All you have to do is have a quick sift through the major headlines of the past year to see a number of stories surrounding high-profile data breaches.
Despite this focus on big brands, ‘security’ is something of a concern for businesses of all sizes, as well as any consumer that owns tech products and has their own bank account.
Greg Aligiannis, senior director of security at Echoworx, reveals that the Internet of Things (IoT) is growing at breakneck speeds, ‘from two billion objects in 2006 to a projected 200 billion by 2020’, while Tom Gaffney, security advisor at F-Secure, calls 2015 ‘the year of password hacks’.
Couple all this with stats from Norton that show malware increased 26 per cent in 2014 and there are now one million new threats across the globe per day. PCR thought it was about time to speak to a number of security experts to find out exactly what some of the biggest threats are, how retailers and resellers are still making money from the changing security landscape, and how businesses should be protecting themselves.
IN WORKING ORDER
The Sony hack and Ashley Madison data breach are recent examples of the damage that can be done to businesses that are breached. As Duncan Brown, European security practice research director at IDC, puts it: “Without a doubt, the most significant threat to a business is a persistent, targeted attack. There is a near-certainty that such an attack will be successful.”
While the Sony hack focused on circulating unreleased films and employees’ personal information, and the Ashley Madison breach appeared to be a name and shame campaign, a lot of attacks are centred around collecting bank cards and banking details. “Whether it’s raids on banks or retailers’ servers, the trade in stolen credit card and banking details is thriving on the dark web,” says Steve Bell, security expert at BullGuard.
It seems the culprits of these attacks are no longer mere individuals as they once were thought to be. “These are large-scale co-ordinated attacks, highly sophisticated and driven by groups of cyber criminals distributed across the world,” explains Raghuram Gorur, program director at Happiest Minds.
Rob Hall, director of PXS Distribution, points out that the changing working environment can lead to companies being exposed to cyber crime too. “The BYOD phenomenon coupled with mobility has increased the malware and phishing landscape drastically,” he says. “Vulnerability in general is higher than ever.”
LIFE’S A BREACH
It’s not just organisations that have to continue to ramp up their security. Consumers continue to be affected by various cyber crimes, and last year saw increases in the number of different targets, including healthcare and National Insurance numbers.
“Having a person’s NI number allows cyber criminals to get high-demand prescription drugs in the consumer’s name and have the potential to blackmail those people,” explains Brendan Rizzo, technical director for EMEA at HP Security Voltage.
Social media-based threats have also caught the attention of security firms. “This is a stand out area,” says BullGuard’s Steve Bell. “Hackers are continually developing new techniques to exploit social networks to send users to dubious web sites and malware-infected links. From the criminals’ perspective, it’s a relatively risk-free endeavour, which can bring lucrative rewards.”
As well as the increase in these more uncommon threats, ransomware and bank detail theft have continued to be problematic for consumers.
Gareth Lockwood, EMEA consumer product specialist at Norton, tells PCR: “Ransomware is evolving and continues to grow at a rapid rate – increasing 113 per cent last year.
“This is where a victim’s data is captured and/or encrypted, then a cyber criminal will extort a ‘fine’ in exchange for the safe return of consumer or business data.”
IDC’s Duncan Brown adds: “Ransomware has risen dramatically in the last year or so, and it is extremely distressing for victims. Phone and bank card fraud scams, though not pure cyber security threats, are often enhanced through online profiling of targets.”
One of the biggest threats for consumers, and eCommerce businesses, over the past year has been the increase in Card Not Present fraud (CNP fraud), according to Jackie Barwell, head of fraud products at payment systems firm ACI Worldwide.
“CNP fraud has grown with the widespread adoption of EMV (so-called smart cards, also called chip cards or IC cards, which store their data on integrated circuits rather than magnetic strips).
“The adoption of EMV has seen more and more fraudsters move from the more traditional channels of card theft and domestic counterfeiting to CNP and cross-border counterfeit fraud,” says Barwell.
With all the ever-increasing threats to individuals and businesses, and more large-scale cyber crimes being reported on, does it make it any easier to sell antivirus?
As Happiest Minds’ Raghuram Gorur simply puts it: “Security is no longer seen as a cost but it is an essential enabler.” So as security stops being considered an ‘add-on’ product and is taken more seriously, what does that mean for those selling security software, products and services?
“At the consumer level it’s an easier sell. Very few people today would go onto the internet without some form of security,” Steve Bell tells PCR. “At the business and especially SME level, security needs simplifying. Vendors who can offer simple comprehensive security in one package, from mobile protection to network safeguards and malware detection, will hit the jackpot in the SME market.”
