With the continued growth and spread of computing, we are close to seeing an increase from around 5 billion users online to 7 billion, as well as 50 billion ‘things’.
In such a world, how do businesses and people ensure their things and data are safe from those of evil intent, when they see today’s high profile, global security breaches accelerating?
At the very least we have to question whether we are adopting the right security approach in an increasingly online world.
The recent Heartbleed attack is one example of the simple flaws in current security systems, as it went undetected for over two years.
Government statistics have shown that whilst ‘detected’ cyber security breaches may have declined in 2014, we have no idea or quantification of what went ‘undetected’.
At modest estimate, the cost of these ‘detected’ security breaches has almost doubled, with hackers becoming evermore sophisticated.
On another level, corporate espionage remains another growing and largely invisible threat. Its power to ruin businesses is highlighted by a series of shocking case studies, including the collapse of telecoms giant Nortel in 2012 after it was breeched at the highest level.
These are just a few of the powerful reminders of the many constant threats pervading the world of bits and bytes. They also suggest that businesses need to think differently about cyber security in order to tighten their defences and get a step ahead of the ‘dark side’.
Businesses can no longer stop hackers from entering their networks and systems with a fortress-like approach – firewalls and malware protection don’t work. It’s time they accepted that today’s naive, passive and retrospective approaches have to be replaced by systems more akin to a biological ‘auto-immune’ system.
Static ‘watch and detect’ has to be replaced by ‘patrol-find-isolate’. Just like white-blood cells provide humans with auto-immunity to incoming infection on a distributed basis, the same strategy is needed for networks and systems subject to malware and other forms of attack.
The fear of cyber attacks is not just about internal damage and inconvenience; devastating breaches of sensitive information almost always lead to reputational damage and major embarrassment.
This has created an almost secretive state of mind – by failing to share information and experience, corporations always remain a step behind the hackers.
Companies and institutions have to share, to learn from each other, to gain insights into prevailing attacks and engineered solutions. In short: the need to share trumps the need to know.
The basic name-password-PIN combination does not work. It is a very weak and easily broken protocol. With growing numbers choosing to bank and make expensive purchases online, we need something much stronger.
So what if we could use information that is specific to each individual user? Something based purely on very personally experiences? For example, a sequence of pictures that the user would recognise but others would not, the line of a poem written by a loved one, or a shared catchphrase.
When working with sensitive information, it seems foolish that we would consider storing it all in one place. When trying to a hide a needle, where better than in a needle stack?
Cloud computing provides this capability. By splitting up sensitive data and storing it on separate clouds provided by different vendors, it becomes virtually impossible for a hacker to find all of it, and even harder to piece it back together.
With vastly more degrees of freedom on the internet of today, networks of clouds and cloud computing is inherently more secure. This is further amplified by the myriad of different types of clouds that include corporate, institutional, government, private, personal, public, local, regional, national, open, closed, visible, invisible, et al.
Comparing this to the basic password protection and data storage on work or home computers, it seems a no-brainer that businesses and people should use cloud technology to cover our tracks.
So much of modern communication takes place online, particularly over Wi-Fi networks. This leaves businesses open to interception as hackers only have one channel to focus on.
However, by periodically coming offline and using many another channels, for instance 3G and 4G, or more focused device-to-device BlueTooth exchanges of information, they can go virtually undetected.
Furthermore, it may take time for organisations to begin revealing less online or communicating undisclosed messages in a more cryptic way. As it stands, we are leaving the doors wide open to interception and espionage.
When dealing with criminals, online governments have a tendency to engage in point-scoring tactics, where gains and motives are made public.
This is a self-defeating approach, as being open about operations involved in stopping web-based crime poses the threat of pushing cyber-criminal gangs further underground.
If governments truly want to safeguard their citizens and stop these people, they have to move away from politically motivated campaigns and be stealthy and quiet in their response. Quiet observation will yield greater results than operations used to beat the publicity drum.
Overall, businesses need to refocus their tactics and adopt a different mindset towards cyber security to combat the new breed of intelligent and strategic hacker.
They must auto-immunise their networks, devices, hardware and software against attack. They must share what they learn about security threats, not become red-faced and cover up useful information.
Communication should be both online and offline, and data should be stored in multiple locations in order to make interception virtually impossible. Finally, when seeking to stop cybercrime, scare tactics don’t work – furtiveness does.
If businesses come together to make these basic changes to the way they work and store information, they can start to redress the balance in their favour – instead of handing it on a plate to the dark side.
Sourced from Peter Cochrane, chairman and CEO of Cochrane Associates, and founding partner at Formicio