Fighting against the unstoppable cyber crimewave
22 May 2019
Cybersecurity is something every business is aware of. But far from the caricatures of hoodie-wearing teenagers looking to make a quick buck, cybercrime is now an extremely well-funded sector that is often sponsored by governments and criminal organisations motivated by the promise of hefty returns.
From my past experience in cybersecurity, I have seen the growing trend towards cybercriminal organisations employing extremely gifted talents.
They include ex-members of the international intelligence community who, having often served nation-states, are able to turn their former training on its head in order to develop new ways to hack and disrupt systems for criminal purposes.
The truth about cybercrime
The unfortunate truth is that nation-state level technologies have now found their way into the open market – and are available to anyone with the drive and resources to pay for them.
For example, did you know the noise or heat of your laptop’s processor could give experts a way to infiltrate your business’ system?
This is known as a side-channel attack and is one of the alarmingly sophisticated and technical ways in which hackers are exploiting security vulnerabilities.
With no regulation surrounding cybercrime, this is just the tip of the iceberg for an industry that is able to innovate at an extremely fast rate.
So why has there been a shift from hobbyist hackers looking to cause mischief to organised cybercrime businesses?
The simple answer: data.
Whether it is customer data, valuable intellectual property or financial information, critical data is the jewel in every business’ crown. These “digital diamonds” offer a prize of enormous value.
With data being such a prized asset, it can be argued that no business can afford to be hacked. Multi-dimensional attacks, which target software and hardware, both on the endpoint and the server side, are increasingly part of the game.
Instead of going after one route of entry, determined criminals will simultaneously use a range of techniques to gain access to a system.
Without getting too technical, a few examples of the new types of attack being explored and used by cyber criminals include (but are not limited to) hardware attacks, side-channel attacks, insider threats (from employees who may be acting for criminal gain or under duress), as well as more familiar attacks such as phishing emails and cracking weak passwords.
There is a real problem around the disconnect between the reality of the threat that exists and the business world’s understanding of the extent of the threat.
Where’s the guidance for SMEs?
The issue is further exacerbated by a lack of guidance and of available tools that would let businesses take effective action to protect against and resolve cyber attacks. This needs to be addressed.
With regard to the last point in particular – the action taken to thwart cyber criminality – there is a massive need for an industry-wide overhaul around how everyone, from individuals to multi-nationals, tackles modern cyber threats.
Unfortunately, simply throwing money at the problem will no longer work as a way to resolve it. Even in large companies, which invest tremendous resources in cybersecurity, these issues still exist. And the reason? All current security systems are failing by design.
Attacks are getting increasingly sophisticated
Current security systems were created for a different online environment; one before data misuse was a profitable business that people would change careers to pursue.
They don’t take into account the changing nature and sophistication of attacks. And, maybe most importantly, they do not work together – you probably have one provider addressing your password protection, one for hardware authentication and another system completely for your cloud services – and the rest.
While application-specific security software may be evolving and improving to protect its niche, the capabilities of cyber attackers to exploit disconnects between the different cybersecurity solutions have far outstripped the barriers the solutions themselves impose.
What’s the solution?
So what can be done if even buying the best solutions on the market still doesn’t provide full security? We need to flip the model on its head and implement security by design.
The onus really is on my sector, the cybersecurity industry – from companies like mine right up to nation states – to develop a less siloed, comprehensive, holistic solution that covers all the modern IT components, across hardware and software.
A full solution, from keyboard to cloud, that keeps sensitive data safe without disrupting the usability of data.
This is no mean feat: to make a comprehensive system, the security industry needs to work together and rebuild the cybersecurity market from scratch, combining expertise from regulators, legislators, customers, and other companies.
We’re not there yet, but I hope that by explaining how cybersecurity could be approached differently, you can plan for the new era of cyber threats – because these new threats require a completely different way to thwart them.