IDC’s Duncan Brown adds: “Security used to be sold as an optional add-on, purchased in the same way that people buy insurance for consumer appliances. Today, it is increasingly being integrated as a core component within other solutions, or even the starting point for some companies as they seek to re-architect their IT infrastructure.”
Fraser Kyne, principal systems engineer at Bromium, comments: “There’s been a shift around where the security is implemented. For a long time people have tried to do it at the network perimeter, but the definition of a perimeter has evaporated with the internet, mobility and cloud. So now we’re seeing a re-focus on security on the endpoint device.”
It seems the successful vendors are taking a consultative approach, helping their customers understand the potential risks and then providing appropriate recommendations.
“This is why the channel is still so successful,” says F-Secure’s Tom Gaffney. “Almost no security vendor can provide a one-stop shop solution, so the trusted partner who has relationships with a number of vendors can be best placed to provide the right set of products for the end user.”
James Vyvyan, regional VP for the UK and Ireland at Sophos, goes as far as to declare the specialist point of sale ‘dead’: “Sales people need to understand the wider context that the customer operates within and sell a whole solution that deals with the complex advanced persistent threats of today’s environment.
“Security sales today need to help enable and support IT across all products rather than just focus on preventing specific threats.”
MAKING MONEY FROM SUBSCRIPTIONS
One of the most noticeable ways that selling security has changed is the shift from one-off boxed products to the sale of subscriptions and auto-renewals.
While this is good news for the end user, who now has more options to pick from when it comes to updating software, what does that mean for those who have built up a business around selling these products?
“Shifting from a licensing business model to a subscription-based one has transformed security into a comprehensive service,” says Catalin Cosoi, chief security strategist at Bitdefender.
“Auto-renewal is a strong way to show customers that they are continuously protected and that they don’t need to be concerned with the expiration date of the licence and thus, any exposure to e-threats.”
These offerings present repeat business with little investment required. “The right security software that provides rigorous and easy-to-manage protection at the right price will have people clicking the renew button,” says BullGuard’s Steve Bell. “To really benefit from this, retailers need to have a revenue share deal on renewal business with the vendor, like the one BullGuard has with its partners.”
IDC’s Duncan Brown comments: “Consumers are more likely to buy security features if they are integrated and embedded in other online products or services.”
Bromium’s Fraser Kyne likens renewals to car insurance, saying that vendors rely on consumers’ apathy and inertia in the knowledge that a certain percentage will just renew without thinking. “Smart/good vendors will continue to provide sustainable value to warrant the renewal,” he says.
Subscriptions also give those who offer them an opportunity to engage with customers directly.
“In addition to financial incentives such as competitive pricing, rebates and revenue share, retailers have the option to add value for new customers and renewals,” explains Norton’s Gareth Lockwood. “This can be through offering separate paid add-ons such as additional backup capacity or utilities/tune-up software, for example.”
THE FUTURE OF SECURITY
So we know what businesses and consumers should be protecting themselves against now and in the near future, but the security landscape never stops changing.
We asked the industry experts how we can expect cyber threats to evolve in the near future, and what new tech is most likely to cause the most security issues. IoT was mentioned by nearly all that we spoke to, and many were in agreement that mobile-based threats are set to continue to gather greater momentum.
“A huge potential for threat in any country is the ubiquitous Internet of Things,” says HP Security Voltage’s Brendan Rizzo. “IoT devices themselves were not designed with security of data in mind. Most devices have a minimum protection over a default password, but consumers are not aware they need to change it or go over security settings for their devices. This allows the cyber criminals to access wider systems as the insecure device or router allows them in.”
BullGuard’s Steve Bell believes that we are set to see more mobile malware aimed at Android-based devices: “As the world increasingly moves towards mobile computing, so do hackers driven by the opportunities. Research has already uncovered huge rises in instances of Android-specific malware – we’re talking a predicted two million instances by the end of 2015.”
PXS’ Rob Hall agrees: “The search for and phishing for personal and critical business data will continue to increase. Connected devices, mobile devices and the connected home ensure that the speed of the phishing and malware attacks are infinitely faster.”
Given the synergies between mobile devices and other internet-connected devices, Norton’s Gareth Lockwood expects ransomware to quickly permeate smartwatches, refrigerators, TVs, surveillance cameras and even cars. “We’ve already demonstrated a proof-of-concept attack on a Moto 360 smartwatch,” he says. “Apps that push data from smartphones to smart devices create an open playing field for attackers when left unsecured.”
F-Secure’s Tom Gaffney adds: “IoT threats will make the news. We’ve seen multiple vulnerabilities highlighted by security analysts that show how attacks can be triggered on anything connected to the internet, from cars to light bulbs. Too many things are going online without security built in by design.
“The first major attack will happen on a widespread consumer device, this year, next year? Who knows – but it will happen.”