As A Cyber Armageddon Looms on the Horizon, Are Organizations & Individuals Equipped To Navigate the Cyberworld Minefield?

From Verizon's Data Breach Report, 2014

Cyber attacks and DDoS (Distributed Denial of Service) assaults are no longer something that happens to a select few. For most, the question now is no longer a 'What If' but rather a 'When'. 

The infographic above is excerpted from Verizon's 'Data Breach Investigations Report, 2014'. Based on  1367 breaches and more than 63,000 security incidents in 95 countries, the key takeaways from the report are:

1. Corporate espionage is on the rise 
2. Internal employees, business partners and collusion threats make up less than 10% of data thieves. 
3. Hacked stolen credentials led the way in root cause. 
4. Hacks were discovered more often by internal employees than by outsiders. 
5. Physical tampering of ATMs is heavily on the increase.

A 2014 McKinsey report on the issue made the following rather worrying observations:

In an increasingly digitized world, the vulnerability of private, public and civil institutions, not to speak of individuals, to cybercriminals, 'hacktivists' of various kinds, nation-states and even internal employees and associates has increased progressively over the last decade.

The study by McKinsey, together with the World Economic Forum (WEF) had the following findings:

• Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks—and it is getting worse. The risk of cyberattacks could materially slow the pace of technology and business innovation. 
• Enterprise-technology executives agree on the seven practices they must put in place to improve their resilience in the face of cyberattacks; even so, most technology executives gave their institutions low scores in making the required changes. 
• Given the cross-functional, high-stakes nature of cybersecurity, it is a CEO-level issue, and progress toward cyberresiliency can only be achieved with active engagement from the senior leaders of public and private institutions.

A Profile of Data Theft

It is evident that the defenders are losing ground to the attackers. Nearly 80 percent of technology executives said that they cannot keep up with the increasing sophistication of attackers. 

Large institutions lack the facts and processes to make effective decisions about cybersecurity. Larger expenditures have not translated into an increased maturity, and many institutions appear to be merely throwing money at the problem without making much progress.

Controls required to protect against cyberattacks are already having a negative business impact. Security concerns are delaying mobile functionality in enterprises by an average of six months—and are dramatically limiting the extent to which many companies are using public-cloud services. For nearly three-quarters of companies, security controls reduce frontline productivity by slowing employees’ ability to share information.

In the case of individuals who have invested considerably in digital estates & properties and have moved a good bit of their data on to the cloud, this account from a tech. journalist about how his digital life was taken over and destroyed by hackers should tell you a fair bit about the dangers one runs even if one is reasonably tech-savvy. The detailed article can be read here.

In addition to secure sites and second-factor authentications, complex passwords, generated by a variety of apps available for the purpose are at times not deemed foolproof security. Considerable work is going on in the matter of replacing passwords, and the options range from biometrics to USB devices to photos and even heartbeats. Check out this article to learn more about the current status of password alternatives.

There is also a vigorous debate on about the onus of protecting and removing personal information before sharing data about cyberthreats. Representatives from the financial and energy sectors in the U.S.A., for example, have affirmed that they are capable of protecting personal information available in their databases. This is important, since the personal information contained in Internet records is some of the most sensitive out there. It can reflect the political organizations people belong to, what they read, where they go, what they study and worship among other things. It can't be left to the whims of companies, who hold this information, whether to share this data or not.

The other growing menace faced by sites regularly accessed by hundreds of thousands of users are DDoS attacks which effectively take the site out of commission and make it inaccessible, at times for several hours. A DDoS attack can be described as throwing the kitchen sink to plug a relatively small hole and as the diagram here will show, doesn't need a great degree of sophistication or specialized hardware and software.  The increasing frequency of such attacks can be gauged from the digital attack map visible by following the link in the post below.

Adoption of many of the measures, outlined earlier, are no longer an option for most organizations and agencies dealing with large databases and sensitive data. Likewise, for individuals, getting on to the internet without adequate layers of protection is like getting on to a minefield without a detector. As digital properties and estates become all pervasive and clouds, both public and private, increasingly become the repositories of huge databases and datasets, lax cybersecurity could lead to major catastrophes. In any case, recovery and disaster management processes, no matter how good the cybersecurity, should be in place.