The terms “cybercrime” and “cybersecurity” conjure up images of teens in hoodies and impenetrable lines of code. It’s tempting to glaze over and trust that the technical experts will keep us safe. But as our digital footprints expand, and hackers upskill, that approach is becoming increasingly risky.
The methods and motivations of cybercriminals are evolving. To be sure, bank accounts are still emptied through identity theft, and we still occasionally click on those malicious email links despite knowing better.
Cybersecurity systems deploy several defences to thwart everything from ‘petty’ to nation state grade cyberattacks. None is used more widely than data encryption. But encryption standards currently considered best-of-breed may no longer be a barrier to hackers using increasingly powerful processors in future.
Within 10 to 20 years’ time, we will reach a level of computing power that will most likely be able decipher all encrypted data as it stands today. That includes the numerical trickery protecting credit card details, intellectual property and government secrets. Even the cryptography protecting your Bitcoin is at risk.
The motivation of attackers is also changing. Private hackers extorting money via ransomware or other forms of blackmail are top of mind for IT departments the world over. But reports of pro-Russian hackers using ‘wipers’ to permanently delete sensitive Ukrainian information, without asking for so much as a hryvnia, illustrates the growing versatility of cybercrime. While such attacks may not be financially motivated, they can result in significant financial harm to companies who are increasingly reliant on the availability of systems distributed in the cloud.
Listen to the podcast
Prefer to listen on the go?
Click play to listen to the full discussion between Investec's Herman Young and CYE's Reuven Aonashvili on future cybersecurity trends.
Hackers with quantum computing
“Encryption that we consider unbreakable today will be easily broken with quantum computing in future,” says Reuven Aronashvili, CEO of CYE, an industry-leading cybersecurity platform, during a recent Investec Focus Talk. (Disclosure: Investec is a client of CYE).
Unlike the Y2K bug that caught the world napping when it came to preparation, the cybersecurity industry is already working hard to develop post-quantum cryptography (PQC) and quantum resistant ledgers (QRL) because the risks run so high. As Aronashvili points out, those defending against cyberattacks have to be vigilant at every level of the organisation and of every form of attack, while attackers only need to exploit a single vulnerability in order to do untold damage.
Quantum computing (QC) will initially be in the relatively safe hands of governments and large corporations like Google and Amazon, but ahead of it going mainstream, hackers will undoubtably be storing encrypted data collected today for cracking by QC tomorrow.
Even more sobering is the fact that QC will give attackers the power to hack your biometric signatures – from facial features and fingerprints to voice recognition profiles. Old school usernames and passwords can simply be reset, but the same is not true of biometric data, which is unique. Once compromised, it is compromised forever.
“Biometric protection is considered to be very complex. But that’s not right. Quantum computing will be able to break it. In the army, that’s called a one-time risk because there’s no way back,” continued Aronashvili.
It’s therefore incumbent on the cybersecurity industry, and any companies using biometric data, to secure data and permissions and review their methods in order to remain ahead of a faceless and increasingly powerful enemy.
For the man on the street, keeping your device’s security software updated and using multi-factor authentication, from passwords to one-time pins and biometric information is your best form of defence today.
What are banks doing to protect your biometric data?
While the threat of quantum hacking is at least a decade away, Herman Young, Global Chief Information Security Officer (CISO) at Investec explains that banks are getting ahead of the curve when it comes to protecting their clients’ digital identity.
Top level security testing
“First of all, we treat biometric data like any other data: we must make sure that attackers can't get to it. Secondly, we partner with world-leading cybersecurity firms like CYE to perform security assessments on those systems in order to pro-actively identify and remediate any security weaknesses.”
“We ensure that biometric and other sensitive data is always encrypted and access strictly controlled and monitored. We take the threat of quantum computing seriously and as an industry are working towards quantum-resistant encryption so that we are ready when the time comes.”
“If you use your fingerprint or face recognition on your iPhone for online banking, for example, we don't have access to that biometric data, it’s stored and encrypted in a super secure enclave on the device itself. As a bank, we simply put a certificate on your device and you unlock that certificate with your fingerprint or face to access our online banking applications. We never touch your biometrics.”
