TEISS Head of Consulting Jeremy Swinfen Green looks back at 2017 – and takes a peek into next year.
If 2016 was “the year of ransomware”, then 2017 was perhaps the year of cloud hacks.
We had data breaches in abundance of course. Nothing particularly new there although there were interesting features to some of them.
Equifax, the credit reporting agency, suffered a huge cybersecurity incident, affecting 143 million consumers in the US (well over half the adult population). The data of some 15 million UK customers was also reported as being compromised.
The hackers are thought to have stolen names, Social Security numbers, birth dates and addresses: information that taken together can be used to steal identities and set up fraudulent loans. The size of this hack together with the sensitivity of the data stolen makes this potentially one of the worst cyber security incidents in history, one that could devastate the lives of many people.
Quis custodiet… One of the world's biggest accountancy and consulting firms Deloitte was hit by a cyber attack.
The hackers seem to have stolen detailed information about the firm’s blue-chip clients, including usernames, passwords and personal details. Most damagingly confidential emails detailing private plans may also have been stolen from cloud based storage.
The attackers are said to have gained access via an administrator's account. IT administrators, especially in a firm that offers cyber security advice, really should be more careful.
Taxi app company Uber suffered an old fashioned hack on data held in the cloud. Data affecting 57 million customers and drivers worldwide including 2.7 million users in the UK, was stolen.
The interesting part of this story though is the way the company apparently kept the breach hidden, and even went so far as to pay a substantial sum to the hackers in exchange for them deleting the data. (I wonder if they did.) This behaviour will have done little to enhance the degree to which consumers, drivers and regulators (including Transport for London) trust the company.
Also of interest: The art of keeping mum
The cloud isn’t (totally) safe
Given the move to cloud computing over the past few years, perhaps it isn’t surprising that all three of the hacks described above involved access to data stored on cloud computing systems.
In another major incident, this time involving voter data, more than a terabyte of voter information involving nearly 200 million US voters was made publicly accessible to anyone on the web.
This wasn’t a hack. The data firm Deep Root Analytics hosted the database on an Amazon S3 server. Unfortunately they misconfigured it, proving that, however strong the security of software, if it is badly implemented then there are still huge risks.
At TEISS we don’t say “there’s no patch for stupidity”. But we do say “Recognise the risks that your employees, especially your IT staff, represent to your organisation. And make sure they are fully trained.”
Data: is it all it’s cracked up to be?
With GDPR looming ever closer, was it surprising that pub chain Wetherspoons decided to delete its entire customer database?
Following a security breach in 2015, when more than 650,000 emails were stolen, the pub chain decided to delete its entire customer email database and minimise the amount of personal data it collected. Instead Weatherspoons now directs customers to its website, where their competitions and special offers can be found
Overkill? Fear of GDPR fines? Or simply an acknowledgement that keeping customer data comes with costs and risks, and these can outweigh the benefits, especially when other communication channels are available?
After all, whoever went to Weatherspoons because of a special offer!
Getting the basic right
The Wannacry ransomware spread to 150 countries in hours and the UK was certainly not immune. As well as several large corporates, a few NHS hospitals were hit and suffered disruptions to their operations for many days.
A lot of commentators cried “foul”. This was a cynical attempt to hit unpatchable medical devices like CT scanners that were running ancient and unsupported software.
Except that wasn’t the case. The vast majority of devices affected by Wannacry were running Windows 7, a reasonably up-to-date and fully supported operating system.
The failure here was simply a failure to patch. If you don’t get the basics right, you will never be cyber secure.
Also of interest: 13 things to keep you safe
Is it war? Propaganda has been around for centuries. Now, under the name of “fake news” it seems to have been heralded as a new kind of cyber threat. Buying advertising, even misleading advertising, is hardly an act of war. Nor is making and spreading lies on social media.
Happily, fake news has pushed determining authenticity more firmly onto the cyber security agenda. And if DMARC’s email authentication come of age because of fake news then that surely is a good thing.
Also of interest: Easy ways to spot fake news
And our tips for 2018
There will be a lot more of the same next year. But we think there are a few special things to look out for in 2018.
The GDPR will come into force accompanies by a new Data Protection Act in the UK and a new ePrivacy directive across Europe. Expect panic in the spring and unscrupulous software companies taking advantage by hawking snake-oil compliance solutions
More and more companies will minimise the data they hold as they realise that the risks of holding it outweigh the rewards
Internet of Things
We’ll see continued attacks on IoT devices, in homes, offices and factories. Drones and autonomous vehicles will be singled out. The GDPR may force IoT device manufacturers to take greater care over security but in the meantime many systems will remain vulnerable. Terrorists and state actors will target critical infrastructure. A hapless family will be locked out of their home as their online security system is hacked.
Machine learning will be used by attackers to deliver more and better phishing attacks. At the moment it can be hard work gaining the intelligence to game senior executives. Expect AI to make this easier with big data being used to create false narratives that deliver successful confidence tricks.
On the upside we’ll see the good guys using AI more and more to identify and close down threats before incidents happen.
A major successful attack on one or more crypt-currencies will cripple it, damaging or even destroying confidence in a commodities market that is underpinned by no real value.
Millennials will continue to be addicted to social media, with all the dangers it represents. Savvy teens will focus more on one-to-one and one-to-few messaging apps instead. And older folk will simply get bored, deserting Twitter and Facebook in favour of healthier activities such as drinking red wine.
A Happy Christmas to everyone, and keep safe online.
Jeremy Swinfen Green is Head of Training and Consulting at TEISS. He has worked as a digital strategist for over 20 years. His latest book The weakest link (Bloomsbury Press, 2016) explains why employees are a threat to cyber security
Software image under licence from iStockPhoto.com