Last year Fortinet’s global security strategist, Derek Manky, put forward his 2017 cyber-security predictions. “Intelligent, autonomous and difficult to detect” were the words he used to describe the next generation of malware.
However, one particular statement that Manky made sparked my interest. He described most malware today as ‘dumb’ – that is, it may have some evasion techniques built into it, but it is programmed with a specific objective – the hacker points it at its target and it either succeeds or it doesn’t.
Essentially, to increase the chances of success, the hacker relies on sheer volume for the malware to eventually find its way onto a device it can exploit. However, for this approach to succeed it also relies on a few end users being ‘dumb’ as well. As Albert Einstein said, “only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” While this sounds a little harsh, it does help me make my point – we already know that many security breaches are a result of social engineering, with employees being fooled into either providing information they shouldn’t, or clicking on links that subsequently infect their network. In many cases this is smart people doing dumb things.
While training and awareness of the risks may hugely decrease the risk of being infected, asking employees to pause and think before they click is still the simplest, cheapest and most effective way to improve your security posture.
So what about the next generation of intelligent malware? I believe the first line of a good defence remains the same: employee training and awareness, robust security policies and a good security perimeter – such as a firewall – that is maintained, kept up to date and regularly tested. The greater risk from more intelligent malware comes from the damage it does when you are already infected, and so, to a certain extent, spending more money on your perimeter will have diminishing returns. So what should you do? To my mind the focus needs to change from prevention only to early detection of a breach. This is best achieved by having good systems and processes in place to deal with potential threats, as well as the ability to retrieve lost or locked data from a back-up.
Many managed security providers are already offering these sorts of services, and there is no shortage of solutions to help businesses combat the problem – they simply need to ask for help. I think how you decide to approach the problem must start with putting cyber-security on the management or Board agenda for your business. It should be discussed and managed like any other risk to your business. The amount of time and money to spend on this issue should be directly related to the cost to your business if you were suddenly offline, unable to transact, or your customer information was compromised. Good cyber-security is something you can’t afford not to have.