The press and internet are overwhelmed with news and views about Cybersecurity. From TalkTalk account details being leaked, to security breaches in Hollywood, and government surveillance speculation, threats seem to be everywhere. In the face of such information overload, people’s opinions polarise. Which camp do you favour? “It’ll never happen to me” or “secure everything now”? As with all extremes, the real threat lies between the two.
It probably will happen to you
For the ‘it’ll never happen to me’ crowd, don’t bet on it. Your data may not be a target for terrorists, or a hotbed of confidential information, but it has a value to someone: specifically, you. At the recent Thinking Digital Newcastle conference, security expert Mikko Hyppönen of F-Secure regaled us with tales of Trojans and Ransomware, invasive software that has been circulating in various forms since before the advent of the Internet. These things turned up on 5 ¼ inch floppy disks, if you can remember that far back.
Ransomware is a particularly interesting field. We all know someone who has had their data locked away after clicking on an unknown email link. If you don’t think you know someone, that’s because they haven’t mentioned it. It’s embarrassing. We are all told never to click on unknown links, to check their URL or verify the source of any email we’re not expecting, but the weak link is always the human factor. Ransomware works on the assumption that people will be unaware of the threat – and it works remarkably successfully. Ransoms are paid in Bitcoin, and the path of money sent to Bitcoin wallets is transparent enough to see the transactions. One such wallet showed €300 million of transactions in a single year. The criminals behind Ransomware take a commodity – data – and sell it back to the customer who values it most: you. That’s one heck of a business model.
Security relies on the weakest link
At the other end of scale, we have the people who focus on installing the latest and best security, fussing over the last detail of protection on their websites and systems, in the belief that these will always keep data safe. However, the weakest link is once again the human element. Changing passwords every month? People will be writing them down, you can bet on it. As long as these are kept safely locked away, that’s probably OK. However, don’t write this month’s password on the office whiteboard, which then appears in a publicity photograph. This has actually happened – fortunately it was spotted by a security consultant reading the magazine in which it appeared.
A large hosting company recently told me they had restored the systems of one client three times in a short period; the same employee had clicked on a link of unknown origin each time. Mikko Hyppönen told us of a Ukrainian power company whose systems were compromised and power generation halted by a Russian attack – which originated from an email click weeks earlier. However strong your system, the human risk is the unknown. Aim to minimse this by awareness and training, because humans will always find a way round artificial restrictions.
So, something is probably going to happen. A tired staff member may click on a carefully constructed fake link in the course of their work. Your website host may crash from a Denial of Service attack; according to Denise Zheng of CSIS, speaking at South by Southwest earlier this year, it costs only a few dollars to launch such an attack through dark web trading. There is a very real threat emerging, says Mikko Hyppönen, in poor economies where skilled programmers have no earning potential other than through cybercrime. How can you fight threats when the barriers are so low?
Simply put? Be prepared, be backed up – and don’t click.