Consider this: in the past year cyber thieves have stolen $81m from the central bank of Bangladesh, derailed Verizon's $4.8 billion takeover of Yahoo, and even allegedly interfered in the U.S. presidential election. Away from the headlines, a black market in computerized extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse, especially as computers become increasingly entwined with physical objects and vulnerable human bodies thanks to the Internet of Things and the innovations of embedded systems.
A recent survey has once again highlighted the urgent need for UK business to take cyber security more seriously. The survey found that 65% of companies don’t have any security solutions deployed onto their mobile devices, and 68% of companies do not have an awareness program aimed at employees of all levels to ensure they are cyber aware. In addition to this, the survey found that 76% of companies still don’t have controls in place to detect and prevent zero-day/unknown malware entering their organizations, and 74% don’t have an incident management process established to respond to cyber incidents and prevent reoccurrences.
The most common attack is still a structured query language (SQL) injection. SQL injections feature heavily in breaches of entire systems because when there is a SQL injection vulnerability, it provides the attacker with access to the entire database.
There are a number of factors. One is that companies are always very cost conscious, so they’re always trying to do things on a budget in terms of the development cost.
What that often means is that they’re getting under-skilled people. It doesn’t really cost anything more to build code that’s resilient to SQL injection. The developers building it have got to know how it works. For example, if you’re offshoring to the cheapest possible rates in another country, you’re probably going to get inexperienced people of very minimal security prowess.
Companies generally don’t tend to take it seriously until after they’ve had a bad incident. You can’t miss it. It’s all over the news every single day about different security incidents, but until it actually happens to an organization, the penny just doesn’t seem to drop.
This is not a counsel of despair. The risk from fraud, car accidents, and the weather can never be eliminated completely either. But societies have developed ways of managing such risk — from government regulation to the use of legal liability and insurance to create incentives for safer behavior.
Start with regulation. Government’s first priority is to refrain from making the situation worse. Terrorist attacks, like the ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.
The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that Internet-connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.
There are a number of different ways of looking at it. Arguably, the most fundamental thing that makes a big difference for security is the training of technology professionals. If you’re a business owner and you’ve got people working for you who are building these systems, making sure they’re adequately trained and equipped is essential.
Data breaches are often related to coding errors. A perfect example is an Indian pathology lab, which had 43,000 pathology reports on individuals leaked publicly. The individual who built the lab’s security system was entirely unequipped. Though it may not be the only solution, a good start in improving cyber security is ensuring that there is investment in the development of the people creating the code. Let us know where you’d start!
Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.