Over the years, one of the principal concerns for organizations has been the imminent threats related to cybersecurity. In recent days, we learned that approximately half a billion Yahoo email accounts were hacked. This is just the latest mega-breach to be disclosed, but it has been one of the biggest to date (CNBC, 2016).
Dealing with cyber threats has developed into a key component of corporate strategy, as the majority of C-level executives view cybersecurity as a top concern within their organization (Reconteur, 2016).
Cybersecurity threats extend beyond the corporate walls. Hackers are a foremost concern for governments, as they pose a significant threat to destabilize financial markets. The U.S. Federal Reserve recently reported more than 50 internal breaches within the last five years (Reuters, 2016).
As cybersecurity has come to play such a significant role in our lives, some of the leading universities around the world have been developing programs within their technology and business departments to specifically train experts to assist public and private entities in dealing with these risks. In Great Britain, The Chartered Institute for IT has implemented cybersecurity as a key component of the technological curriculum for students (ComputerWorld UK, 2016). In the United States, universities such as The University of Texas at San Antonio, which was recently ranked as the top cybersecurity program, have received significant funding from the US government to continue to develop cybersecurity solutions. As many cyber-attacks have taken place around the world, UTSA experts foresee a major development among the global terror community, as part of it has evolved into organized crime (UTSA Today, 2016). Cyber technology experts have legitimate concerns regarding an ominous universal threat that could affect the entire internet infrastructure (Fortune, 2016).
For individual users, who rely more and more on their mobile devices, the biggest threat is actually right on their hands (HBR, 2016). The interconnected world of today brings tremendous advantages to all, but individuals fail to realize that not following proper cybersecurity procedures could be detrimental to their daily lives. Culture and education are essential to preserving their data securely.
We approached Raymond Choo, PhD, Associate Professor of Information Systems and Cybersecurity at the University of Texas-San Antonio, and a leading expert in digital forensics, to get his perspective on cybersecurity threats around the world.
1. Organizations continue to be targets of cybersecurity threats and in general they seem to be behind the curve with regards to cyber protection. Is it possible to reverse this trend?
When organizations including government agencies come under cyber-attacks, it is not immediately apparent whether the source of the attack is a skillful teenager, an organized cyber-crime group, a nation state, state-sponsored actors, or a combination. Many of these high profile incidents send a loud and clear message – that is, cyberattacks are getting more sophisticated and ‘going under the radar’ and most victims only realize they are under attack when it is either too late or months later, when data and corporate secrets have been stolen by the intruders.
Why are cyber criminals so successful? Darwinism: Survival of the fittest? The global nature of cyberspace makes it possible for cybercriminals to commit cyber-crime in ways that would not have been possible before; and cybercriminals tend to be very innovative, and are constantly on the lookout for new markets, technologies and opportunities for exploitation.
We need to understand and convey the message that information security is not only a cost or a technology issue, but it can also facilitate economic exchange and deliver real business benefits.
We should be asking ourselves whether our organization is properly structured to assess and manage the cyber security threats and what will it cost us in the event of a major security breach. For example, are we able to afford the cost of cleanup and liability such as legal and reputational risks? And how many of our C-level executives, board of management or head of agency wish to wake up the next morning, and find out that our organization has been involved in a major security breach and appearing in the headlines for the next few days, weeks or even months?
Is it possible to police online content in a cost-effective and timely fashion? I would say no. This is true not only for open and liberal societies like U.S. Even countries such as those in Asia can no longer consider shutting down the Internet and other communication channels as a means of dealing with cyber threat. Instead, governments must find various strategies to build the national resilience needed to maintain and open yet secure cyber space, and to strike the most appropriate balance between the protection of their citizens, national security interests, and democratic freedoms. For example, how do we balance the need for cyberspace regulation and surveillance with fundamental freedoms, such as the right to private life, freedom of expression, right for disabled persons, etc.? I guess this is conversation for another day but certainly an important topic to consider.
2. The expansion of mobile technologies has increased cyber risk for individual users. Future developments such as IoT will pose an even bigger burden in the future. What roles do security culture and education play in all of this?
What we found in our research is that in the rush to attract new consumers and accelerate the product’s time-to-market, many consumer-oriented technologies such as mobile apps were not designed with user security and privacy in mind. For example, we have revealed previously unknown vulnerabilities in the Australian Government healthcare app, video on demand apps, financial apps, and a number of other apps, as well as demonstrating how the identified vulnerabilities can be exploited to expose the user’s sensitive data and personally identifiable information stored on or transmitted from the mobile devices. We also demonstrated that it is possible to exfiltrate data covertly from mobile or air-gapped devices by “listening” to sounds humans cannot hear.
With the increased convergence of technologies whereby a user can access, store and transmit data across different devices in real-time, the potential for cybersecurity risks must be carefully considered. Risks may arise from factors such as IoT system developers and manufacturers not having the requisite levels of security awareness, and not fully understanding the need for security measures to protect intellectual property, and other sensitive data that are stored, accessed, and transmitted from such devices. For example, in a recent research, we examined the security features of several consumer-oriented 3D printers and presented an attack technique that is able to, not only, exfiltrate sensitive data, but also allow for remote manipulation of these devices. Countermeasures to the attack that are implementable by both the manufacturer and the user of the printer were also presented. Also in our survey of 250 smart mobile device owners from Australia, we found that the survey participants generally underestimated the value that their collective identities have to criminals and how these can be sold, or even perceived cyber-crime to be a real threat.
The escalating complexities of our digitalized and data-driven society underscore the need for regular ongoing training programs for basic online security and the promotion of a culture of security among smart mobile device users. For example, targeted education and awareness programmes could be developed to inform or educate users (e.g. smart mobile device users) and correct misconceptions or myths in order to bring about changes in attitudes and usage behavior (e.g. not taking preventative measures such as strong passwords to protect their devices). Such initiatives would enable all end users (including senior management who use such devices to access privileged corporate data and accounts) to maintain current knowledge of the latest cyber-crime activities and the best cyber security protection measures available.
About Raymond Choo
Professor Raymond Choo, PhD, is Associate Professor of Information Systems and Cybersecurity at the University of Texas at San Antonio. He currently holds a Cloud Technology Endowed Professorship. Professor Choo previously taught at the University of South Australia and collaborated with the Australian government through the Australian Institute of Criminology.
These documents are for informational purposes only and all contents are subject to change without notice. The recipient of this information must make decisions according to their interests and under their sole responsibility. EFM Capital S.A. de C.V. makes no representation of warranty, expressed or implied, regarding the accuracy, completeness or omission of the data contained hereof. These writings are private and the information they contain may not be reproduced in any form, be published even in any of its fraction, or make a public reference thereof without prior written consent of a duly authorized representative for this purpose by EFM Capital S.A. de C.V. All images and logos used are for illustrative purposes.