In today’s connected world, it’s not a question of if, but when, a cyberattack will happen – and the costs can be huge. Cyber security solutions firm McAfee estimated the cost of global cybercrime in 2017 as $600 billion.
Cybercrime is a sophisticated business that has been evolving rapidly over the past 40 years.
In the Eighties, hackers were either a ‘hobbyist’, hoping to get free long-distance phone calls, or spies stealing trade secrets, according to the author and cybersecurity researcher Dr Victoria Baines.
Nowadays, cybercrime is operating like a business, with processes and specialized roles for the key players in an underground data economy.
And we’re in a world where anyone who owns a computing device and is on social media can be at the mercy of social scams and state-sponsored attacks.
But in the fight against cyberthreats, being forewarned is being forearmed. And there is plenty organizations can do to protect themselves.
These are the biggest threats facing individuals and organizations today, as well as what to do to counter them, according to a panel of experts gathered at the latest Spark Salon, a Tata Consultancy Services (TCS) initiative to showcase the role of innovation and technology in helping create a sustainable world.
Dr Baines, Peter Apps, Global Affairs Commentator at Reuters, Rosie Slater-Carr, Chief Information Officer at British Red Cross, and Peter Bagnall, security specialist and Interaction Architect at global safety science company UL, gathered in London to discuss Cybercrime to cyberterrorism: security in the fourth industrial revolution.
1. Cybercrime is getting more complex
The past decade has been characterised by what Dr Baines refers to as “cybercrime becoming social” – something that everyone can unwittingly be a part of.
“We are the recipients and vectors of social scams, but also, crucially, state-sponsored activities,” she says.
“When we share fake news or disinformation, effectively, we’re getting involved in activities that only spies were in the Eighties.”
It’s becoming harder for law-enforcement agencies to work out who the criminals involved are, and to follow the breadcrumb trail back to their paymaster.
While law enforcers can only react to attacks, rather than being able to pre-empt them, continued vigilance will be key in the fight against complex cybercrime for individuals and organizations alike.
Peter Apps adds that cyber has become a weapon of war. While power structures have been battling each other throughout history, cyber gives states new ways of interfering with critical infrastructure and supply chains.
“Nation state power structures have dictated warfare and conflict for hundreds of years. Now, big tech companies are able to influence the decisions of governments as independent, non-representative actors, causing fundamental changes in global and local power structures,” Apps says.
2. Cyber physical convergence
The WannaCry ransomware attack on the UK’s health service in 2017 is the most obvious example of how people’s health was literally in the hands of cybercriminals. Some 19,000 NHS appointments, procedures and operations were affected or cancelled. And this rapidly evolving type of attack can also be used to manipulate critical infrastructure, such as power stations and water supplies.
But for Dr Baines it’s more personal than that.
She’s on a mission to make people aware that Internet of Things (IOT) security is not abstract and we can take simple measures to ensure we protect our bodies from cyber threats.
After a triple heart bypass in his 30s, in his 60s her dad was fitted with a subcutaneous pacemaker defibrillator that was connected via a base station to his home router and could report back to the hospital with data on his heart health.
“He said, ‘It’s brilliant, this thing is keeping me alive’, but in the same conversation, he said the computer had been running a bit slowly ever since the grandkids downloaded some games.”
It rang alarm bells for Dr Baines, but the solution was simple: “He had to update the antivirus software on his computer in order to protect the thing that was inside him keeping him healthy.”
We also have to remember that the most important aspect of the WannaCry attack on the NHS, says Apps, was that the NHS was never the original target, but they became one because their IT systems hadn’t been properly patched.
3. The issue of trust - are our devices secure?
The safety of our children is paramount, so when using a connected baby monitor, which has the express purpose of reassuring parents about their child, you’d expect it to be secure.
But no, says Peter Bagnall. “We can’t really trust in how secure these devices are yet.”
He gives the example of a couple whose internet-connected baby monitor was hacked, so that the hacker could not only see the live footage of their child, but could also access the audio channel to scare the parents by saying they were in the baby’s room.
Bagnall suggests we need more regulation for devices and “a mark that says this device has been built with security best practice in mind”, in the same way that building work gets a stamp of safety approval.
4. Balancing the importance of digital transformation with data security
In the era of Business 4.0, every organization, from multibillion-dollar firms to charities, has had to go through a digital transformation of some kind, and each comes with growing pains, of which data protection is a big one.
But how can we ensure our own and our customers’ data is safe?
Bagnall takes the extreme example of DNA testing kits – and the databases of the companies that sell them holding your genetic makeup, which could be used by insurance companies and even the police.
He says the answer lies in how we regulate the protection of data, much like with the safety of devices, by having a mark that says, ‘No data shall leave this device’. For a service, this could be a guarantee that data is not going to be shared with third parties.
“Put these marks on so that people can clearly see the guarantees in a way they understand – if you use these marks, you do so under licence. We don’t need governments to do anything, we can do it through contract law.”
5. The digital divide – how can we keep everyone safe?
As Rosie Slater-Carr points out, there is a digital divide between those who can afford cybersecurity measures and those who cannot, as much as between those who understand tech and those who don’t.
“We need to make sure we’re taking everyone with us in our journey around cyber,” she says. “That we’re not making the digital divide worse by some of the current spending and thinking on cybersecurity.”
For the British Red Cross, some of the data they have can literally be life or death for vulnerable people in places of conflict. “If you are running from a conflict zone and have lost touch with your family, then we will help you find them. But it’s important that other people don’t get hold of that data.”
In addition, there is a perception charitable organizations won’t be targeted. As Slater-Carr adds: “The national cybersecurity centre report pointed out charities in the UK and abroad are particularly vulnerable. Part of that is because we don’t believe we would be and that we don’t have the vast budgets to spend on cybersecurity. And we’re a large charity – small charities have even less.”
“The cost of digital transformation is being put up for all of us because of the increased risks of cyber.”
There are both short-term and long-term, simple and complex solutions that individuals, organizations, industry leaders and governments need to consider.
Technology is not the answer, either, as Baines explains: “We’ve been saying that we can solve a societal problem, which is crime, espionage, terrorism with the technical silver bullet. But what we’ve seen over the past few years is it’s not enough. We need to put the people, the end users, back into the holy trinity – people, process and technology.”
Cybersecurity is not an issue for the state or for governments to tackle alone – it’s something we can all take steps to improve.