2017 was a pivotal year in the world of cybersecurity. The Internet of Things (IoT), digital disruption, digital convergence, the growing trend of flexible working – all brought significant change; and risk. Add to this the sharp rise in the number of high-profile ransomware attacks and it’s easy to see why cybersecurity has become a key topic of discussion, and cause for concern, for many businesses.

In a recent Kordia survey of 225 IT decision makers, more than half believe their business is at risk of cybercrime. A further 54 percent said they expected the budget set aside for cybersecurity to increase in the coming year. This comes as no surprise to security experts, particularly as we see first-hand just how bad the situation really is. As businesses become more reliant on the Internet and networks for how they operate, the more we see attackers taking advantage of the hidden flaws in these systems; and it’s getting increasingly difficult for businesses to defend themselves against the ongoing onslaught of cyber-attacks.

Over the past 12 months, the attacks have been relentless – NotPetya and WannaCry are just two well-publicised examples of how easily, and quickly, ransomware attacks can spread and stop businesses from functioning. They can also be very costly from both a reputational and financial point of view. Forbes recently reported that global shipping giant A.P. Moller-Maersk, which was significantly affected by the NotPetya attack in June, estimated the financial impact of this attack to be in the vicinity of $200 million USD. And New Zealand wasn’t immune either. In the same Kordia survey, a quarter of New Zealand businesses stated they were directly affected by the NotPetya and or WannaCry attacks,  however this figure is likely to be higher.

2018: What to expect

Unfortunately in 2018 we expect to see the trend of increased attacks continuing. For hackers, every business is a potential source of income. Despite your best defences, if they are determined to get past your security walls they’ll find a way, especially as we see a worrying increase in the amount of organised cyber-crime.

While it’s difficult to predict which attack methods cybercriminals are likely to turn to over the coming year, it’s likely that ransomware and social engineering will continue to feature heavily. However, there’s also another method that security experts are keeping their eye on – botnets.   

Botnets are essentially a network of Internet-connected devices infected with malicious software that can be controlled by an attacker without the owners’ knowledge. Using an ‘army’ of connected devices, the attacker can then carry out distributed denial-of-service (DDoS) attacks, steal data, send spam and control private devices. Because botnets are generally associated with politically or financially motivated attacks, many businesses don’t believe they are at risk. This couldn’t be further from the truth. In fact, in 2016 we saw a local example of botnets in action when several schools in New Zealand had their computer systems hi-jacked.

In 2018, it’s likely we’ll see even more examples of botnets being used to carry out ‘downstream’ crimes. Just last month researchers at Check Point discovered a brand new Botnet, called ‘IoTroop’, which was evolving and recruiting IoT devices at a far greater pace than ever seen before. The company warned that if successful, this Botnet had the ability to take down the entire Internet.

The key questions every business should be asking

With online threats rising at a rapid rate, 2018 needs to be the year that every business puts cybersecurity on the agenda. It’s not a matter of if your business will be breached, it’s when (and in fact, if you are not checking your logs regularly, it may already have happened without you knowing). Preparing for an attack – from both a defensive and offensive point of view – will help to ensure you are one step ahead.  These are the key questions every business should be asking themselves in 2018:

1. What’s our level of risk?

Cyber security should be treated the same as any other risk to the business (for example health and safety). Unless you understand the risk a security breach would pose – the impact it would have on day-to-day operations, your customers and your reputation – then you can’t adequately formulate a or strategy for defence.

2. Are our staff cyber-aware?

Hackers know where weaknesses lie, and it’s with people. Their inability to identify risks, and their often lax approach to security makes them easy targets. Ongoing education of staff is an essential component in establishing a sufficiently secure organisation, and should be a mandatory focus for all businesses in the year ahead.

3. Are we getting the basics right?

It may sound simple but many businesses often overlook the basics and head straight for the more complex technology. Make sure your business gets its IT hygiene house in order (the Australian Signals Directorate’s Essential 8 outlines some of the basics: application whitelisting; patch applications; disable untrusted Microsoft Office macros; daily backup of important data and more). Do just this and you are already more secure than many of your peers.

4. Do we have a plan in place to deal with a breach?

If your business was breached, what would you do? Who would manage communications to the business, to customers; and media? How fast could you get systems back up-and-running? Would you need to set up a war room? What if it happened at 10pm at night and the CIO couldn’t be contacted? How your business responds to an attack is often the greater determinant of damage and fallout. A failure to plan is a plan for failure.

If the answer to any of the above is ‘no’ or ‘I don’t know’ then you are potentially leaving your business wide open to attack.

A vicious circle?

For many businesses, addressing cyber security can seem like an endless loop. Thankfully, by reviewing the cybersecurity climate over the past 12 months and keeping a close eye on the ever-evolving threat landscape, security experts are in a good position to provide advice to businesses in what is an increasingly turbulent climate.

The approach Aura recommends is focused on the fundamentals of solid information security: improving policies and processes, education, making information security an integral part of everyone’s job, system monitoring and regular testing of networks and applications. Above all, a change in attitude is the key, and is what will equip your company for a better security posture. Being sufficiently secure depends on a ‘risk’ approach, with defined policies backed by constant vigilance, repeated reinforcement of good habits, and preparedness for an attack.

Peter Bailey is general manager of Aura Information Security.