Looking back over the last year, we have seen record levels of cyber crime, including attacks on some very high-profile victims. The most recent Cyber Security Breaches Survey from the UK Department for Culture, Media and Sport, published in April 2017, found that 46 per cent of all businesses had identified an attack or breach in the previous 12 months, rising to 65 per cent among companies with a turnover above £2 million.
It is safe to assume that attacks will continue in 2018, and will probably increase as more criminals copy attacks that have already succeeded, until the risk to the attacker outweighs the potential reward.
There are many ways to combat cybercrime, but they span multiple countries, organisations and even ideals, so no single one will do on its own. The aim must be to reach a point where incentives are aligned from the end-user all the way up to corporate boards and governments. Only a combination of measures, and a genuine desire to work together, will achieve something that works.
Government regulation is important, but it usually applies to a single country at a time, which is of little use if your attacker is based offshore or works for a foreign government with no interest in stopping the attack. That is not a reason to avoid regulation, however. If governments set out a workable set of rules that leads people to trust software from one country over another, it may help to segregate internet traffic into trusted and untrusted zones.
Industry bodies can add value as well. Organisations such as (ISC)², the IISP and the IEEE have whole chapters devoted to information security. The hard part for them is avoiding duplication: similar but different guidelines only confuse the people trying to follow them.
In the equipment domain we have competing standards, little real standardisation and seemingly zero security in many of the products themselves. Manufacturers need to up their game. I can see a day when cybersecurity certification of a product becomes a requirement for selling it in countries like the UK.
Products with hard-coded passwords that cannot be changed, or that store certain types of data unencrypted, would fail certification. Certification can be faked, but at least a company caught doing so can then be blacklisted or fined.
So where does that leave end-users? I hope that our organisations will become much slower to adopt technology for its own sake, and that our suppliers will be more honest and objective about security. We need to stop buying IT services from firms that cannot demonstrate they know how to configure our networks and secure them against attack.