Is emerging tech outpacing cyber security?
30 July 2019
Dr Guy Bunker, CTO at Clearswift,says that businesses need to be made aware of the dangers of adopting emerging tech which offers great value, but may not have the security features required to ensure their safe integration into a network.
Business digital transformation is happening quickly and we’ve already seen a quarter of large enterprises take up blockchain technology while 37% of businesses are using IT automation. A scramble for the latest tech has meant we’ve seen everything from AI to cloud tech and edge computing implemented wherever possible.
Of course, much of this early adoption has helped increase efficiency, profits and improved service in organisations but each new development brings a new threat, leaving forward-thinking firms wide-open to unexpected treats.
Hackers found a way around your anti-spam and anti-virus filters, so it is to be expected that they will also get around your new tech. We are seeing AI solutions being applied on everything from the office ‘smart fridge’ to workplace applications such as Skype, making the possibilities for exploitation seemingly endless.
The pressure on businesses to mitigate cyber threats has never been higher, but how is this done?
Also of interest: Why new cyber tech is not enough
“Know Your Threats”
Rather than rushing to implement every new technology available, it is vital that firms first assess the risks that come with them in order to avoid possible attacks. Consider what the new technology can access, such as critical networks, servers, applications, and files.
Progressively, firms are beginning to understand the problems associated with cloud-based storage and file sharing applications such as OneDrive and Dropbox. These applications are teaching firms that just because a file is coming from a trustworthy location, it is not necessarily safe.
Despite technology being in place to mitigate risks, it is becoming increasingly common for weaponised documents to be shared through a link in an email, or even on social media. Once the link is clicked and the malware is inside a system, it can transform itself, and be used to download new payloads using steganography to receive its instructions from anywhere which hosts innocuous looking images.
Organisations must ensure that any applications with access to their network have been thoroughly vetted to ensure they pose no threat from any of their requests for access. The issue is the ease of downloading apps.
Employees regularly download and install new apps, unwittingly granting access to everything from the device’s camera, microphone and contacts without the knowledge of the IT department. Once an app is installed, it is difficult to know what it is doing with the access you have granted it.
How would you know if the app you have downloaded is listening in to your surroundings, and selling your information on? An app could even take all of your business contacts and other critical information and upload it to the cloud without you being any the wiser.
Also of interest: Is it time for security to go back to basics?
“Watch every detail”
It is not enough to just assess the threat of an application or devices intended use. Organisations must continue to monitor new threats, such as published vulnerabilities (aka bugs) or unexpected side-effects.
Often overlooked are small IoT devices, despite them being frequently attached to the corporate network to upload or download information. If this, seemingly harmless, information is compromised, they can be repurposed to collect and send critical information. It is therefore vital to remember that all information is valuable to someone.
Recent breaches have exposed the vulnerabilities in even the most obscure pieces of IoT tech, such as the exposition of the exact location and perimeters of a top-secret US military base by a Strava fitness device. This breach could have had catastrophic consequences if it had it been an overnight base in a conflict zone.
However, malicious activity is not always initiated by an unsuspecting tech user who clicks a link or opens a file. As the recent AI-powered cyber-attacks identified by Darktrace against one of its customers showed, we can see disastrous consequences if AI is hacked by a malicious player. A customer used AI to observe and learn the patterns of user behaviour inside a network so that it could go on to mimic this and blend into the background so as not to be spotted by security tools.
Even the most trivial devices can pose a threat to the network as a whole. In another case, pirates hacked into IoT-enabled freights in order to access the larger network to steal bills of lading and identify the most valuable cargo aboard specific container ships. The data stored by any company using IoT is more extensive than ever, making the risk of hacks all the greater.
Also of interest: Five key considerations for CISOs that are easily overlooked
“Is it worth the risk?”
The nature of AI data security threats mean they are hard to predict, and therefore it is difficult to imagine the range of backdoors and loopholes we may see appear by integrating entirely new solutions into our business processes.
The exponential adoption of AI in business in the last few years means that now over 37% of businesses have embraced some function of AI. Of course, AI-augmented workplaces are propelling efficiency and decision making, and with the more data we collect, the more useful AI becomes.
However, the positive uses of AI are also matched by its exploitation by cybercriminals. Anticipating attacks on a data storage server and having solutions in place to mitigate it will not help if a firm’s own AI solution is manipulated and used to access and transfer data using its own permissions.
Another growing threat comes from the developments in ‘deep-fake’ video and audio. This development could theoretically see hackers send a seemingly authentic video directive from the CEO, deceiving employees into sharing critical information or paying a bill.
Even without deep-fake, fraudsters are already stealing large quantities of money. While firms are envisioning the value of emerging tech to their business, careful consideration is needed from the risks they will bring.
Also of interest: Is it time for the cyber security industry to grow up?
Regulatory bodies are unable to keep up with the speed tech is developing and changing at. Vigilance is therefore key. Existing audit abilities on laptops need duplicating on mobile devices. What apps have employees already freely downloaded and given permissions to?
It is possible for organisations to lock down the mobile devices they provide their employees, but it is potentially more dangerous to information security if employees start to bring their own devices. Personal devices would then be hidden from the IT department completely.
It is necessary to use virtually segregated networks and USB control software in order to protect organisations from IoT devices that might cause chaos, with no knowledge until it is too late.
Of course, there is no need for firms to run away from emerging tech. What is important is that organisations go above and beyond to be fully aware of the threats brought by emerging tech, and know how to mitigate them.
On a personal level, you could speak to your IT partners and solution providers about the potential dangers, and use their feedback to shape your decision making process. Being aware of threats is just as important as being optimistic about the solutions tech can bring.