If you were asked to picture your biggest cyber threat, chances are you’d see an image of a hooded attacker in a faraway country. But you’d be wrong. The greatest danger isn’t posed by an anonymous criminal; it’s more likely to be somebody across the office unwittingly clicking on a malicious link.
This disconnect between perceived threat and reality is hardly surprising because these hacker images are shown repeatedly in the media. In the past year alone we’ve seen a number of high-profile cyberattacks featuring prominently in the news cycle, focusing the attention of business leaders on these external threats.
Yet in Verizon’s latest Data Breach Investigations Report, two out of every three examples of malware linked to data breaches were installed via malicious email attachments. Research from Microsoft found that almost one in four recipients will open a phishing email when they receive it.
These emails are no longer something your aunt clicks on to send money to some African prince who promises a share of the family fortune. They’re sophisticated and personalised messages – often claiming to be from your bank, a government department or your employer’s HR department. In some cases it takes a trained eye to see through the charade.
At a recent Microsoft roundtable, featuring a number of chief information security officers (CISOs) from top Australian organisations, phishing emerged as the key universal threat. IT departments have been talking about the need for security education for as long as people have had personal computers. But when it comes to minimising cyber risk, it’s important to make everybody in your organisation understand they have a role to play.
While it’s human nature for people to click on malicious links, Steve Glynn – a former CISO for ANZ Banking Group who now consults on privacy and cybersecurity as a Principal with elevenM Consulting – advises clients to shift their focus away from click rates. “We should be measuring the number of people who report a phishing attack because that turns everybody into a potential early warning system like canaries in a coalmine,” he says.
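To make the “early warning system” idea concrete, here is an added example (not code from the article or from any of the organisations quoted) that scores a simulated phishing campaign the way Glynn suggests: alongside the usual click rate it computes the report rate, how quickly the first report arrived after delivery, and how many clicks happened after that first report, which is the window in which a fast-reacting security team could have purged the email and prevented them. The campaign name, email addresses and timestamps are constructed sample data, and the three-event log format (delivered, clicked, reported) is an assumption for the example rather than any particular product’s export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log for one simulated phishing campaign (not real data).
# One event per line: ISO-8601 timestamp, campaign id, recipient, event type.
# Event types assumed for this example: delivered, clicked, reported.
SAMPLE_LOG = """\
2017-06-01T09:00:00Z,q2-hr-payslip,alice@example.org,delivered
2017-06-01T09:00:00Z,q2-hr-payslip,bob@example.org,delivered
2017-06-01T09:00:00Z,q2-hr-payslip,carol@example.org,delivered
2017-06-01T09:00:00Z,q2-hr-payslip,dave@example.org,delivered
2017-06-01T09:03:30Z,q2-hr-payslip,carol@example.org,reported
2017-06-01T09:05:10Z,q2-hr-payslip,bob@example.org,clicked
2017-06-01T09:12:45Z,q2-hr-payslip,dave@example.org,clicked
2017-06-01T09:14:00Z,q2-hr-payslip,dave@example.org,reported
"""


def parse_events(text):
    """Parse the CSV-style log into (timestamp, campaign, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, campaign, user, event = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), campaign, user, event))
    return events


def campaign_metrics(events):
    """Return per-campaign click/report metrics, keyed by campaign id."""
    by_campaign = defaultdict(list)
    for ev in events:
        by_campaign[ev[1]].append(ev)

    results = {}
    for cid, evs in by_campaign.items():
        evs.sort(key=lambda e: e[0])
        delivered = {u for _, _, u, e in evs if e == "delivered"}
        clickers = {u for _, _, u, e in evs if e == "clicked"}
        reporters = {u for _, _, u, e in evs if e == "reported"}
        if not delivered:
            # Nothing was delivered, so rates are undefined; skip the campaign.
            continue

        first_delivery = min(t for t, _, _, e in evs if e == "delivered")
        report_times = [t for t, _, _, e in evs if e == "reported"]
        first_report = min(report_times) if report_times else None

        # Clicks that landed after the first report: the "canary" had already
        # sung, so a prompt mailbox purge or URL block could have stopped them.
        clicks_after_first_report = sum(
            1 for t, _, _, e in evs
            if e == "clicked" and first_report is not None and t > first_report
        )

        results[cid] = {
            "delivered": len(delivered),
            "click_rate": len(clickers) / len(delivered),
            "report_rate": len(reporters) / len(delivered),
            "seconds_to_first_report": (
                (first_report - first_delivery).total_seconds()
                if first_report is not None else None
            ),
            "clicks_after_first_report": clicks_after_first_report,
        }
    return results


if __name__ == "__main__":
    for cid, m in campaign_metrics(parse_events(SAMPLE_LOG)).items():
        print(cid, m)
```

In the constructed log, half of the recipients click, but the first report arrives 210 seconds after delivery and before either click, so a team alerted by that report could have removed the message from the remaining mailboxes before anyone clicked. That is the metric worth tracking: not whether people click (they will), but how fast the first report reaches the people who can act on it, and how many clicks occur after that.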
The internet of threats
Billions of sensors are being embedded into almost everything around us. Research firm IDC predicts the number of connections to this internet of things (IoT) will grow from about 15 billion at the end of 2016 to more than 82 billion in 2025.
It has huge potential benefits in healthcare, allowing patients to be monitored from the comfort of their homes. More broadly, these sensors are powering the development of smart cities that help people accurately measure electricity usage and will eventually guide driverless cars.
The biggest concern for many security leaders is that IoT adoption is moving too quickly for security to keep pace – providing a huge number of potential entry points for attackers to access sensitive data or even gain control of critical infrastructure.
“IoT is growing at an astonishing velocity and creating a massive attack surface,” Telstra CISO, Craig Hancock, says. “It’s moving at an incredible pace and the entire industry is now playing catch up to embed security.”
Just think about the ability to hack remotely into people’s homes or take control of a plane during its flight. Shared connectivity is one of the great benefits of building this global sensor network but it must be supported by adequate security measures.
One of the biggest cybersecurity challenges is that those with malicious intent have the same access to tools as everybody else. In fact due to policy, legislative, and procurement limitations they often have access ahead of those charged with keeping us safe. Emerging technologies promise great benefits but also bring new risks that must be addressed. None is greater than artificial intelligence (AI).
The ability to weaponise AI is a huge problem. Attackers can use it to mine large amounts of social network and other public data to find personally identifiable information. The potential use of AI to create adaptive malware that changes in the wild is the sort of nightmare scenario that brings any CISO out in a cold sweat.
But the biggest threat for many is the unknown. Narelle Devine, CISO at the Department of Human Services, is responsible for sensitive data for critical Australian service delivery agencies including Centrelink, Medicare and Child Support. She’s more worried about the threats we’re yet to see than those she manages on a daily basis.
“Everything is moving so quickly but my biggest concern is that The Shadow Brokers are sitting on some clever stuff right now and just waiting to pull the trigger,” she says. “Some of the global attacks we’ve seen recently were really unsophisticated. What’s coming next?”
While there will always be new risks in the digital world, mitigating known areas of vulnerability is the first logical step. This means ensuring everybody knows to report an unsolicited email to IT when they receive one, rather than clicking on the link.
Download our industry report now for in-depth analysis of how to navigate the new cybersecurity threat landscape.