The explosion of new devices that connect users to the Internet has been, and continues to be, hugely beneficial for businesses – it facilitates the sharing of information in ways that were previously unimaginable. However, the proliferation of devices has also revealed innumerable weaknesses in the underlying architecture of the Internet and company networks. Unfortunately for business leaders, there is no shortage of attackers looking to exploit these weaknesses and further their own agendas.
Many high-profile attacks on the private sector are carried out for financial gain. Recent attacks by individuals and groups of hackers have often achieved this objective by using ransomware; a type of malware that requires a user pay a ransom to remove the restrictions imposed on their computer. With the advent of these types of cyber attacks, leaders need to be prepared and ready to protect their businesses.
Previously unknown software bugs, or ‘zero day attacks,’ are becoming a mounting security problem for public and private entities.
Zero day vulnerabilities are being discovered with increasing regularity, and while many of them are discovered by ‘white hat’ hackers – who are paid to find and report on bugs they uncover in software code – other vulnerabilities are found and exploited by ‘black hat’ and ‘grey hat’ hackers – who seek out vulnerabilities for criminal or activist purposes. These are points of weakness that can lead to compromised systems and information breaches.
Cyber criminals are concurrently creating more sophisticated and specialised malware, and leveraging the open market to gain faster access to zero day vulnerabilities. For example, the New York Times reported that in 2005 seven malware ‘families’ represented 70% of all malware activity, while in 2014, 20 ‘families’ represented 70% of all malware activity. This proliferation and rapid change in the sources of malware makes traditional firewalls and anti-virus functionality of limited use on their own when it comes to detecting and preventing attacks.
Businesses need to use a number of strategies to improve their defence and minimise threats. Good cyber security starts with educating staff on existing and emerging threats and how to avoid them. With education, employees can improve their ability to identify danger, for instance, a suspect email that is designed to obtain sensitive information. However, this requires a significant and ongoing commitment to training.
Leaders also need to ensure they understand the threats and vulnerabilities related specifically to their business. As the cyber threat landscape evolves, so too does the need for more situational awareness, more robust defences, and more ‘real-world’ testing of those defences. In today’s cyber age, security testing needs to move from a ‘tick-box’ approach to a richer and more contextualised threat intelligence. This informs and guides how the testing should be conducted, what attack methods should be simulated, and where testers should focus their resources. Firstly, it should be carried out through penetration testing as a preventative measure to remove flaws prior to launching a system. Penetration testing should also be used as an ongoing detection measure, through red teaming, to identify any flaws that slip through testing, that are introduced through systems integration and iteration, or that emerge as new vulnerabilities are found.