Cyber crime

Staying safe in a digital world

Whether it’s smart building, VR, cloud systems or BIM, digitalisation is in full swing and there is no going back. It is driving new modes of business forward, and leaving analogue business models behind. And yet, many companies are realising that they cannot get by on digitalisation alone. Let’s take a look at why any organisation or individual considering entering the world of digitalisation also needs to pay equal attention to the matter of cyber security.

Digitalisation is fun. Which is fortunate, since it is practically unavoidable these days. The digital age is a time of new possibilities – with everything getting faster, more colourful, but sometimes louder, too. We can all agree that digitalisation has become part of our day-to-day life, and yet it doesn’t always work very well. Suddenly plunged into the world of home schooling, no doubt some of us are beginning to see that not everything runs as smoothly as it ought to. And then, just as Covid-19 appeared to be improving our interaction with the digital world, we also started to see the negative impacts, like the sudden onset of "zoom bombing". In short, cybersecurity, or rather the lack of cybersecurity, has forced many of our digital pioneers to face the harsh realities of the cyber world.

A swathe of hackers

In old (and even in some more recent) films, the hacker is often portrayed as an elusive sort of character, who wears a hoodie and sits eating pizza in a dimly lit room, typing away in some mysterious-looking code and using all sorts of cool applications. However, the attackers taking on IT systems nowadays – whether they’re targeting large or small companies, private homes, medical practices, hospitals, construction companies or window manufacturers – are not sitting alone in their basements. The ones threatening our digital security today are part of a whole swathe of hackers and, as in industry, they work in a division of labour. One group organises distribution – after all, the program code that supports the attack has to be delivered to those implementing it.

Other people then organise the use and functionality of this "malicious code", while yet another group of people takes care of the monetisation – such as the collection of payment in the case of ransomware, or the resale of intellectual property in the case of money laundering. They work in shifts and often the proverbial basement we’ve seen in the movies is actually more like an infinity pool on an Asian beach.

That said, some hackers also use artificial intelligence that has been specially trained to break into a digital system. In this sense, digitalisation is not only making us more susceptible to attacks, but it is also making the attackers more powerful. This criminal industry has existed for quite some time now, and the damage to the national economy is now greater than the economic damage caused by the drugs trade.

What motivates hackers?

You may be wondering why we are so concerned with this. The point is, it is really important to understand what motivates the attackers. The procurement of foreign currency by isolated states leads to ransomware attacks, some of which come with breathtaking ransom demands.

The predominant form of cyber crime, and one that has been regularly observed over the past few years, involves hackers stealing company data and selling it on to competitors – or, in some cases, companies directly commissioning the theft of data from their competitors. Data theft has also recently been linked to ransomware and is used to add more weight to ransom demands. In this respect, the "business model" – so to speak – behind data theft has expanded from an approach to gaining intelligence to an approach that aids extortion.

Unfortunately, data destruction has also become part of the hacker’s repertoire, with ransomware attacks now offering the greatest potential value for the lowest risk of detection. Companies that operate in more controversial industries, such as the arms trade, oil production or banking, for example, often provide an additional motivation for attackers, other than the monetary incentive. Attackers often claim that they have some sort of moral duty to target these sorts of businesses, due to their detrimental effects on the environment and society. The better our understanding of why we’re being attacked, the more efficiently we can protect ourselves.

Where is my data? Who else contributes to the data universe I use?

Risk management as a central line of defence

These considerations are all elements of the core risk management strategy that organisations need to establish. Only then is it worth thinking about which processes and technologies might provide you with a level of security that is commensurate to the level of threat. In all cases, the key thing here is to start by fixing the basics. Patching, patching and more patching is essential when it comes to digital security. And yet this still isn’t firmly implanted in the collective mindset, as this security gap from Windows demonstrates: using an "Internet of Things" search engine, several thousand systems on the internet in Germany can be identified, which could have been secured many months ago simply by importing Microsoft security patches. This is where another mechanism of a successful attack comes into play. To use the hotly debated issues of Covid-19 and measles as an analogy – just as any individual who hasn’t been vaccinated has an impact on our herd immunity, any unprotected system affects our collective security. These unprotected systems are welcome gateways for potential attacks, and are exploited as such.

