Article by Steve Durbin, Managing Director of Information Security Forum
In both the current and future climate, organisations will encounter growing disruption as threats from the digital world impact the physical. Invasive technologies will be adopted across both industrial and consumer markets, creating an increasingly turbulent and unpredictable security environment. The requirement for a flexible approach to security and resilience will be crucial as a hybrid threat environment emerges.
The impact of cyber attacks will be felt on an unprecedented scale as ageing and neglected infrastructure is targeted, with services substantially disrupted due to vulnerabilities in the underlying technology. Mismanagement of connected assets will provide attackers with opportunities to exploit organisations.
There are three dominant security threats that businesses need to prepare for. Let’s look at each.
5G technology broadens attack surfaces
The arrival of 5G, with significantly faster speeds, increased capacity and lower latency, will change existing operating environments. However, these benefits will come at the expense of an exponential growth of attack surfaces. The 5G-enabled devices and networks that underpin society will be compromised by both new and traditional attacks, causing chaos and plunging businesses into disarray.
The impact of attacks on 5G technologies and infrastructure will be felt across a range of industries which leverage 5G to become more operationally efficient or to automate and speed up processes. There will be countless opportunities to target 5G infrastructure, including billions of previously unconnected IoT devices and new private networks.
Millions of new 5G-enabled masts, built and operated by a plethora of companies and governments to varying levels of assurance, will have new vulnerabilities exposed and create new ingress points for attackers to exploit. The step-change in available bandwidth will act as an accelerator to existing attacks and amplify new ones, stretching organisational resilience to its maximum.
The UK’s critical national infrastructure (CNI), IoT manufacturers, businesses and citizens will all be heavily or entirely dependent on 5G to operate. From nation states aiming to cripple CNI – to hackers spying on private networks – 5G technologies and infrastructure will become a key target. The issues surrounding Huawei, and its access to the UK’s CNI as its products are used to support aggressive 5G and other technology roll outs, will continue to occupy the minds of politicians and business leaders as economic tension continues to grow and protectionism increases.
Data privacy and IoT
Highly sophisticated and extended supply chains, including cloud technology, present new risks to corporate data as it is necessarily shared with third party providers. IoT devices are often part of a wider implementation that is key to the overall functionality. Since so much of our critical data is now held in the cloud, this creates an opportunity for cyber criminals and nation states to sabotage the cloud, aiming to disrupt economies and take down critical infrastructure through physical attacks and operating vulnerabilities across the supply chain.
Against this backdrop, there must be a balance between handing powers to the authorities to protect its citizens whilst also ensuring the protection of the individual’s right to privacy. But what is the right balance and how do we achieve it? This debate has been ongoing for some while, and there is clearly a need to protect the rights of the individual around the collection, processing and storage of personal data. The answer, as embodied in legislation such as GDPR for instance, would seem to be that any such collection should only be for specified, explicit and legitimate purposes and limited to what is necessary as defined by the courts and that the data once collected should not be stored for longer than is necessary. That said, I see no short-term end to the debate over concerns about gathering and processing personal information, whether it be through surveillance programmes, such as that undertaken by the National Security Agency, or more recently by other authorities around the world via facial recognition systems.
We live in a world of increasing surveillance, therefore guidelines and laws to protect the rights of the individual will need to continue evolving to reflect the advancements that technology brings. Transparency and oversight are fundamental requirements and striking an acceptable balance will be an ongoing challenge in our increasingly cyber-enabled world.
Nation states and the insider threat
Criminal organisations have a massive resource pool available to them and there is evidence that nation states are outsourcing this as a means of establishing deniability. Nation states have fought for supremacy throughout history, and more recently, this has involved targeted espionage on nuclear, space, information and now smart technology. Industrial espionage is not new and commercial organisations developing strategically important technologies will be systematically targeted as national and commercial interests blur. Targeted organisations should expect to see sustained and well-funded attacks involving a range of techniques such as zero-day exploits, DDoS attacks and advanced persistent threats.
Additionally, the insider threat is one of the greatest drivers of security risks that organisations face, as a malicious insider utilises credentials to gain access to a given organisation’s critical assets. Many organisations are challenged to detect internal nefarious acts, often due to limited access controls and the ability to detect unusual activity once someone is already inside their network.
The threat from malicious insider activity is an increasing concern, especially for financial institutions, and will continue to be so in the years to come.
Preparation begins now
As new technologies emerge, organisations will need to adapt to the changing norms and values of society. Information security teams will need to consider the suitability of implementing evolving or poorly secured technology within the organisation. Failure to protect against pervasive attacks will leave operations exposed to significant negative financial impacts and damage to brand reputation.
Above all, organisations rely on trust – and in the digital world, innovative technologies can be misused to erode that trust and digitally naive employees can be exploited, endangering the relationships between organisations and their key stakeholders.
Attackers will be presented with the tools and opportunities to ruthlessly target and exploit those who are unprepared. As the digital and physical worlds collide, only organisations that take decisive action will thrive.