From Cloudbleed, to Petya, to WannaCry - each major cybersecurity attack of 2017 has exposed new vulnerabilities in corporations and governments with one scary fact: everyone’s data is potentially at risk.
With the digital storage of personal data growing as the norm across every industry, data security officers and CIOs are facing the harsh reality that cyberattacks are no longer rare events, but instead are an inevitability. To get ahead, data security personnel must abandon the view that a major cyberattack is rare, and adopt a stance of readiness that assumes an attack is imminent - it is no longer a question of if, but when.
Kurt Long, CEO of FairWarning, sat down with Inside Counsel to discuss the major trends they represent, and how data security officers can best prepare to counter them in the coming months and years. Long has more than a decade of experience helping companies protect their assets by cultivating a human right to privacy in their workforces through a focus on technological and people-based security solutions.
Organized “Crime as a Service” organizations have grown in maturity as of late. Cyber criminals have morphed into businesses with capabilities to organize and build large attacks. The Wannacry attacks were an example where compromised systems allowed criminals to run attacks off of compromised servers, according to Long.
“We’ve seen the full gamut of attacks this year from ransomware attacks such as Petya and WannaCry to fake news, information leaks, denial-of-service attacks, and large scale malware attacks,” he explained. ‘These attacks have something in common, and that is the fact that the cybercriminals are outworking our governments and corporations. Cyber criminals are now exploiting the outdated systems and infrastructure which government and organizations have been slow to update.”
In fact, the NHS was a sitting duck for cybercriminals due to their outdated infrastructure; their operating systems were so out of date there were barely patches available for their systems. So, there’s a complete mismatch with cybercriminals evolving at a rapid pace and government and organizations moving at a slow pace to keep up.
In today’s world, our data is so far flung that we are unable to know what corporations or government organizations have it. Therefore, we are unable to tell how well the organizations that have our data protect it, per Long. There is a big variation in priority of security and privacy for different businesses. For instance, if Amazon prioritizes data security very highly, but there’s a third-party organization that doesn’t take data security seriously, your data is at risk.
“Governments need to step in and mandate citizen data and hold organizations accountable to protect citizen data,” he said. “Governments need to hold themselves to this same standard, and implement fines to organizations accordingly. Legislation such as the General Data Protection Regulation is groundbreaking from a legal perspective. If it is enforced properly, it stands to be a game changer, globally.”
The attacks are inevitable because the attackers are well organized and thus able to scale their operations. They can empower more attacks through automating systems and obtaining tools that help them carry out their attacks. They think like business people now; they scale, probe, use sophisticated technologies and invest to reach more businesses and vulnerabilities faster than ever before.
So. how can data security personnel become proactive? According to Long, they need to come to work and proactively prove every day that their applications and networks are secure and not broken into, instead of waiting for a breach to then react. Their job is to discover and contain a security incident and prevent it from becoming a full-scale breach.
Unfortunately, Long predicts that the scale of the damages are going to continue to go up.
“Cybercrime will begin to attack the very fabric of our democracy, and fake news can now be produced that is indistinguishable from official video of a world leader such as Barack Obama or President Trump,” he said. “This threatens the trust of our large institutions and is an exploitable tool for our adversaries to use against us.”