Dr. Hugh Bradlow, Australian Academy of Technology and Engineering, shares his insights on the growing cybersecurity war, and how to manage risks and resilience in a world of unknowns.
My wife tutors English to Year 12 students and connects with her students via Facebook. Recently one of her ex-students contacted her to say that she had received a message ostensibly from my wife starting a conversation with her. At first I wondered whether my wife’s account had been hacked but then I discovered that this was a clever piece of social engineering. The attacker had created a fake profile in Facebook Messenger using my wife’s name and a picture of her scraped off the web. She had then started contacting people in my wife’s Facebook friends list (which by default is available to anyone on the web) pretending to be her. Fortunately the ex-student was sharp enough to detect that the conversation was out of kilter and alerted my wife.
Why is this relevant to cybersecurity? The point is that a very understandable mistake by my wife (not changing the default Facebook friends list setting) exposed her friends to ‘phishing attacks’. The attacker intended to lure people into clicking on a link which would have infected their computers and/or exposed their security credentials. While this attack was almost certainly done by a human (most likely a low-paid worker in a developing country), we can expect that in the future such attacks will be automated through the use of artificial intelligence, enabling them to be conducted on a massive scale.
Phishing is just one form of attack (although the most common) in a bewildering array of attacks that are possible in the cyberworld. The results can be devastating. In 2014, a gang managed to use phishing to load malware into the computers of bank employees and stole a billion dollars from 100 banks around the world.
90% of Australian businesses experience cyber attacks yet only 40% of businesses have implemented 6 out of the 8 ‘essential’ security measures recommended by the Australian Signals Directorate, according to the Canon Business Readiness Index 2018: Information Security.
So, can we win the cybersecurity war? The short answer is (to quote President Obama) “Yes we can”, but not by ignoring the problem.
Three-quarters of cybercrime is financially motivated. If you are a business you are a target, so you need to deny the criminals any opportunity.
So how can you protect your business?
Protect your environment and make allowances for the fact that human error (such as the example I gave above) is inevitable. Invest in people, processes and technology tools to protect the identities of your employees and the computers, smartphones and networks that you need to conduct your business. Have someone responsible for managing your cybersecurity, ensuring that you are up to date on the latest threat intelligence, that you are monitoring and logging all the activity on your network, that you are performing daily versioned backups (for example, to protect yourself against ransomware), that your employees are using two-factor authentication to access your systems and that your computer systems are up to date with the latest security patches.
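As an added example (not from the article, and not Canon Business Services’ or the Academy’s own tooling), here is a small POSIX shell script that implements the “daily versioned backup” the paragraph recommends: each run writes a new timestamped snapshot rather than overwriting the previous one, so a source directory that ransomware has encrypted cannot replace the last known-good copy, and only the newest few versions are retained. The directory layout, the retention count and the optional stamp argument are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the article: a minimal daily versioned backup.
# Each run creates a new timestamped snapshot of SRC under DEST instead of
# overwriting the last one, so an encrypted source cannot silently replace a
# good copy; snapshots beyond KEEP are pruned oldest-first. All paths,
# the retention count and the STAMP override are illustrative assumptions.
set -eu

# count_versions SRC DEST: number of snapshots of SRC currently kept in DEST.
count_versions() {
    n=$(basename "$1")
    ls -d "$2/$n".* 2>/dev/null | wc -l | tr -d ' '
}

# verify_backup SRC SNAP: exit 0 if the snapshot still matches SRC, 1 otherwise.
# A mismatch after the fact is a signal that the source changed (or was encrypted)
# since the snapshot was taken, which is exactly what a versioned copy protects against.
verify_backup() {
    diff -r "$1" "$2" >/dev/null 2>&1
}

# versioned_backup SRC DEST [KEEP] [STAMP]
# Copies directory SRC to DEST/<name>.<stamp>, makes the copied files read-only,
# prunes to KEEP versions and prints the snapshot path it created.
versioned_backup() {
    src=$1
    dest=$2
    keep=${3:-7}
    # A UTC timestamp in this form sorts lexically, so "sort" orders versions by age.
    stamp=${4:-$(date -u +%Y%m%dT%H%M%S)}
    name=$(basename "$src")
    snap="$dest/$name.$stamp"

    mkdir -p "$dest"
    cp -R "$src" "$snap"
    # Read-only files resist accidental edits by ordinary users; genuine
    # immutability against ransomware needs offline or object-locked storage,
    # which is beyond this example.
    find "$snap" -type f -exec chmod a-w {} +

    # Prune the oldest snapshots so that only KEEP versions remain.
    count=$(count_versions "$src" "$dest")
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls -d "$dest/$name".* | sort | head -n "$excess" | while read -r old; do
            rm -rf "$old"
        done
    fi
    printf '%s\n' "$snap"
}
```

Run it from a daily cron job as `versioned_backup /srv/accounts /backups 7`, and periodically call `verify_backup` against the newest snapshot; a verification failure right after a fresh backup means the copy job is broken, while a failure later means the source has changed and the older snapshots are the ones to restore from.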
If you don’t, the consequences can be an existential crisis for your business. For example, Equifax did not perform a timely update to one of its web server systems and managed to lose the personal details (including social security numbers) of 143 million customers.
It’s time to treat cybersecurity as a major business risk. If you can’t manage it yourself, find someone who can, like Canon Business Services.
Please join Dr Hugh Bradlow, President of The Australian Academy of Technology and Engineering, as he discusses how to manage cybersecurity threats in a world of unknowns at our upcoming webinar.