Businesses are now facing cyber threats via vectors, which just a few short years ago would have seemed like something out of a Hollywood science fiction movie. When you plug into the world, it's easy to forget the world is also plugged into YOU.
Risk Management, in a business context, is defined as the forecasting and evaluation of financial risks, together with the identification of procedures to avoid, or minimize their impact. But how can 'management' be made to understand, manage, and mitigate today's cyber risks?
Unfortunately, outside of the IT department, most managers simply don't understand, (or don't want to understand), the very real-risks posed by cyber-threats. And IT managers often don't have the influence required to force through much needed changes, in both corporate thinking, and corporate spending, on cyber security.
Recently, 40% of the population in South Korea had their personal details stolen. How bad do things have to get, before people sit up and take notice?
By 2020, there will be more than 50 billion devices connected to the internet, and one million new devices are being connected every three hours. In the world of the Internet of Everything, we are faced with smart phones and tablet computers which can bypass an organization's firewall, if the office network is not setup securely.
In the office, more and more smart 'connected' devices are being installed, often without any planning, resulting in office printers, fax machines, telephones, video surveillance, web cams, and copiers, which can be leveraged to both spy inside the office network, as well as attack third-parties outside the office network.
Examples of such attacks, range from the almost comical discovery that a Samsung refrigerator, which was compromised, and had become part of a spam bot-net that had sent out more than three-quarters-of-a-million spam emails, before the breach was discovered. More sinister examples include IP Teleconference Phones being hacked to spy on organizations' board meetings, and far worse than that, hacked webcams (and even baby monitors) used to spy on people (and their children) in their homes.
One of the largest recent successful cyber-attacks, on the retail sector, is believed to have been made possible by a security breach of the victim's Heating and Ventilation systems. Researchers have since discovered over 55,000 such HVAC systems connected to the internet, and have noted that in most cases, these systems contain basic security flaws. Not to mention the fact that, "the security at such companies tended to be poor, and that vendors often used the same password across multiple customers."
Once hackers find your devices, many can be compromised just by logging in using ADMIN / 123456.
The SHODAN search engine for internet devices, has been called, "the scariest search engine on the Internet," by CNN. The engine itself advertises that it can help you find exposed online devices, including, "Webcams, Routers, Power Plants, iPhones, Wind Turbines, Refrigerators, and VoIP Phones." Forbes calls SHODAN, "terrifying." The system collects information on more than 500 million internet-connected devices and services each month.
Medical equipment such as surgical and anesthesia devices, pacemakers, insulin pumps, and lab analysis tools, can all be hacked.
The stark reality, is that major corporations and government departments, are moving at the speed of corporate red tape, while hackers and criminal organizations, are moving at the speed of the internet.
It doesn't take much to realize who has the upper hand right now. And one shouldn't forget the other unfortunate reality, which is the fact that the potential victim needs to successfully defend themselves from a never ending onslaught of attacks; while the hacker only needs to successfully get in once.
Yet despite all these facts, and despite the ever growing number of media headlines, highlighting successful attacks on companies and governments right across the globe, most senior managers are still all but ignoring cyber threats.
Sometimes it seems that the bigger the successful attacks are, often counting breaches of personal data accounts in the multi-millions, the more numb the entire world seems, to the shocking realities involved. And while you can usually change your password fairly easily, you can't as easily change your passport number, or your home address, or your mobile phone number. As the number of successful breaches grow, we are all becoming more vulnerable, as the criminals get a clearer and clearer picture, of our personally identifiable information.
Unfortunately, time and again, organizations are only looking seriously at their cyber security, after they become a victim of a cyber-attack. Sometimes, not even then. This is simply not acceptable anymore. Cyber-attacks can, and do, cause very tangible damage in the real world.
Michael Gazeley is managing director and co-founder of Network Box Corporation.
This story, "The Vulnerability of Everything" was originally published by Computerworld Hong Kong.