Could you be your organisation’s biggest cyber threat?

As 2020 draws to a close, we have crossed a threshold in digitisation – one which happened far faster than anyone anticipated, or was adequately prepared for. Spurred by a pandemic – but adopting technology already in use by businesses – the world shifted large chunks of its lives online: many workers found themselves adapting to working from home and communicating with colleagues via Zoom or Teams; bricks-and-mortar high street shops crumbled as people moved to mass online shopping; and children increasingly received education online and remotely.

It demonstrated an admirable flexibility and resilience, but for cybersecurity professionals, the digital rush accelerated all the challenges that were expected over the coming decade to 2020 and 2021, not least in protecting us from ever more sophisticated cyber crimes.

With a ten per cent increase in cyber attacks during Covid, and remote or hybrid working set to be here to stay, the need to protect our society is greater than ever. So, how can we do this? How have cyber threats evolved? What will they look like over the 2020s? And how can organisations protect their customers, clients and workforce in the future?

To explore these questions, WIRED and Capita hosted a roundtable that convened leading voices in the cybersecurity field to discuss the current and future threat landscape.

Four major themes came out of the conversation: first, that nothing has substantially changed – the latest cyber threats have been amplified and are more potent than ever, but they’re not unrecognisable from their forebears. Second, the bigger worry is that cybercrime has become industrialised – it’s an expanding economy with complex supply chains. Third, that focusing on the technology alone is a red herring – the biggest point of pressure is around people, and that has only grown as technological flaws are resolved. And fourth – we need to be thinking more broadly and to adapt to challenges by becoming more diverse and collaborative in our anticipation, planning and execution.

Same threats, more sophisticated attacks

Despite growing worries about cyber attacks on overstretched hospitals or from foreign governments, the nature of online threats has been remarkably consistent for years. As Mark Roberts, head of cyber at Capita Consulting, points out, these are: “phishing, ransomware, spoofing and social engineering”. These are not new threats but the difference is that “the camouflage has changed.”

That camouflage is the way in which criminals persuade people to let them inside their system, both at home and at work. As Wi-Fi hotspots are secured and the web moves to tougher safety protocols such as HTTPS, social engineering – persuading your way into systems by tricking humans – has become the focus for cyber attackers. Desperation, coupled with the lack of colleagues in close proximity to ask about a suspicious email, can help open the door. Promises of Covid cures, for example, are targeted for the anxiety of our times. Nicola Whiting, Chief Strategy Officer of Titania Group, stresses the point: “phishing is just neuromarketing done well. We are well past the ‘Nigerian Prince’ emails into very sophisticated neuromarketing for criminal profit.”

Better masking by the cyber-criminals, and the creation of more doorways into systems as we accelerated online during the pandemic, spells an ongoing and looming threat to our security. Our cyber-leaders concurred that these threats are neither new nor unpredictable – they have just been amplified by the shift to mass remote working. In their view, protecting against future threats will see businesses needing to move away from a short-term mentality of quick fixes, and instead focus on longer term cyber strategy. They clearly saw a growing need to form a long-term strategy amidst great uncertainty – and doing that will mean confronting the vulnerabilities of our remote economies.

Industrialisation of cyber crime

Perhaps the deeper worry is not about new cyber-camouflage and threats to our data – it’s the complexity and sophistication of the criminal infrastructure that those attackers can now tap into. The ability to parcel out assets stolen in cyber-heists to specialist teams to dissect and profit from now creates new economies of scale in the black market.

Mustafa Al-Bassam, co-founder of the hacker group LulzSec turned cybersecurity researcher at University College London, stresses this concern about what looks like the industrialisation of hacking: “the long-term trend that I've seen over the past decade or so is that the hacker economy has become a lot deeper. The supply chain has become much more fine-grained”.

This is a threat to consumers and businesses alike. Over the last decade alone, the ability to breach corporate systems and then sell stolen databases to a developed market has grown considerably. Cyber-crime has been commoditised and upgraded.

Al-Bassam points out “that’s how Dropbox found a [security] compromise – a researcher saw someone selling on the dark web”. In such a growing economy, it’s the sophisticated logistics and supply chains that surround cybercrime that are the new threat, mainly because they act as force multipliers for attacks.

