Technological advances put business data at greater risk
Cyber Security
From computer chips in our bodies to smart fridges, criminals are targeting technology, says Mark Johnson, a CISI cybercrime trainer and CEO of The Risk Management Group.
How can cyber criminals target the technology that improves our lives?
We all use technology, but many people do not understand how their devices work or the potential security threats. Even wearables to help with our fitness or technology that will be implanted into the body to improve our health are computers that can be targeted by hackers. Data could be stolen in the same way it is taken from a desktop computer or smartphone.
Cyber security is an important issue for businesses because it affects the entire organisation. Protection becomes more complex when employees are connecting the different devices they are using at home and work. The Internet of Things means connecting various devices which all carry sensitive data.
Other threats to businesses include ransomware, where companies are told to pay to decrypt hacked data or to stop the publication of embarrassing information, the practice known as ‘Doxing’.
Organisations also need a better understanding of the Dark Net where stolen data, including intellectual property and other commercial secrets, is traded by criminals.
Can you expand on how technology worn on and in the body puts businesses at risk?
We are seeing great advances in biomedical science where computer chips are implanted into the human body to repair damaged organs and to help people who are paralysed. Yet the personal and security information held on future generations of these devices could be stolen, or the devices could be hacked – ransomware within the body.
There are already millions of wearables being used, such as fitness bands and smartwatches, and these are transferring sensitive data about individuals and businesses. The information is often not encrypted or adequately protected and, if the devices are connected to smartphones, data is being transferred wirelessly.
Companies should check their internet security is tough enough and that employees are aware of the potential dangers.
What about the risks around other technological advances that businesses might invest in?
There are a number of potential security risks around delivery drones, for instance. We are already seeing these machines being trialled by Amazon but there are risks because criminals can bring the drones down using blocking software, or simply by hanging a rope net beneath an interceptor drone. Products could be lost and consumer trust and the brand’s image seriously damaged. Customer data could also be stolen. In future we might see medical supplies being delivered by drones containing confidential and sensitive information.
Businesses and consumers should also be worried about what information is stored in vehicles. Car connectivity will be big business and should make driving more pleasurable and economical. However, many of a car’s electrical components are connected via an internal network which could be hacked. There is also the risk that hackers could take control of driverless cars.
If someone takes a company car into a garage and some of the components are connected to the driver’s smartphone there is also a risk data synched with the car could be stolen. Someone working at the garage might have been bribed to steal information.
Businesses need to understand their data footprint – where all their data is – and ensure their data protection policies are robust. There should also be standard protection, such as firewalls and anti-virus, in place in car computer systems.
What about the Internet of Things?
Businesses need to remember that their cyber security must go where the data goes. The Internet of Things is where different physical ‘smart’ devices are connected and embedded with software, analytic tools and sensors, all of which can be targeted by hackers. This is already happening.
If people have an extended computer network there are potential security risks. For example, if an employee’s work laptop is connected to the same home Wi-Fi as their smart fridge, or their car and smartphone are linked, there could be many security holes to plug. With a growing number of suppliers providing these various devices it is difficult to maintain basic security standards.
Cloud computing is the platform for the Internet of Things so businesses must ensure the employee’s cloud provider has robust data security procedures in place.
Many people have heard about the Dark Net. What is it and how should businesses react to it?
Businesses’ websites sit on the open web so everyone can see them, but dark net sites use anonymising software which hides the user’s IP address.
The Dark Net is the marketplace where stolen business data is sold. This includes intellectual property and codes enabling hackers to access sensitive data. One of the most famous dark net marketplaces to be closed down by the FBI was Silk Road. Companies should monitor the dark net marketplace for signs of data breaches.
Ultimately corporations cannot stop dark net marketplaces but they need to know if their data is being offered for sale.
What other threats should businesses be aware of?
The number of ransomware attacks where hackers encrypt corporate computer files and charge businesses a fee to release them rose significantly last year. This has been a profitable class of malware for criminals who send an organisation a message demanding money to decrypt their data. Yet in recent months companies have started to fight back by refusing to pay a ransom. Instead they back up their important data.
If no-one pays the hackers the threat diminishes. However, we have seen the initial threat replaced in part by Ransomware Doxing. This is where criminals simultaneously steal and encrypt a victim’s data and then threaten to publish any embarrassing information they have found. They typically demand a ransom payment in bitcoin.
So how important is it that businesses invest in cyber security and receive training on the risks?
There is not only a financial implication if company data is stolen. The brand will be damaged and customers will become less willing to share their personal information if trust is lost. Organisations are only as strong as their weakest link.
Look at The Panama Papers debacle. This was one of the biggest online data hacks where the criminals targeted the computers of a small Panamanian law firm and stole sensitive financial data belonging to dozens of world leaders. Again, when data moves, security must move with it.
Companies should consider sending their executives on relevant training courses, many of which are held in partnership with the police.
The Chartered Institute for Securities & Investment (CISI) is the professional body of choice for professionals in capital markets, corporate finance, compliance, risk, financial planning, Islamic finance, operations and wealth management in the UK and in a growing number of major financial centres globally. Formed in 1992 by London Stock Exchange practitioners, the CISI has a global community of more than 40,000 members in 116 countries and last year more than 40,000 CISI exams were sat in 80 countries.
The Institute’s mission is to set standards of professional excellence and integrity for the securities, investment, wealth and financial planning professionals, providing qualifications and promoting the highest level of competence to its members, other individuals and firms.