Cybersecurity for your brain
“Naysayers of the metaverse point to the madness of wearing goggles all day. But in time goggles will become glasses, then contact lenses and eventually a brain interface. And because it’s a fully immersive experience where your brain can’t distinguish between reality and virtual reality, nefarious actors could implant memories or thoughts,” says Young who believes that the fantastical world of Leo DiCaprio’s Inception may no longer be the realm of science fiction in the future.
The underlying challenge is fundamental: market forces drive digital innovation faster than cybersecurity measures can be built. Aronashvili and CYE are working to change that paradigm: “The future we see is one of security by design. That means you don't plant a chip in your brain before making sure that the cybersecurity capabilities are already there.”
One of the most effective tools for putting said defences in place is through “ethical hacking”.
What is ethical hacking?
Remember 2017’s WannaCry? It was a worldwide ransomware attack – an export from one of North Korea’s few thriving industries – which infiltrated computers running Microsoft operating systems. It used encryption to render the data it accessed unusable. Damage was estimated in the billions of US dollars.
If not for Marcus Hutchins, a 23-year-old hacker who found and flipped the worm’s kill switch, it could have been so much worse. His was a now legendary act of ‘white hat’ or ethical hacking.
Businesses like CYE use ethical hacking, also known as ‘red teaming’, to probe organisational cybersecurity defences for weakness. Where they find them, security is optimised. They can also step in to limit the damage and ensure business continuity if a cyberattack occurs.
What needs to be appreciated is that exercises like ethical hacking are not once-off activities. “We see quite a lot of business reach a point where they think they can stop investing in cybersecurity,” says Aronashvili. “They are not necessarily bad organisations, but because cyber threats are continuously evolving, they are putting themselves at risk.”
The risk extends beyond the immediate threat of being hacked; businesses without a strong cybersecurity posture also risk losing market share to those that continuously mature and improve their posture.
Cybersecurity as a business differentiator
“A bank like ours ultimately deals in trust and reputation,” says Young. “Ransomware attacks that render client data temporarily unavailable would undermine confidence.”
From this, Young infers that trust in cybersecurity measures is becoming a key business differentiator.
Aronashvili concurs: “We’re already seeing that trend. Consumers and businesses want to know that the data they share with you is protected at the highest level possible level. The need for trust extends beyond your bank to any service or product connected to the internet. In future that could include things as vulnerable as your pacemaker, smart cars or airlines.”
But as businesses become increasingly reliant on data and processes distributed across global networks like AWS and Microsoft Azure, one of the biggest weaknesses could be the cloud itself.
Clouds and continuity
Having your data and software in the cloud has clear advantages for business continuity, lowering the threat of localised events like fire and theft resulting in irredeemable damage to business processes or systems.
But relying on the cloud brings its own risks.
Aronashvili explains: “Cloudflare had availability issues recently recently. So has Azure and AWS. Those are single points of failure that effect whole industries, not just the odd organisation. In the business continuity and disaster plans we see, few organisations are taking cloud risk seriously. The attitude is if Microsoft goes down, then it’s the end of the world and the game’s over in any case.”
And it’s not simply technical failures that one needs to plan for. With global tensions on the rise and the spectre of a nation-level cyberattack looming large, it’s not implausible that entire countries may take the defensive step of shutting their infrastructure off from the Internet, with potentially disastrous consequences for companies relying on servers located within their borders.
Aronashvili’s conclusion is that it might be worth having a local backup of your mission-critical data and software, even if it’s just the bare essentials to keep your business running in the case of a cloud outage.
First mover advantage
“Nation-level attackers are considered the top of the pyramid. But more of their capabilities are spilling into the commercial world, often wielded by less experienced hackers who then create messy, chaotic situations,” Aronashvili continues.
In other words, the cyberattacks in the commercial sphere, increasingly in the shape of ransomware, are likely to become more sophisticated.
It pays to remember that the perpetrators are just as concerned with return on investment (ROI) as their legitimate business counterparts – they will take the path of least cyber resistance.
“If you're going to react after something happens, you're going to spend the money that you saved over the years on not investing in cybersecurity. You will pay at some point, there's no way around it,” concluded Aronashvili.
Get Focus insights straight to your inbox