ASK ANY IT DEPARTMENT about the state of its defences and you will hear reassuring words that all is well. But that is unlikely to be true. Firewalls and malware protection packages are, at best, leaky and, at worst, transparent to the latest generation of attackers.
Even the biggest organisations are not safe – just look at Twitter. A quarter of a million users had their accounts compromised when emails, passwords, usernames and other data were stolen.
Those persisting in a DIY approach are most at risk; unaware while the unseen hand of spyware trawls through their files. It doesn’t do damage; it comes to gather information. It encourages the host to consume and use more, lulling it into a false sense of security.
Let’s put this into perspective: The lone hacker might be expending a few thousand pounds, while a gang of organised hackers would use tens of thousands, and criminal gangs spend a few million. However, rogue states come in at a much bigger spend, between £100m and £1bn. So, as a crude measure of your defences, just add up your entire company spend on cyber-crime protection. Then reflect on the huge imbalance and consider – is all well, and are you really safe?
A recent case involved The New York Times, which was invaded by over 40 species of malware with a suspected origin in China. A specialised company let the malware work for a month so it could identify all points of access. It then blocked all ports and repaired all infected machines. The NYT is now thought to be clean. But is it? I’d put money on the table that says it is not.
These attacks are difficult to detect, and they infuse networks with malware of different grades – some you can find and some can only be detected with massive resources. The bar has been raised even higher and the threat never sleeps.
So, where are we? First: no company can go it alone. They don’t have the people, technology or money to defend themselves against state-sponsored threats. And viruses are available on the internet for anyone wanting to do damage.
Second: the methods of the past cannot possibly work in the face of a growing bring-your-own-device culture and faster people, technology, product and market changes.
Third: IT departments are already overloaded. People are the biggest risk. The personal mobile phone, tablet and laptop present backdoors that are wide open. Leave a memory stick on a coffee shop table and it will be in someone’s pocket within 20 minutes and on the network within two hours. Far easier than breaching a firewall.
What to do? Get into the cloud fast. But be smart and go with multiple suppliers, internet service providers, devices, operating systems and apps. Compound this with multiple fixed, mobile and transient clouds. And create dirty clouds (public) and clean clouds (corporate). Encrypt all important files, parse and store on several unrelated servers in different physical locations. Employ a priori knowledge and use cryptic conversation styles. And beef up all access points beyond a password and a PIN.
Additionally, ask your IT department about URL hopping and anonymity software. Consider simple but cost-effective biometrics involving hand, eye, face, voice, typing, locations and habits. This isn’t rocket science, and it is far better than assuming the hackers have been held at bay.
The only recourse is to create large groups capable of developing sophisticated defences to counter the new enemies. Make it difficult for them through mobility and obscurity. Engage with the cloud and embrace multiple layers of protection. And don’t think for a moment you are safe. Assume that is not the case, and act accordingly. Remember – the primary aim of the new threat is not to do damage. It wants you to succeed so it can profit from your knowledge – it really is parasitic in every sense of the word.
Peter Cochrane is an IT consultant and former chief technologist at BT