With internet capability being built into everything from cars to fridges, the “attack surface” for hackers is expanding rapidly.
It’s about 9.15pm when you head out of the office. You’ve been working late to catch up on work for the end of the financial year. The office is dark – you’re the last to leave, again.
You swipe your key card to open the lift, and lean tiredly against the wall as the doors slide shut. Suddenly the lift lurches to a halt and the lights flicker out. In the warm, airless darkness, your phone lights up. You have a text from an unknown number, saying: “If you want to get out of the lift tonight, deposit 200 bitcoin in the following account…”
The threat of hacking and cyber-security breaches crossing from the digital realm into everyday life will become more commonplace as more than 250 billion devices – from cars and manufacturing robots to fridges and Fitbits – go online in the next decade as part of the new internet revolution known as the internet of things.
That explosion of internet-connected devices will vastly increase what the industry calls the “attack surface” for hackers armed with increasingly sophisticated viruses and hacks, and a long list of potential vulnerabilities to exploit.
Despite years of development work focusing on security, the software sector is currently in an arms race with an increasingly sophisticated hacker industry.
This was originally characterised as a small network of disaffected teens, getting a thrill out of breaking into large networks to prove their hacking prowess and expose vulnerabilities. In reality, it is a highly organised industry running international criminal enterprises that constantly work to exploit loopholes in rapidly developing systems, while trading lists of the latest weaknesses through the nefarious dark net.
At their disposal are millions of computers owned by ordinary users, enslaved through a variety of malware, to create a botnet designed to help them probe systems and launch attacks.
And while most people believe that hackers are most likely to target large businesses or systems – and even governments – the reality is that every computer connected to the internet is constantly under attack.
We are all targets
Unfortunately, the sense of being too small to target leads many businesses to leave their systems open to attack. Mainly this is by failing to install the latest software patches – upgrades designed to remedy known faults in the system – and by choosing simple passwords and reusing them across systems.
While cloud-based software can be automatically upgraded to keep systems secure, businesses are now adopting technology so quickly that there are always some gaps to exploit in the literally millions of moving parts that go into a programme.
One of the latest trends we are seeing in hacking is a particularly invasive practice of installing ransomware on a business’s systems.
In an early echo of the scenario described in the introduction, hackers exploit a loophole to install encryption software that locks the business out of its server.
Hackers understand that many businesses aren’t particularly good at backing up, or at storing those back-ups in a secure location that is not accessible online. By cutting a business off from valuable data, client records, IP and other systems, they can then demand a ransom to unlock access – often set at an amount the business would pay to avoid the stress and expense of trying to recover its systems.
This is just one of the many ways hacker organisations are looking to make money out of what they do. But not every attack is so dramatic.
Even simple things like email lists have value on the dark web. Other personal data, like banking codes, credit card details and even tax file numbers are also harvested and freely traded between organised crime groups in what is a multi-billion dollar industry.
Hacking is, of course, not only the preserve of criminals. State-sponsored hacking is also on the rise in a new cold war that sees attack and counter-attack on military systems and hardware, as well as national infrastructure and essential industries.
For businesses, particularly those in low-volume, high-value sectors, even trading data (such as who their customers are and what price their goods are trading at) has value to competitors who may wish to gain an economic advantage.
While software providers pour enormous investment into combating hacking, as more and more of our systems move online the sheer volume of potential vulnerabilities – our attack surface – increases. Small businesses are often behind the security curve, being slower to update security systems, patch software and back up data. This makes them a lucrative source of small but high-volume attacks, which target their systems every day.
For business owners and their trusted financial advisors, recognising that hacking is not only a very real risk but a constant reality of our new, highly connected world is one of the responsibilities of successful management.
The software developers locked in the arms race with the hackers are doing their part by investing millions into security, but businesses also have a responsibility to ensure their own practices give them the best possible chance of protecting their valuable data.
Staying safe in an online world
For accountants and financial advisors wanting to talk to business owners about cyber security, here are some areas to focus on.
Patching – patching is the new mantra for best practice security. Patching means going to your vendor and asking for the latest software releases for the software you have – from your routers to your Microsoft Office suite. These patches are designed to fix known vulnerabilities: holes in your system that hackers are most likely aware of and are prepared to exploit. So if you’re not constantly patching, you are leaving your business open to attack.
Phishing – most businesses will get many spam emails every day. Buried within those are often links or programmes designed to slip into your system to lift data or incorporate your machine into a botnet. Make sure that all your staff are aware that they should not click on everything that comes their way, even if it seems like it’s from a trusted source – such as your bank.
Backing up offline – the first thing a hacker wants to do if they get into your system is get at your back-ups. So keeping back-ups offline, and managing who can access your system over the VPN, is vitally important.
Keep anti-virus protection up to date – ensure you are running the latest security software and regularly sweep your system to ensure no one has taken over your machine.
Get a security advisor – find someone who can review your systems, check for malware, keep your patch levels up to date and be aware of any vulnerabilities.
It takes some effort and resources to maintain business cyber security. It is also easy to become complacent because you feel your business is too small to interest a hacker.
Remember, they are not attacking you personally. They are automatically scanning and coming back with lists of tens of thousands of machines, with all the versions of all the software that you’ve got, and they are running automatic hacks on them. If your machines fall to the hackers, it will likely happen without the hackers ever being aware you exist.
There is a lot of misunderstanding around what works and what does not in this space, says Ernest Stabek.
“Cyber security is not something you do yourself. Get someone involved to give you advice – an external security consultant.”
Stabek notes that thinking about cyber security should not be restricted to ICT systems but should include the flow-on effects of potential issues – damage to your brand or reputation, or the potential loss of key clients, being classic examples.
“It’s not enough to identify vulnerabilities in your ICT environment, you also need to prioritise those risks and assess the best responses to them.
“So it’s not just an ICT problem. Cyber security should be on the board level risk register.”
Solutions must be developed by ICT and other business units, he says.
“It’s very important that your chief risk officer and chief information officer have an open dialogue and that they work together… so that ICT can get involved in the broader business context.”
Cyber security is more than “stopping stuff getting in”. It is about minimising the business risk through good planning and staff education.
“Don’t treat cyber security as a cost. Rather, it is a way to negate risk. It’s about the level of risk that the business is prepared to take.”