Each security magazine, book or website that I read further lowers my morale with regard to the growing risks associated with cybercrime. Every employee or manager who sits in front of a computer screen should, nay must, now receive regular cyber security awareness training to inculcate a security culture throughout the organisation – in reality, not many do even though most breaches or attacks only succeed because of a human error.
According to recent statistics released by the UK government’s Department for Culture, Media and Sport, over 66% of large businesses in the UK have been subjected to a cyber attack or IT security breach in the past 12 months – I fear that the figure may be higher. In addition, the threat from insiders continues to grow apace – thus vetting and security background checks have never been more essential. Employees are now being offered hard cash to reveal company data and sensitive financial information or to implant malware directly into their employers’ operating systems.
Our company secrets and data are amongst the most precious jewels which we process. The loss of customer data fractures stakeholder confidence, destroys corporate reputations and makes the armchair criminals’ life far easier. Like all security systems, the protection of our IT networks and the data which sits upon them needs to be built upon a layered approach, like the skins of an onion, involving firewalls, software, middleware, training and awareness underpinned by simple procedures and clear processes to follow if an attack is underway or has just been discovered. Just put Daesh and active shooters aside for one moment: the most likely security risk to industry and commerce, at this point in time, is undoubtedly cybercrime.
And it is going to get worse. Someone explained to me last week that if the current internet equates in size to that of a golf ball, then the future ‘internet of things’ (IoT) will equate to the size of the moon. The IoT describes a new era of technologies which will enable the connectivity of billions of machines, systems and devices to the current internet, uncontrolled by human minds. This allows parts, individual components, machines and whole systems to exchange data and communicate with one another. This will have many benefits – reliability being one of them – where Health and Usage Monitoring Systems (HUMS) will quickly detect abnormal vibrations within a machine, predict a component failure and dispatch an engineer to fit a new component even before a breakdown occurs.
These IoT systems will include sensors and detection systems, data storage devices and, of most concern, command and control networks. The hacker community must be rubbing their hands in delight at the new fields of targets about to be exposed. The number of potential targets available will increase exponentially and the possibilities for them to wreak havoc will expand by an order of magnitude. One-man geeks in dark attics, organised crime syndicates working across international boundaries, state funded groups and terrorist cells alike are about to receive a huge boost to their electronic malfeasance capabilities.
In this near-time future, however, it is the potential to attack infrastructure systems which causes the greatest concern. Imagine the hacker who can infiltrate the Gatwick air traffic control (ATC) system and the chaos which he can cause. Meet the 17-year-old who likes to play with train sets – call the train set Network Rail’s signalling system and watch the disaster unfold. Greet the cyber terrorist who breaks into a chemical production plant’s safety control mechanism and causes a deadly cloud of chlorine gas to be released over a city centre. For those who are old enough to remember ‘Doomwatch’, then Professor Quist will be good for at least 2 more full series!
These are not fanciful or overly dramatic forecasts – they will become realistic scenarios in the short term and their effects can only be exacerbated by the advent of artificial intelligence where machines, not humans, will be making the decisions. There are 2 critical key points in time to note here. The first is the point of the achievement of ‘Artificial General Intelligence’ (AGI) where machines achieve human levels of intelligence. The second is the point of ‘Artificial Super Intelligence’ (ASI) where human intelligence is exceeded by a machine. Add these together and we have a simple formula of (IoT) × (ASI) = C².
There now needs to be what was called some years ago a ‘paradigm shift’ in resources, in policing, in sentencing and in attitudes towards protecting the IT systems upon which business, administration, infrastructure and civil order depend. Taking down a bank’s ‘hole in the wall’ cash dispensers will quickly lead to civil disorder if masses of people cannot get at their cash. Combine that scenario with attackers denying credit card payment technology and disorder will rapidly develop. We may believe our IT systems are robust – in reality, they are at most fragile and in many cases, they are brittle. Chairmen, board directors and non-executive directors all now need to start asking their CEOs and IT directors some very serious questions about their present levels of protection and the plans and investment needed to defend their organisation’s jewels and treasure in the future hostile electronic spectrum. If IT security is not a main board agenda item, then you have a serious problem which is about to become a whole lot worse.
As one recent United States Secretary of State for Defence put it, we are heading for a Cyber Pearl Harbour with our eyes wide open!
C = chaos by the way.
Jeff Little is an Associate of nStratagem.