behave online in a way that keeps their information protected.
According to ESET, cyber-security education needs to take place across all sectors of society – from primary through tertiary education, on a governmental level and throughout the private sector. Everyone who is active on the Internet and who is not a cyber-criminal needs to fight back.
While technologies like machine learning can certainly help to mitigate some of the skills problem, and the human error problem, cyber-security is ultimately a people problem. And companies who aim to tackle it effectively need to target more of their efforts in that direction.
Note: This blog post is based on an article of the same title originally featured in Huffington Post.