18/05/2017 03:56 SAST | Updated 18/05/2017 03:56 SAST

Cyber Security Is A People Problem

The low level of security awareness among the public carries over into the enterprise, and businesses are faced with the task of educating their workforces on an ongoing basis.

A hooded man holds a laptop computer as cyber code is projected on him in this illustration.
Kacper Pempel / Reuters

Cyber-crime is a big business - estimated to cost over $3 trillion (R40 trillion) annually across the globe, according to cyber-security firm Fortinet. And threats from increasingly sophisticated criminals are becoming more severe. The WannaCry (aka WannaCrypt) ransomware attack that has infected PCs in over 150 countries since Friday, 12 May is testament to the escalating nature of threats - both in terms of the scale of the attack as well as the speed at which it spread. It had hit 74 countries within hours of its release and was estimated to be spreading, at one point, at around 5 million emails per hour.

WannaCry encrypts all the files on an infected machine and threatens to destroy them unless a ransom of hundreds of dollars is paid in Bitcoin. Compounding the problem is the lack of security skills and expertise. Market research and analysis firm Frost & Sullivan estimates the shortfall will be as much as 1.5 million skilled people by 2020. For businesses this means they need to commit increased resources to keeping up to date with the changing threat vectors, keeping their infrastructures patched and secure, and educating both employees and consumers on how to keep their data protected.

Several key trends have emerged for 2017 that enterprises should be paying particular attention to:

Ransomware, DDoS & IoT device attacks

IT security company ESET is predicting an uptick in ransomware attacks, distributed denial-of-service (DDoS) attacks and attacks against Internet of Things (IoT) devices. IoT devices pose a particular threat as they are frequently unsecured and still use the default password they shipped with. This makes them easy to conscript into DDoS attacks, which have grown in scale and scope to frightening proportions - as in the Mirai botnet attack against DNS provider Dyn late last year, which was built from compromised IoT devices and disrupted the internet across Europe and America.

For enterprises, this will increasingly become a problem as they seek to secure these devices, which are showing up in everything from smart TVs and cameras to medical devices and air-conditioners. Ransomware threats have also escalated, as evidenced by the WannaCrypt attack, which has affected, amongst others, the UK's National Health Service, Spanish telco Telefonica and FedEx. Organisations, public and private, in over 150 countries have fallen victim to the attack so far; it holds affected PCs for ransom for roughly $300 worth of Bitcoin per PC.

Ransomware, a malicious program that locks down files and data in order to extort money, is particularly associated with the healthcare industry, according to Fortinet's research, with a prevalence rate of 47 percent over other industry sectors.

Hacks and leaks of private information

Following several high-profile information leaks, and if recent history is anything to go by, hacking and data leaks are set to escalate. In 2016, LinkedIn's systems were hacked and some 117 million records stolen, Tumblr leaked 65 million accounts, while a MySpace hack saw 427 million accounts leaked. As attackers get smarter, the average person on the street is still relatively uninformed about how to protect themselves and their information from criminals who seek to exploit it for commercial gain. This low level of security awareness takes itself into the enterprise, where businesses are faced with the task of educating their workforces on an ongoing basis.

Businesses also need to engage customers to teach them how to keep personal data safe and not fall prey to phishing attacks, in which criminals spoof company communications to steal private data. Phishing is still used very effectively to compromise corporate networks too. ESET suggests cyber-security education needs to take place across all sectors of society - from primary through tertiary education, at a governmental level and throughout the private sector.

Legislation and regulation

One of the challenges for governments and regulators is that legislation and regulation aren't keeping up with the rapid pace of change in the cyber-security sphere. Additionally, there are costs associated with compliance, and organisations may choose, or only be able, to do the minimum needed to avoid falling foul of legal or regulatory requirements.

The Cybercrimes and Cybersecurity Bill aims to improve South Africa's cyber-security posture and assist in dealing more effectively with cyber-security threats. The Bill is deeply flawed, however, highlighting a further challenge - the need for lawmakers and policymakers who have deep insight into how the online world works, how cybercrime works, and how to effectively respond without curtailing basic freedoms.

It's a people thing

The common thread in all of these trends is people - the cyber-criminals themselves, the people who use ICTs, the people who develop laws and policies, the people who may or may not be aware, educated or compliant with company policy and procedures, and the shortage of people with desperately needed security expertise. While technologies like machine learning can certainly help to mitigate some of the skills problem, and the human error problem, cyber-security is ultimately a people problem. And companies that aim to tackle it effectively need to target more of their efforts in that direction.