Every day the news carries stories of companies being subjected to the destructive and costly effects of cyber-attacks. Like all organizations with an online presence, SGS is targeted by these criminals but, so far, we have been lucky enough to avoid a breach. This isn’t just a case of being fortunate. Successfully keeping cyber-attackers out of your systems requires a considerable amount of effort and planning, but the first step is to know the threat.
Email: The Cyber Criminal's Friend
One of the cyber-attackers’ main weapons continues to be email. It represents a clear and present danger to users, with security software company Symantec estimating that one in every 131 emails contains malware. Scams utilizing spear-phishing emails target over 4,000 businesses every day and are estimated to have cost around $3 billion over the last three years. Criminals are now finding ways to automate this form of attack by utilizing tools designed for legitimate use, for example Microsoft’s PowerShell. This speeds up the process for the attacker, making the threat all the more worrying for users.
Another common threat, which we should all be aware of, is phishing, or identity theft. This targets users in an attempt to acquire their banking details. Commonly, the approach will come via an email, purporting to be from the bank itself, asking for log-in details and passwords. Research suggests that less than half of one percent of customers oblige, but when you consider the millions of emails that are sent out, this still represents a significant number of victims. Criminals have now developed a more sophisticated version of phishing, called cross-site scripting. In this case, users think they are accessing a genuine bank website with their log-in details, when it is actually a counterfeit site set up by the criminals.
The Rise of Ransomware
An increasingly popular form of cyber-attack is ransomware – a type of malicious software that threatens to publish a victim's data or perpetually block access to it via encryption. The criminal will demand a ransom to remove the encryption, and current figures suggest around 60 percent of Americans yield to this form of extortion, which explains its increasing popularity. It is reported that ransomware attacks have seen a 35 percent increase in 2017, with some estimates suggesting a further ten-fold increase over the next year. This is not a problem restricted to private citizens: businesses, regardless of size, are susceptible to these threats.
Perhaps more worrying still are the threats to our power plants, electrical grids and telecommunications networks from nation-states, terrorists and organised cybercriminals. Our infrastructure has increasingly been targeted in recent years and it is a trend that is likely to continue. These attacks obviously create inconvenience and can be extremely expensive to fix but, more worryingly, they threaten our way of life and can sometimes prove to be fatal.
New Threats in The Cloud
With companies ceding more and more of their data and processing power to the cloud, cybercriminals are increasingly looking for ways to exploit the cracks in its security. Last year, thousands of MongoDB files were hijacked and held for ransom after users left outdated versions exposed without authentication enabled. (MongoDB is an American software company that develops and provides commercial support for open source databases.) Certification for cloud vendors is available from companies like SGS to help mitigate this risk.
The largest retail breaches of the last few years, however, and the cause of multi-million dollar losses, have involved malicious software and malware installed on point-of-sale (POS) systems. These collect clear-text credit and debit card numbers automatically for the criminal. Kaspersky Lab, the antivirus provider, recently reported that around 323,000 new malware files are identified each day. There are a number of ways to mitigate this risk, including the adoption of PCI DSS, the Payment Card Industry Data Security Standard, an information security standard for organizations that handle branded credit cards.
New Opportunities in the “Internet of Things”
As technology advances, the adoption of network-enabled devices is rapid and widespread. Everything from your car to your refrigerator will soon be on the ‘net’, leaving it vulnerable to cyber-attack. The IoT, “Internet of Things”, offers convenience and connectivity, but it also comes with its own vulnerabilities, which can be exploited. In 2016, IoT devices faced their first major Distributed Denial of Service (DDoS) attack.
The US Government has acknowledged the threat, with a recent bill submitted to the U.S. Senate seeking to improve IoT security. The bill requires device makers to meet basic security standards if they want to do business with the federal government. The bill mandates that any internet-connected device provided by government contractors must be free from known security vulnerabilities, be able to receive regular software updates, and use up-to-date communications and encryption industry standards. The IoT can be a good business model to pursue, but organizations implementing IoT technologies must be aware of the current tradeoff between security and convenience.
This article provides an introduction to the issues surrounding cyber-security but it is by no means an exhaustive list of all threats. Technology evolves rapidly, meaning companies like SGS are constantly expanding their range of cyber-security offerings, in order to meet each new challenge.
For further information, please contact:
Edward C. Beesley
Global Head of Digital Services
t: +201 508 3071