The earliest recorded example of a cyberattack was Creeper, a 1971 computer worm that turned up on a number of mainframe computers attached via the pre-internet ARPANET. Although Creeper did not create digital wreckage — it merely generated the taunting message “I’m the creeper: catch me if you can” — it laid the groundwork for a seemingly endless stream of assaults aimed at the global computer environment.
But at the start of a new decade, cyberattacks are showing no signs of abating. According to Al Alper, CEO of a pair of Wilton-headquartered information security firms — Absolute Logic and CyberGuard360 — cybersecurity will always be a problem as long as computer users make the same mistakes while online.
“People are creatures of habit,” lamented Alper. “They know that they don’t have Nigerian uncles, but they still open those emails. They aren’t expecting a package delivered to their front doors, but they still open a PDF of a packing slip. You really can’t stop it. The No. 1 cause of breach is people. People do today what they did yesterday and until they are willing to change their behavior, the breaches are going to go on.”
One might imagine that in-house IT teams are ready for the new decade’s cybersecurity challenges, but Alper observed that many of these professionals are not up to speed on the always-evolving nature of this problem.
“The discipline demands that you have a real understanding of what an attack surface is,” he continued. “Over 80,000 new variants are released every day. If your job is just in IT, you’re not exposed to the threat vectors of today or tomorrow. And by the time it has gotten into the four corners of your company, it has already metastasized across the world.”
Complicating matters, Alper added, is the preference for immediate convenience over long-term security concerns. He noted this raises endless concerns in a business setting through the use of mobile devices and Internet of Things (IoT) technology in the workplace.
“IoT and mobile devices are the frontier of choice for hackers because they tend to be unprotected and they tend to be forgotten by internal IT,” Alper stated. “Mobile devices are, right now, green fields for hackers.”
While Alper noted that some federal government agencies issue their employees mobile devices that can only be used for work-related messaging and internet access, that strategy would not work in the private sector.
“Here’s the problem with corporate America: you have to balance convenience with security,” he said. “
As for IoT, Alper argued that while this technology creates a greater convenience in monitoring various aspects of the corporate environment, it can also be the back door to costly trouble when unsafe vendors join the digital circle. He recalled how the 2013 data breach involving Target was created through an unprotected opening created by an HVAC vendor that was part of the retailer’s IoT network. Target’s data breach impacted more than 41 million of the company’s customer payment card accounts and the company paid $18.5 million in a multistate settlement, the largest to date for a data breach.
“The single biggest threat today is IoT,” Alper warned. “We are always in search of the easiest way to do things, but these are often employed without any consideration to security.”
Alper noted that he saved a client from a potential IoT-rooted breach during an audit of the company’s headquarters. While walking through the lobby, Alper and his team realized a potential entrance for hackers in the least likely of places: two vending machines that were connected to the building’s IoT setup. The machines were online so the vendor would know when the supply of snacks was running low.
“If we can do one thing to warp the threat, awareness and training is the single-most effective mechanism of doing that,” he said. “But people are numb to it to some degree. The headlines will help and hurt. Every day headlines decry somewhere there is another breach. They don’t necessarily know there is a recourse.”