From hackers to unencrypted smartphones and the spectre of full-scale cyber warfare, the future of data security is set to be a complex one that will affect us all.
What is the future of data security?
The question is both naïve and unfathomable. Asking the question in the first place means being ignorant of the reality that the battle between victims and those who threaten us is a never-ending one. There will never be a full stop.
The World Economic Forum named cyberattacks one of the greatest threats to businesses and ranked them as a higher risk than terrorist attacks, explained Theresa Payton, who was CIO for the White House during the Bush administration from 2006 to 2008 and is now one of America’s leading cybersecurity experts and CEO of Fortalice Solutions. “The world’s leaders know that attacks on private sector companies will damage a country’s economic wellbeing,” she said.
In February 2016, US president Barack Obama gained Capitol Hill support for a budget increase of $5bn in additional cybersecurity spending. This brings the cybersecurity budget to $19bn in 2017 for the US government. “President Obama said that data breaches and cybercrime are, ‘among the most urgent dangers to America’s economic and national security’,” explained Payton.
“Up until recently, most data breaches did not result in a long-term financial impact on the victim. Once the victim cleaned up the breach and accounted for expenses, usually stock prices or market reputation returned to previous levels. The status quo will change and the financial impact going forward is very real and morphing with today’s threats,” she warned.
Payton cited IBM’s latest study, which revealed the average cost of a breach rose to $3.8m in 2015. A recent study by SkyHigh Networks asked companies if they would pay cyber-criminals in the event of a ransomware attack and almost 25pc said yes, and 14pc of those said they would pay more than $1m to get their data back.
Under constant threat
Terry Greer-King, the director of cybersecurity at Cisco UK and Ireland, revealed that there are 3bn Google searches daily and 19.7bn threats detected in the wild every day. The tech sector is trying to pare down the current industry benchmark for threat detection but, at the moment, the bad guys have an average of 100 days to do their worst before a threat is discovered. Considering that the world in 2030 may have 500bn connected devices through the evolution of the internet of things (IoT), the threats are only going to skyrocket.
“We are now in the realm of shadow IT where the internet and devices from fridges to phones and thermostats are all connected to clouds of clouds, and organisations don’t know what apps employees are downloading, and businesses are buying services without talking to IT,” said Greer-King. “The truth is IT can’t control any bit of technology anymore.”
Paraphrasing Cisco chairman John Chambers, Greer-King added: “There are only two organisations in the world today: those that have been hacked and those that don’t know they’ve been hacked.”
According to Cisco’s Annual Security Report for 2016, cyberattacks continue to be a profitable business for cyber-criminals, who are refining the way they attack back-end infrastructure.
Last year, Cisco, with the help of Level 3 Threat Research and Limestone Networks, identified the largest Angler exploit kit operation in the US, which targeted 90,000 victims every day and generated tens of millions of dollars a year by demanding ransoms from victims. Cisco estimates that, currently, 9,515 users in the US are paying ransoms every month, amounting to an annual revenue of $34m for certain cybercrime gangs.
The public face of a breach
Greer-King explained that 60pc of the “bad stuff” occurs within the first few hours of an attack happening, when the cyber-thieves gain access to a company system and accounts get stolen or compromised. But remember, the industry average for detecting a breach is 100 days, long after this damage has been done.
At the rate at which attacks are accelerating, it is going to be a case of when, and not if, an organisation’s capacity for crisis management will be tested. How an organisation reacts in the first 48 hours of detecting an attack or breach will be revealing, not only for customers, but employees and shareholders alike.
“It is like that old military analogy: even the best-laid plans fall apart after the first five minutes of contact. Cool heads are important and, unless people are tested and attacks are simulated, you will never know what is going to happen in the heat of the moment,” said Kris McConkey, PwC’s partner-in-charge of cybersecurity.
Evidently, the march of technology is creating chaos for CIOs and CSOs to keep on top of, but the narrative is changing. CEOs and boards are now the fall guys rather than IT professionals. McConkey posited that cyberattacks are now a boardroom issue, citing the high-profile attack on TalkTalk’s servers last year.
“In the UK, breaches like [the TalkTalk breach] have seen the CEOs of companies suddenly propelled onto [current affairs show] Newsnight and radio shows,” said McConkey. “This was a seminal moment because it made boards realise that breaches are no longer something that can be offloaded to the chief security officer, but it is actually the boards themselves that are on the spot when things can go wrong.”
You are the weakest link
Ultimately, the triggers for the biggest attacks and vulnerabilities are people. No matter what elaborate security defences are put in place, Accenture’s Bill Phelps explained that it is people – AKA the ‘wet firewall’ – who let the intruders in.
“There were con artists long before technology was ever on the scene,” said the managing director and global lead for Accenture Security, who traces a natural evolution from this to the infamous emails from Nigerian royalty and, today, to social media, where users try to persuade others to transfer money. “Today, we are seeing mid-level executives being conned into allowing the bad people in using phishing attacks.”
Even senior US government officials who ought to have been at the pinnacle of awareness and protection – such as the head of the CIA, John Brennan – were compromised and embarrassed by amateur hackers. Individuals, as well as businesses, need to be street smart, but also realise they can’t protect everything.
“The battle space is so vast and takes in every person and organisation,” said Phelps. “There are criminal gangs out to steal your information or credit card numbers. Organisations are staving off industrial espionage and front-running trading. There are attacks on banks just to understand M&A activity, and all of this is very specialised.”
And yet, all of the sophisticated defences in the world can still be undermined by a human weakness, like falling prey to a spear-phishing attack.
“It is an asymmetrical problem in which the defender has to close every loophole, but the attacker has to only find one way in. 100pc defence is impossible, but it is good to constantly test yourself against mock adversaries.”
The devil is in the data
Mark Hughes, president of BT Security, said he believes organisations need to prioritise what it is they are trying to defend rather than locking down everything. He warned that the era of security beyond the firewall will require granular controls and privileges that define who can do what with the data and where they can go with it.
“We are at a juncture where there is only a nuanced understanding of the differences between sophisticated and unsophisticated attacks,” he said. “Organisations are often so busy trying to protect against mainstream, everyday malicious activity that they are unprepared for the more sophisticated targeted attacks.”
The head of enterprise at Dropbox, Ross Piper, is responsible for driving the US company’s growth in the enterprise market, building on its presence in 97pc of Fortune 500 companies. Like Hughes, he believes the perimeter is no longer the defensible part of the network. It’s all about the data.
Cloud services like Dropbox allow everyone from small teams of creators right up to thousands of individuals in a corporation to collaborate and share data on any device. In the past, this would have given a CEO or CIO a heart attack, but the productivity benefits and the inherent security to protect data in the cloud have evolved in ways that could frustrate attackers.
“If you take a 400MB video as an example. What we do when a user saves that into Dropbox is we actually break that into a hundred 4MB file blocks. Each of those file blocks is individually encrypted. They are stored at random within the storage service with 1bn new files per day. Imagine 1bn files – that’s well more than 10bn file blocks,” Piper explained.
To illicitly access a specific file on this service, a hacker would have to get through the encryption tunnels, find the right 100 4MB blocks amongst tens of millions of file blocks saved that day, and individually decrypt each one of them. This intelligent breaking up and sequencing of blocks of data represents the future of security in the cloud.
“This is a precursor to a fundamental shift in security models that we’ve been talking about for decades but which is finally coming to fruition,” said Piper.
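The block scheme Piper describes, sketched as an added example that is not Dropbox's code and not part of the original article: a file is cut into fixed-size blocks, each block is sealed on its own and filed under a random ID, and only a separate manifest can put the file back together. The use of AES-256-GCM, one key per block, the in-memory map standing in for the storage service, and the names `Ref`, `Store` and `Fetch` are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Ref struct{ ID, Key, Nonce []byte } // manifest entry for one stored block

// gcm returns AES-256-GCM for one block key; Store only ever makes 32-byte keys.
func gcm(key []byte) cipher.AEAD {
	c, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(c)
	return g
}

// Store seals each size-byte block (size > 0) under a fresh key and random ID.
func Store(data []byte, size int, store map[string][]byte) (manifest []Ref) {
	for r := bytes.NewBuffer(data); r.Len() > 0; {
		buf := make([]byte, 60) // 16-byte ID, 32-byte key, 12-byte nonce
		if _, err := rand.Read(buf); err != nil {
			panic(err) // never fall back to predictable keys
		}
		ref := Ref{buf[:16], buf[16:48], buf[48:]}
		store[string(ref.ID)] = gcm(ref.Key).Seal(nil, ref.Nonce, r.Next(size), nil)
		manifest = append(manifest, ref)
	}
	return manifest
}

// Fetch rebuilds the file; a missing or altered block fails GCM authentication.
func Fetch(manifest []Ref, store map[string][]byte) ([]byte, error) {
	var out []byte
	for i, ref := range manifest {
		pt, err := gcm(ref.Key).Open(nil, ref.Nonce, store[string(ref.ID)], nil)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	m := Store(make([]byte, 10<<20), 4<<20, map[string][]byte{}) // constructed 10MB input
	fmt.Println(len(m), "blocks in manifest")
}
```

In this sketch the manifest is the sensitive object: the store holds only unlabelled ciphertext, so access control and auditing belong on whatever holds the manifests and keys.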
Protection vs privacy
It’s not just the growth of data that concerns security professionals and consumers, but the growth of data-collecting devices. “More devices will simply mean more ways to attack. Nothing is going to be safe,” said Cisco’s Greer-King. “There will be sensors everywhere to collect data, connect cities and ultimately change the way the world operates. But not every data point, not every sensor, will have a firewall.”
With the advent of IoT and machine-to-machine (M2M) technology, threats against seemingly harmless consumer and industrial devices are already accelerating. According to PwC, the number of attacks on embedded IoT devices among companies it surveyed increased 152pc in 2015, yet only 36pc of these companies had a security strategy for IoT.
Dr Dirk Pesch heads up the Nimbus Centre at Cork Institute of Technology, where more than 80 researchers are working on the future of the internet of things. He believes the Stuxnet attack on industrial SCADA control systems in nuclear plants foreshadowed the world that is to come, but instead of factories and utilities being attacked, it will be the systems we invite into our homes.
Pesch offered the example of remote meter readings, where an M2M device with a SIM sends your data to the electricity or water company. “If hackers know what they are doing and can breach the system, it won’t take long for an attacker to know if your house is occupied or not,” he said.
“We have smart TVs that we didn’t realise had microphones built in. They are invisible to us and we don’t know who captures this data and what it is being used for. There are huge issues of privacy ahead.”
How the information stored on the multitude of personal devices set to occupy our homes in the future will be treated could well be defined by the outcome of the present legal wrangle between Apple, the FBI and the US Department of Justice. The San Bernardino iPhone case could be the defining issue of our age, technologically and personally, but former White House CIO Payton said the issue may not be resolved to the satisfaction of Silicon Valley.
“This is historic. The decision that comes out of this ultimately decides how we fight terrorism in this country,” she said.
Payton said she thinks it is important to note that other industries compelled by a court order to produce records have implemented methods of compliance. “The banks had to create processes and systems to respond to anti-money laundering requests and more. The phone companies have had to create ways to respond,” she explained.
While Apple CEO Tim Cook described the opening of backdoors into encrypted devices as the “software equivalent of cancer”, offering no guarantee that the keys will remain in the hands of the so-called good guys, Payton had a different view of this analogy.
“Backdoors are bad ideas. Weakening encryption is an old-school argument and I’m not sure that’s even what the FBI wants,” she said. “The FBI is not asking Apple to unlock the phone or to create a master key to use to unlock all phones. What the FBI is asking for is for Apple to remove a barrier, to remove one step, so the FBI themselves can attempt to unlock the phone.”
Non-stop security
It’s no surprise that a smartphone has taken a central role in defining information security, as millions of people are now living their lives through these devices. With the evolution of mobile wallets, fingerprint biometric security – once seen as sci-fi – is now a reality, and companies from Amazon to MasterCard are experimenting with even more new ways to authenticate payments.
“Payment technologies have never been safer, but criminals have never been smarter,” said Bob Reany, executive president of Identity Solutions at MasterCard. “Most of us can agree that passwords are a real problem. People forget them often and it’s a pain to go through the retrieval process.”
Conceding that there is no silver bullet to fight fraud, Reany said MasterCard implements multiple layers of protection to protect users every time they pay. Following a trial in the Netherlands, the credit card brand is rolling out a selfie security system in 14 territories this summer, in an effort to move away from the prevalence of passwords.
“I wish passwords were passé!” said Payton, though she’s not yet satisfied with the proposed alternatives. “I am quite wary of biometric data until the vendor devices, the storage, and collection of biometrics are locked down and safe.”
And even if biometrics technology is a step in the right direction, it is likely cyber-criminals are already working on a way to circumvent it. “The moment we roll out selfie and big data, behavioural-based analytics for authentication, it’s time to go back to the drawing board to invent the next approach,” concluded Payton.