Historians will look back at 2016 as the year that cybersecurity moved from being an important issue to a critical one on both sides of the Atlantic. In the United States, the two main presidential candidates traded insults over email security and claims that Russian hackers were trying to influence the election’s outcome by leaking stolen data.
Democrat candidate Hillary Clinton was under fire for allegedly using a private email server for classified documents while working as Secretary of State. Republican candidate Donald Trump was accused of encouraging foreign powers to hack his rival and publish whatever incriminating or embarrassing information they could find. But both candidates agreed that cyber security was a vital issue of national security.
In Britain, the Chancellor of the Exchequer, Philip Hammond, unveiled a new £1.9 billion cybersecurity strategy to ensure the country could “retaliate in kind” against any digital attacks on national infrastructure like the electricity grid or air traffic control systems. But behind the politics, what were the real security lessons of 2016?
- The Internet of Things is vulnerable
An attack on Dyn, one of the companies behind the infrastructure of the internet, in early October revealed how the new generation of connected devices has created fresh opportunities for hackers. Major websites – including Netflix, Twitter, Spotify and Amazon – all came under attack. Security analysts revealed that compromised Internet of Things (IoT) devices such as digital cameras and video recorders had been the entry point for hackers. A basic security vulnerability with these devices – factory-default security settings – had allowed hackers to disrupt the internet infrastructure.
The message for manufacturers, consumers and businesses was self-evident: The Internet of Things needs an urgent security upgrade.
- Rise and rise of ransomware
You can trace the early origins of ransomware to the days of pop-up bogus “official messages” warning that your computer has been infected, or that you’d been caught doing something illegal. Today, the tactic has evolved into attempts to lock businesses out of their own network, critical files or services until money is handed over. What has made 2016 different is a step-change in the scale of the problem.
The analyst firm Gartner reported $209 million was extracted through ransomware attacks in the first three months of 2016, compared to $24 million that was extracted from US businesses in 2015. Businesses, hospitals and universities have all been targets and an increasing number of victims are paying up to regain control of their network or vital files. A recent survey also revealed that 1 in 3 businesses were clueless about ransomware: either not knowing what it was at all, or misunderstanding what it was.
The lesson for business is clear: understand what it is and its possible impact on your business, and have a plan in place that outlines what to do if a ransomware attack happens.
- Rise of encryption
One of the tech stories of the year was the clash between Apple and the FBI over access to data in the iPhone of one of the San Bernardino bombers. The public debate about privacy and security that followed saw the instant messenger (IM) service WhatsApp decide to add end-to-end encryption to users’ messages.
In theory, the move meant that no-one apart from the sender and intended recipient can read messages – not even WhatsApp itself. The move put pressure on other IMs, email services and social channels to reassure users that messages were snoop-proof and encrypted. The need to use encryption to secure your data has never been stronger. Cybercriminals are becoming more sophisticated and as they do so we need to step up and take proactive steps to stay ahead of them.
There was a two-fold lesson for businesses: firstly, to understand how data was being shared inside and outside their organization; secondly, to consider encrypting the most sensitive files.
- Reinvention of the log-in
The password isn’t quite dead yet, but 2016 saw a broad effort to push users towards more secure log-in procedures. Both Google and Apple rolled out improvements to multi-factor verification and authorization – using multiple devices or security steps to approve a key action or transaction.
A growing number of banks and financial institutions began testing biometric verification – fingerprint and voice recognition – seeing it as an important way to reduce fraud. The lesson of the year was that the days of logging in with just a username and password are coming to an end.
Businesses need to think about how they can create more secure pathways for accessing account, order or profile information, and how to encourage employees and customers to use them.
- The threat from inside
Reports about cybersecurity tend to be dominated by headlines about hackers, whether individuals, criminal gangs or countries testing other nations’ cyber defences. Looking back at some of the biggest security breaches of 2016 you’ll find a common factor: the loss of data involved someone from inside the business.
In some cases, the leak started with the loss or theft of a company laptop, memory stick or mobile phone. In others, employees shared data they shouldn’t have, either accidentally or by deliberately trying to sell confidential information. According to the Ponemon Institute, the cost to businesses of clearing up data leaks is going up year after year.
The lesson for businesses is to ensure that staff understand security risks, have regular training, and that procedures are in place to cut the chance of confidential data leaking out. Restricting access to only those employees that need it also helps businesses reduce the risk of loss of data and reputation.
- No-one is immune
2016 was the year that saw millions of user account details stolen from some of the best-known tech brands – Yahoo!, LinkedIn, Twitter – go up for sale on the Dark Web. It was also the year that the presidential campaign put the spotlight on government security – with a stream of leaked data and questions about unsecure email servers allegedly being used for classified information.
But don’t be fooled into thinking that big brands or big targets are the only game in town. Research by the Federation of Small Businesses in the UK in 2016 found that two out of three small firms had been victims of cybercrime in the previous two years. According to the FSB, the financial costs suffered by small firms from an attack are “disproportionately bigger” than those suffered by larger firms.
One of the biggest lessons to take from the year is that no business is immune from cyber threats – and the risk to business survival is higher the smaller the company is.
Tony Anscombe, Senior Security Evangelist at AVG Business, said: “Cybersecurity has had a high political and media profile this year, thanks to the US presidential elections. But businesses shouldn’t make the mistake of thinking that the issue is all about nations waging digital warfare or politicians being hacked. The key lessons of the year are about the rise in ransomware, and the new attack vectors that are being created for hackers by the increasing number of connected devices, often with poor built-in security. Business owners need to be thinking harder than ever about internal security, training and procedures, the tools and tech they are bringing into their organisation, as well as the security they deploy across their network.”