An analysis of the main risks for businesses, public entities, and citizens
In the field of the Internet of things, the topic that has generated the most interest in the field of technological advances in recent months is cybersecurity. News articles and studies agree on the importance of alerting against the risks and the urgency of implementing measures in light of the growing importance of digital resources in businesses and in society in general. It is calculated that attacks cost €14 billion in 2015 in Spain alone.
Threats have a global dimension and can affect any individual or entity connected to the Internet at any location. They are also difficult to eradicate due to the absence of efficient legal mechanisms in cyberspace and because they evolve at the same pace as digital advances, hindering their prevention.
To understand the scope, we will analyze the main risks, threats, and types of responses in three areas: companies, public entities, and citizens.
Detecting threats, containing their impact, and understanding how they operate in order to prevent attacks are the keys to increasing trust
“Cybercrime is the biggest threat for all the professionals, industries, and businesses in the world,” states Ginni Rometty, CEO of IBM, regarding the threat of cybercrime on data, “the world’s new natural resource.”
The aerospace, technology, and banking industries face the greatest risk against attacks. However, the threat is transversal throughout industries. Digitization is transforming processes, thereby making them vulnerable to cyberattacks unless appropriate measures are taken. In companies, the threat or destruction of intellectual property is the most common attack.
The defense strategy should not be solely based on protection. Instead, it must also include monitoring in order to prevent attacks as well as defining response mechanisms that minimize the impact.
An important source of risk is attributed to human factors. The actions of employees who use digital services and systems without proper knowledge of security are some of the top risks that have been detected.
One example of the solutions being implemented to protect businesses is to hire managed security service providers (MSSP) that offer a range of services, including protection against spam and viruses, management of virtual private networks (VPN), and system updates.
Another option is to hire cloud-based security services to improve e-mail access, identity management, and data encryption.
The combination of big data and analytics can also help increase security levels if the data is used to identify anomalous activities or to predict attacks.
Another protection strategy is ethical hacking, which consists of performing penetration tests on systems with the aim of detecting vulnerabilities. Simulating these incidents is one of the most efficient ways of improving defenses and anticipating responses.
IBM recommends that companies should install continuous security monitoring software, share incidents in order to improve protections within the industry, identify assets and develop a plan for each one based on the risk level, and include cybersecurity as a fundamental part of business processes and decision making.
The Cisco Annual Security Report highlights the outsourcing trend, especially audits and incident response services, and the main barrier in implementing defense strategies is budget limitations. Detecting threats, containing their impact, and understanding how they operate in order to prevent future attacks are the keys to increasing the trust of a company’s security.
The Internet of things is based on interconnected smart objects, and these systems can be accessed fraudulently to manipulate how the services are used
As far as the human factor risk in companies, the BYOD (bring your own device) trend is a threat that is shared with users outside of the workplace due to the extensive use of applications and connected services. Mobile devices are vulnerable to cyberattacks through the use of apps and by accessing content or networks without the appropriate protective measures. Most cases are resolved with an update from the manufacturer, as long as the manufacturer has the knowledge and the solution for security breaches, or they will depend on service providers, which leads to the need to anticipate risks and guarantee infallible communications in sectors that are particularly vulnerable, such as banking, telecommunications or retail.
On the other hand, the Internet of things is based on interconnected smart objects, and fraudulent access to these systems can be used to monitor data and user activity, and to manipulate how services are used. This can occur in homes or in vehicles (it has been discovered that a car can be turned off remotely while it is being driven), as well as in smart cities, so the scope of this threat is very extensive. The entry points for these attacks are software and protocol vulnerabilities (errors that the manufacturer is not aware of), and also improper server configurations. According to Gartner, in 2016 the use of these devices will be 30% higher than in 2015.
The usual recommendations for users are based on adding antivirus protections, improving passwords to make them more secure, and not installing applications from unknown developers. The leading operating systems and browsers already suggest measures along these lines.
Personal identification systems, which are a key trend due to the growing number of services offered via mobile devices (such as payment methods), are making progress to guarantee security in transactions as well as the use of wearables or smart home controls. Identification models are currently based on biometric data like fingerprints or facial recognition, as well as innovative solutions such as vein readers, as proposed by VISA.
“Laws are always a step behind reality when it comes to classifying and pursuing computer crimes”
A massive attack on critical infrastructures, such as power grids, transportation networks or financial systems, could cause a social and economic crisis by paralyzing essential services. A cyberwar is the greatest fear on a state level, although there are other risks that are less fatalistic but with serious consequences that could result from using e-government and remote services.
Countries are adopting defense strategies and defining collaborations between entities in order to face cyberattacks and cyberterrorism. The U.S. Government has established the NCTC (National Counterterrorism Center) as well as the Cyber Threat Intelligence Integration Center (CTIIC), which is responsible for coordinating actions and sharing information.
In Spain, the Joint Cyber Defense Command of the Armed Forces (Mando Conjunto de Ciberdefensa del Ejército) has a number of organizations that work in this field, including CERT (Information Security Incident Response Team), INCIBE (National Cybersecurity Institute), and CCN (National Cryptology Center).
The report on The State of Cybersecurity (U-Tad, 2015) highlights the concept of sharing information between organizations, public entities, and citizens as one of the fundamental factors in facing the risks and providing an appropriate legislative framework.
In its Annual Report, the Public Prosecutor’s Office points out that the updates made to the Criminal Code by the Organic Law 1/2015 will result in more prosecutions for these types of crimes, but it warns that “laws are always a step behind reality, and this is more evident when attempting to classify and pursue computer crimes.” This highlights the importance of Law professionals being continuously up-to-date on technological advances.
In summary, public entities must promote initiatives, coordinate information and responses, regulate the legislative framework, and provide protection through the State’s security forces.
Along these lines, the European Union is working on a directive (pending approval for spring 2016) that will impose a minimum level of security for technologies, networks, and digital services in all the member nations.
- BYOD (bring your own device): the use of personal devices (such as mobile devices) in the workplace adds vulnerabilities to a company’s security.
- Smart grid: smart grids that are connected to the Internet require a specific risk analysis in order to prevent power interruptions and consumption espionage.
- SCADA (supervisory control and data acquisition): protecting this industrial process control software is a priority in preventing the remote control of elements such as production systems, satellite communications or public infrastructures.
- Malware: malicious applications that damage computer systems, and ransomware (a form of malware) sequesters document access and forces victims to pay a ransom in order for their systems to be released.
- Phishing: identity theft (of a service provider, for example), which is used to steal passwords or banking information, has evolved into spear phishing. This allows attackers to take advantage of a user’s public information (via social networks, for example) to perform fraud with increased authenticity.