Another question we have to ask ourselves is, "Where is my data?" And for those using BIM systems: "Who else is sharing the same data platform as me?" In principle, cloud environments are no worse than systems in your own data centre. In fact, they are often better, because providers like Amazon have much higher security budgets than any medium-sized company; plus the fact that standardisation also makes it easier to manage security. That said, even with the most cutting-edge technology out there, there is always the risk of it being used incorrectly, thus weakening the system. In many cases, weak points in large cloud systems have turned out not to be the fault of the cloud provider, but rather improper implementation – on the part of the user – of things like administrative access. This is what happened a few years ago in a security breach involving Microsoft’s Azure cloud.

When it comes to cloud systems, certain questions arise on the issue of compliance – i.e. the observation of data protection regulations such as GDPR. This issue not only affects Europe, however, but also countries like China and the USA, which have their own data protection legislation. The question of compliance poses significant problems for companies, and in fact every organisation would be well advised to actively comply with data protection laws and cybersecurity legislation, rather than leaving it up to chance.

Typical gateways for hackers

As well as weak points in an IT system, which can be identified with the help of so-called Internet of Things search engines like Shodan.io, there are two major weak points that have proven to be particularly effective for attackers. You will not be surprised to discover that the first of these is human error. In an approach known as phishing, where emails are sent containing malicious file attachments or links, individual users become the point of weakness through which attackers gain access into a company. The second major gateway is the supply chain. Companies’ increasingly cost-driven purchasing behaviour means that suppliers’ margins are becoming ever tighter, which in turn restricts their budget for establishing effective security measures.

Ultimately, this allows attackers to install their own applications onto the system. This undetected software then prepares the ransomware attack or, in the case of data theft, sends data in the background.

It only takes a quick glimpse at the statistics to see the impact of this (self-induced) vulnerability: almost all successful major attacks in the last three years can be traced back to attacks that were initiated via the supply chain.

What can I do to protect myself?

As well as the basic measures already mentioned, employee training courses are very helpful in making users better equipped to recognise phishing attacks. Failing that, the company should consider using intelligent systems to detect attacks. As well as the expensive threat detection systems available for in-house operation, there are also externally managed threat detection services available, which always offer better value to medium-sized companies than the in-house options. As long as you take on board these few basic considerations, any organisation should be able to put effective measures in place to achieve an adequate level of data security.

Jörg Asma is the Cyber Security & Privacy Partner at PwC. He studied electrical engineering, with a particular focus on automation. He has more than 20 years’ experience in the field of cyber security/information security, and advises customers of all sizes from a variety of industries. Jörg Asma was a member of the standardisation committee for the NI 27A ISMS standards. He has co-written various books on cloud security and security governance. He also teaches cyber security and cyber warfare at universities.

Glossary

Botnet
A botnet is a network, controlled by cyber criminals, that consists of multiple malware-infected computers connected to the Internet. It is used to distribute spam and other malware, and to cause a level of damage that would not be possible with a single computer.

Ransomware
Ransomware is a type of malware that uses encryption to restrict or prevent users from accessing their system by locking either the user’s computer or their personal files. The user is then blackmailed, being requested to pay a ransom in exchange for decryption and release.

Threat Detection
Threat detection refers to an organisation’s ability to accurately identify threats to the network, applications or other assets within the network. A threat is anything that has the potential to damage a computer system or the cloud.

Patching
Patching involves manufacturers releasing updates to an operating system or application, in order to correct an identified error or weak point and thus improve the software.

Human Firewall
A human firewall refers to the obligation of a group of employees within an organisation to follow best practices and procedures in order to prevent or report data breaches or suspicious activity, and to keep the network secure.

Phishing
Phishing is an attempt to trick people into disclosing sensitive information such as credit card numbers or passwords. This is often done using email or via websites that appear untrustworthy.