The increasing digitisation of business and society has already brought us online shopping, fintech, cryptocurrencies, social media, the potential of blockchain-based decentralization, and many other transformative technologies. With continued growth of hyperconnectivity, the digital economy and society overall will increasingly rely on the internet – and metaverses – to transform the way companies conduct their business and the way we all live. Better cybersecurity (the practice of protecting critical systems and sensitive information from digital attacks) must become more important as the frequency and sophistication of cyberthreats will challenge many organizations and individuals.
We all know the pace of digitization accelerated during pandemic lockdowns and social distancing, and many more organizations and individuals realize the scope and scale of the issue. In just a few years the topic of cybersecurity has moved from being a relative back-burner issue to heated confrontations between the U.S. and Russian presidents.
PwC survey results released in November 2021 found 66% of UK business leaders expect the threat from cyber criminals to increase over the next 12 months. 63% were increasing their cybersecurity budgets over the coming year, compared to 56% in the previous year’s survey.
Yet the question of “What action to take?” is one few people can answer readily. The range of risks faced runs from a UK phishing scam which appeared to offer competition prizes of 5,000 cooler boxes full of Heineken beer, to company data breaches which in 2020 cost U.S. corporate victims an average $8.64 million, and state-sponsored Russian hackers who disabled Ukrainian government, military and bank websites prior to their army’s invasion.
Cybersecurity at National Government Level
Central Government protection of digitized national infrastructure and assets is of vital importance, particularly in the face of growing international belligerence. But are they up to speed? In the UK, the proposed digitization and centralization of patient records held by the state-run National Health Service cost over £10 billion before the plan was dropped without successful completion in sight. This was followed a few years later by attacks that blocked patient records and appointment systems within NHS regional organizations, paralyzing the use of operating theaters and costing an estimated total of £92 million.
Cyber attacks on energy suppliers, transport infrastructure or medical services could cost lives, not just inconvenience. Similar matters are certainly being addressed around the world and the UK’s poor performance does not mean other Governments cannot do better. Singapore’s coordinating minister for national security has said that cybercrime already accounts for half of all the city-state’s criminal activity. Their comprehensive Cybersecurity Strategy 2022 initiative is intended to keep Singapore at the forefront of tech-driven economies.
Cybersecurity at the Corporate level
Corporate bosses seem to have a more direct mandate to instigate effective cybersecurity through their legal obligation to pursue maximum profit and returns for their shareholders. Maintaining operational efficiency and staving off expensive ransomware attacks are part of that process. Devastating impacts of cyberattacks on a business’s ability to operate will become more severe in the future for organizations that fail to treat cybersecurity as a necessary business investment.
A report from the management consultancy firm Gartner on IT trends says the true extent of the problem is hard to estimate. Many corporate victims want to keep it to themselves to avoid eroding customer, supplier, employee and shareholder confidence.
Also, the extent and quality of third party cybersecurity will become a determining factor in who to do business with. Given that the issue will then become perceived as a wider business risk rather than solely a technical IT problem, Gartner expects to see formal accountability for the treatment of cyber risks shift from a security leader to more senior business leaders who are going to have to acquire new knowledge.
Who will actually design, install, monitor and maintain cybersecurity, and handle the fallout from breaches? Increased consumer use of online healthcare and wellness providers, online banking, crypto and NFT investments – all create higher cyber risks for the providers and the end-users. However, 45% of cybersecurity professionals claim to be considering quitting the sector due to relentless stress and unrealistic expectations for them to be available 24/7.
A skills shortage appears inevitable, so maybe the provision of crowdsourced resources on an on-demand basis will grow. Crowdsourcing Week has previously covered cybersecurity provided by crowd-based specialists who operate on a freelance basis, sometimes in addition to full-time employment. An example is BOLD Awards’ Blockchain and NFT Partner Venly, which uses the crowdsourced cybersecurity platform Intigriti. Other notable crowd-based providers include Synack and Bugcrowd.
Cybersecurity at a Smart City/Community level
Smart cities collect data from cameras and sensors that record and communicate it for analysis and management of resources (such as water and energy) and infrastructure (including traffic/mobility management). The aim is to improve delivery of public services in more environment-friendly and economic ways.
This is particularly important given the United Nations predicts almost 70% of the world’s population will live in cities by 2050.
There is a risk that hyperconnected city-wide networks can be hacked through a multitude of entry points. Research by a tech provider revealed city officers and utility managers recognize cyber threats against IP cameras, arguably the most vulnerable entry point, as real and ongoing. Hackers have three main reasons.
- They may want to target specific individuals and track their movements.
- They want access to the infrastructure a camera is connected to.
- They want to tap in to computational power for crypto mining or botnet attacks.
Weaknesses in cameras are frequently found by hackers before manufacturers are aware of them. What should city officials do? Cybersecurity should not be added on to completed systems; it should be fundamental in the planning, design and installation process. As part of the procurement process the purchaser should check that manufacturers take security seriously and incorporate it in their products, not just add it on at the end; that they have staff dedicated to security issues; and that they conduct audits to monitor the security performance of their units installed by other customers.
They should also check on a manufacturer’s data encryption protocols; multi-factor authentication for network access control; that monitoring will begin as soon as units are installed, without waiting for a warranty period to expire; and that documentation is available confirming a manufacturer’s obligations and commitments. Can their devices be updated over the air or do they require a physical visit?
Civil authorities of larger cities should cooperate with each other to share best practices, maintain a high state of vigilance, and share information on how their dedicated teams are handling risks and alerts. Smaller cities are more likely to need a third party partner who can safeguard their systems. Either option requires setting a budget, and prevention is always going to be cheaper than putting things right after an attack.
Cybersecurity at an individual level
Using or carrying smartphones or tablets in a public place, whether outdoors or in a café, restaurant, or shop can expose people to a number of risks. People need assurances of citizen privacy through the analysis and management of the threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of their data. Who should take responsibility for cybersecurity – civil authorities, hospitality business owners, retailers, employers, individuals themselves?
The main security risk associated with using a device in a public place is that the Wi-Fi may not be secured, your connection to it may not be encrypted, and unauthorized people will be able to intercept anything you are doing online. These are known as man-in-the-middle attacks, where cybercriminals intercept and relay messages between two parties in order to steal data. On an unsecure Wi-Fi network, an attacker can intercept data being passed between a guest’s device and the network. Cybercriminals target our personally identifiable information (PII) — names, addresses, national identification numbers (e.g. Social Security number in the US, fiscal codes in Italy), and credit card information — and then sell these records in underground digital marketplaces.
Simple tips include: turn off Bluetooth if you’re not using it; don’t leave devices on show if you’re not using them; check the settings to be sure of what information is being sent by the apps on your devices; connect to the internet via a VPN; lock your devices with a password.
At home, the increasing connectivity of devices in our domestic networks can provide hackers with a vast amount of information. Apps to control heating, lighting and equipment to prepare for arriving home are multiplying at pace, and they are another hacker entry point to personal data. With many more employees working online from home this could endanger company systems. It would be in employers’ best interests to be more involved in their employees’ online behaviors.
Have you had any cybersecurity experiences, whether good or bad? Please share them with us.