The terms “cybercrime” and “cybersecurity” conjure up images of teens in hoodies and impenetrable lines of code. It’s tempting to glaze over and trust that the technical experts will keep us safe. But as our digital footprints expand, and hackers upskill, that approach is becoming increasingly risky.

The methods and motivations of cybercriminals are evolving. To be sure, bank accounts are still emptied through identity theft, and we still occasionally click on those malicious email links despite knowing better.

Cybersecurity systems deploy several defences to thwart everything from ‘petty’ to nation state grade cyberattacks. None is used more widely than data encryption. But encryption standards currently considered best-of-breed may no longer be a barrier to hackers using increasingly powerful processors in future.

Within 10 to 20 years’ time, we will reach a level of computing power that will most likely be able decipher all encrypted data as it stands today. That includes the numerical trickery protecting credit card details, intellectual property and government secrets. Even the cryptography protecting your Bitcoin is at risk.

The motivation of attackers is also changing. Private hackers extorting money via ransomware or other forms of blackmail are top of mind for IT departments the world over. But reports of pro-Russian hackers using ‘wipers’ to permanently delete sensitive Ukrainian information, without asking for so much as a hryvnia, illustrates the growing versatility of cybercrime. While such attacks may not be financially motivated, they can result in significant financial harm to companies who are increasingly reliant on the availability of systems distributed in the cloud.

Hackers with quantum computing

“Encryption that we consider unbreakable today will be easily broken with quantum computing in future,” says Reuven Aronashvili, CEO of CYE, an industry-leading cybersecurity platform, during a recent Investec Focus Talk. (Disclosure: Investec is a client of CYE).

Unlike the Y2K bug that caught the world napping when it came to preparation, the cybersecurity industry is already working hard to develop post-quantum cryptography (PQC) and quantum resistant ledgers (QRL) because the risks run so high. As Aronashvili points out, those defending against cyberattacks have to be vigilant at every level of the organisation and of every form of attack, while attackers only need to exploit a single vulnerability in order to do untold damage.

Quantum computing (QC) will initially be in the relatively safe hands of governments and large corporations like Google and Amazon, but ahead of it going mainstream, hackers will undoubtably be storing encrypted data collected today for cracking by QC tomorrow.

Even more sobering is the fact that QC will give attackers the power to hack your biometric signatures – from facial features and fingerprints to voice recognition profiles. Old school usernames and passwords can simply be reset, but the same is not true of biometric data, which is unique. Once compromised, it is compromised forever.

“Biometric protection is considered to be very complex. But that’s not right. Quantum computing will be able to break it. In the army, that’s called a one-time risk because there’s no way back,” continued Aronashvili.

It’s therefore incumbent on the cybersecurity industry, and any companies using biometric data, to secure data and permissions and review their methods in order to remain ahead of a faceless and increasingly powerful enemy. 

For the man on the street, keeping your device’s security software updated and using multi-factor authentication, from passwords to one-time pins and biometric information is your best form of defence today.

Cybersecurity for your brain

“Naysayers of the metaverse point to the madness of wearing goggles all day. But in time goggles will become glasses, then contact lenses and eventually a brain interface. And because it’s a fully immersive experience where your brain can’t distinguish between reality and virtual reality, nefarious actors could implant memories or thoughts,” says Young who believes that the fantastical world of Leo DiCaprio’s Inception may no longer be the realm of science fiction in the future.

The underlying challenge is fundamental: market forces drive digital innovation faster than cybersecurity measures can be built. Aronashvili and CYE are working to change that paradigm: “The future we see is one of security by design. That means you don't plant a chip in your brain before making sure that the cybersecurity capabilities are already there.”

One of the most effective tools for putting said defences in place is through “ethical hacking”.

What is ethical hacking?

Remember 2017’s WannaCry? It was a worldwide ransomware attack – an export from one of North Korea’s few thriving industries – which infiltrated computers running Microsoft operating systems. It used encryption to render the data it accessed unusable. Damage was estimated in the billions of US dollars.

If not for Marcus Hutchins, a 23-year-old hacker who  found and flipped the worm’s kill switch, it could have been so much worse. His was a now legendary act of ‘white hat’ or ethical hacking.  

Businesses like CYE use ethical hacking, also known as ‘red teaming’, to probe organisational cybersecurity defences for weakness. Where they find them, security is optimised. They can also step in to limit the damage and ensure business continuity if a cyberattack occurs.

What needs to be appreciated is that exercises like ethical hacking are not once-off activities. “We see quite a lot of business reach a point where they think they can stop investing in cybersecurity,” says Aronashvili. “They are not necessarily bad organisations, but because cyber threats are continuously evolving, they are putting themselves at risk.”

The risk extends beyond the immediate threat of being hacked; businesses without a strong cybersecurity posture also risk losing market share to those that continuously mature and improve their posture.  

Cybersecurity as a business differentiator

“A bank like ours ultimately deals in trust and reputation,” says Young. “Ransomware attacks that render client data temporarily unavailable would undermine confidence.”

From this, Young infers that trust in cybersecurity measures is becoming a key business differentiator.

Aronashvili concurs: “We’re already seeing that trend. Consumers and businesses want to know that the data they share with you is protected at the highest level possible level. The need for trust extends beyond your bank to any service or product connected to the internet. In future that could include things as vulnerable as your pacemaker, smart cars or airlines.”

But as businesses become increasingly reliant on data and processes distributed across global networks like AWS and Microsoft Azure, one of the biggest weaknesses could be the cloud itself.

Clouds and continuity 

Having your data and software in the cloud has clear advantages for business continuity, lowering the threat of localised events like fire and theft resulting in irredeemable damage to business processes or systems.

But relying on the cloud brings its own risks.

Aronashvili explains: “Cloudflare had availability issues recently recently. So has Azure and AWS. Those are single points of failure that effect whole industries, not just the odd organisation. In the business continuity and disaster plans we see, few organisations are taking cloud risk seriously. The attitude is if Microsoft goes down, then it’s the end of the world and the game’s over in any case.”

And it’s not simply technical failures that one needs to plan for. With global tensions on the rise and the spectre of a nation-level cyberattack looming large, it’s not implausible that entire countries may take the defensive step of shutting their infrastructure off from the Internet, with potentially disastrous consequences for companies relying on servers located within their borders.

Aronashvili’s conclusion is that it might be worth having a local backup of your mission-critical data and software, even if it’s just the bare essentials to keep your business running in the case of a cloud outage.

First mover advantage

“Nation-level attackers are considered the top of the pyramid. But more of their capabilities are spilling into the commercial world, often wielded by less experienced hackers who then create messy, chaotic situations,” Aronashvili continues.

In other words, the cyberattacks in the commercial sphere, increasingly in the shape of ransomware, are likely to become more sophisticated.

It pays to remember that the perpetrators are just as concerned with return on investment (ROI) as their legitimate business counterparts – they will take the path of least cyber resistance.

“If you're going to react after something happens, you're going to spend the money that you saved over the years on not investing in cybersecurity. You will pay at some point, there's no way around it,” concluded Aronashvili.