People are the pressure point, not technologies

There is the sense that the bigger the organisation, the more vulnerable its people are to manipulation and attack, simply because there are a greater number of people to approach, and because bureaucracy often creates anonymity. For Roberts, people can be viewed as a double-edged sword: “people are our first and best line of defence – but they are also responsible or involved in about 90 per cent-plus of all security incidents.”

For many cyber security professionals, stressing the pressure points around people is key. But combatting cyber-attacks is about more than just the people, it’s about organisations designing systems and processes that enable their employees to be less susceptible to cyber-risk.

Kevin Jones, Group Chief Information Security Officer for Airbus, illustrates this. He stresses that “all the time I hear that ‘humans are the weakest link’ and we need to really get away from that”. Putting the cybersecurity "pillars" into practice, Jones stresses that “for us it's very much about people, process and technology, preferably in that order.”

In a world where people are the targets, it is important to use people-focused techniques to strike a balance between technical and human solutions. Governments and companies also need to think differently about the people-factor in cybersecurity, and that puts a greater emphasis on human design.

We don’t need to start with a blank sheet of paper, though. Mieke Kooij, former Chief Information Security Officer at Trainline and an experienced digital and travel security professional, thinks there are already lessons to be learnt from public health practices and efforts to change people’s behaviour during the Covid pandemic. “They look at culture, they look at the spread of things and they look at how to curb and to control that spread. They are often delivering very hard messages, because they're the ones saying ‘we need to lock down to stop this’.” A similar mentality needs to be taken in order to change behaviour in response to cyber threats.

Diverse threats require diverse counter-thinking

One of the biggest risks, especially during the hothouse of a pandemic, is that we end up in a groupthink where everyone sees the same problem. In that world, cybersecurity becomes an echo chamber, missing the real threat. One answer is to become more diverse, to seek out different perspectives and views within and beyond the security industry and to work collaboratively in developing solutions. This approach is also likely to help organisations move away from short term fire-fighting and help them develop solutions that will better prepare them for future attacks.

Holly Foxcroft, a lecturer in cybersecurity at Chichester College and a neurodiversity consultant, echoes the need for diverse thinking, especially as regards human vulnerability, saying that “we need to include our social science friends in criminology and sociology to understand human vulnerabilities and behaviours online”.

The key response here is to think in a manner that reflects the diverse ways in which we process information. That means looking at non-neurotypical perspectives – designing for people with dyslexia or autism as well as for those whose mental health is affected by anxiety or depression. As Whiting puts it, “when we put people in the room who are from different neurotypes, backgrounds, ethnicities and sexualities, we get a wider variety of ideas”.

The one-size-fits-all approach to cybersecurity is no more realistic in protecting us from cyber harm than it is from accurately predicting all human behaviour. Combined with what Jones’ calls “black box thinking” – looking at all the mistakes to drive improvements – alongside the neuro-marketing techniques that Whiting flags, we have the beginnings of a pivot towards a more subtle, counter cyber-crime approach.

The missing ingredient is broader thinking, and to break out of providing the same answers to the same cyber problems.

Looking ahead

So where does this leave us? Un-complicating cybersecurity, thinking more diversely and focusing on people – not technology – may be the discipline needed to get through the pandemic and beyond.

Of course, just because technology is less of a problem now, it doesn’t mean it will stay that way. Victoria Baines, visiting research fellow at the University of Oxford, suggests we look further ahead to the post-Covid threats: “my next horizon is 2030,” she says. “We have a massively distributed Internet of Things. We've got edge processing and edge analytics. We've got a much more mature AI ecosystem. We've certainly got 5G. We've possibly got 6G. I'm trying to think about how that all converges, the incredible smart cities that will enable a reduction in energy consumption that might enable nano health and huge benefits.”

That’s true. A different order of cybersecurity will no doubt be needed to protect the infrastructure of the late 2020s and early 2030s, but as technology becomes more secure and consumers flock online, we need to start by getting inside our heads, not our computers – and that’s where our defenses need to be, too.

-- For more information, visit Capita

This article was originally published by WIRED UK