Cyberattacks and espionage – Risks and Prevention

It’s not quite as cool as Bond in his Tom Ford suit leaning on his wonderful Aston Martin while he plots his next move to unseat some despot. All the same, Germany’s recent apparent spate of typewriter purchases points to a renewed sense of fear of being overheard and compromised in an era of digitally pervasive content, vulnerable networks and indelible conversations. Spying and intelligence concerns coalesced with subject matter we’ve previously written about – including online privacy, governance, security and the internet of things – in a special report in last week’s The Economist, which produced eight articles on the subject of security in a digital landscape. Some highlights:

• Cybercrime is costly. The Centre for Strategic and International Studies estimates the annual global cost of digital crime and intellectual-property theft at $445 billion – a sum “roughly equivalent to the GDP of a smallish rich European country such as Austria”.

• Focus on prevention rather than reaction. As with many things, the best way to make sure cyberattacks aren’t too damaging to your business is to make sure they never happen in the first place. It’s more difficult (and costly) with digital security because the process can easily feel like a Sisyphean struggle; businesses invest in new technology only to see it circumvented by more hacking, perhaps exposing a different loophole or vulnerability. But an iterative approach is better than leaving the door open and spending more money after the fact.

• Honesty is the best policy. After being hacked, a company can find it hard to admit it. This is understandable. Not only is it somewhat embarassing, it admits to customers and shareholders that the company is vulnerable, but it also suggests that their data is not safe with said company; perhaps they should shop elsewhere. However, transparency in such a situation is paramount if others are to learn how to combat such attacks. One suggestion is that the US government “create a cyber-equivalent of the National Transportation Safety Board, which investigates serious accidents and shares information about them”.

• Who to complain to? The perpetrators of cybercrimes are no longer limited to the teenaged hackers of yesteryear. Though ideological groups like Anonymous serve as a disruptive influence, often the biggest problems are caused by the governments charged with protecting things like individual privacy, security and freedom of speech. From the US to China, authorities “do not hesitate to use the web for their own purposes, be it by exploiting vulnerabilities in software or launching cyber-weapons such as Stuxnet, without worrying too much about the collateral damage done to companies and individuals”.

• External trends point to a worsening of the problem. The Internet of Things as a trend will have billions of devices connected to each other via the Internet over the next few years. With one of the fundamental ideas being that the user isn’t really aware of the connection, the likelihood of spotting a hacked device becomes all the smaller. This isn’t a huge problem in cases like a connected fridge receiving spam email, but it becomes more of a problem when hackers can gain remote control of your car. One of the barriers to improved security for everyday devices is that the margins are razor-thin, as are the chips to connected to the devices, in order to keep the product small. Any added security software or hardware and the cost and size of the product increases.

Zeitgeist believe the risk to IoT devices will be one of the key areas that businesses and regulators will need to focus their efforts in the future. Because it is still a relatively fledgling sector, the issue is not being discussed yet in many places. Deloitte, in association with the Wall Street Journal, recently reported on the nature of cyberrisks and how companies can help mitigate them. Well worth a read.