I recently had the privilege of sitting in on a webinar featuring presentations from two of Kaspersky’s senior security researchers, David Emm (Principal Security Researcher) and David Jacoby (Senior Security Researcher).
Both Emm and Jacoby are members of Kaspersky’s Global Research & Analysis Team (GReAT), and they each shared a substantial amount of insight on the current state of information security and what businesses need to do to stay protected.
Jacoby presented first, giving a direct and easy-to-follow lesson on the history of hacking techniques through the decades, looking at the 80s, 90s, and 2000s (something I definitely appreciated as a layman). He made it clear that, in many ways, the techniques malicious hackers use have not fundamentally changed; they have simply grown to exploit weaknesses wherever they can be found in their target’s digital infrastructure, and one of the main weaknesses is individual users’ ignorance of computer security best practice.
Jacoby said, “If you look at trends, it is the people who made security complicated. People create new technology, but often fail to consider computer security.”
The distinction of ‘malicious’ was an important one that Jacoby hammered home by explaining that the term ‘hacker’ is inherently neutral, with many people who might formerly have been dismissed as miscreants becoming today’s top security consultants, whose skills are valued in identifying vulnerabilities in a firm’s cyber-security. Jacoby elaborated on the value of incentivising these ‘white hat’ hackers to use their powers for good and cited the growth of ‘bug bounty’ programs that invite people to attack a company’s systems and report how they did it in return for commercial reward.
Jacoby ended by saying, “White hackers are heroes. We need them for the betterment of improving security risks.”
Following this, Emm presented a series of statistical findings from the Kaspersky IT Security Report (in which nearly 250 Australian businesses were surveyed), and elaborated on some insights the data showed in relation to the current state of cyber-security investment and preparedness amongst Australian businesses. He explained that a concerningly small proportion of Australian businesses were aware they were being targeted by malicious agents, and that even fewer were adequately prepared for it (26.4% of Australian small businesses reported having incurred losses of between $3,000 and $15,000 in 2019 due to cyber-attacks).
In comparison to Great Britain (2.7%) and the US (3.4%), more than 7% of Australian businesses were unaware that they had been targeted by cyber-criminals, a concerning figure.
Emm stated that “While the percentage is relatively small, the fact that there are businesses who don’t know they have been targeted is worrying, because every business today must try to have visibility into what is going on.”
Emm stressed the importance of not only having a robust software solution (firewalls, malware detection, etc.), but also of investing in risk mitigation that effectively offsets the blow of a data breach, if and when one succeeds. Citing that 34.8% of Australian businesses had been compromised through employee use of third-party cloud services, and that lost employee devices accounted for almost 50% of enterprise security incidents, Emm reinforced the need for businesses to have a comprehensive threat mitigation strategy focused on educating employees in best-practice policies, as well as on offsetting losses by determining the liability of third parties who are at fault for a breach (via review and enforcement of contractual obligations).
These risk factors stem from the fact that many decision-makers are either ignorant of, or complacent about, these human-error-based vulnerabilities, and Emm stressed that “Getting business leaders involved is huge. If people directing the business understand what the potential threats are, then clearly that’s going to make a big difference in terms of the right investment made.”
During their discussion, both Emm and Jacoby agreed that, while state-of-the-art software solutions are essential in threat protection, educating employees not to click on suspicious emails, along with other best-practice policies, is equally paramount in protecting your business from victimisation.
During the Q&A period, both experts were asked about immediate steps that firms could take beyond an investment in education and encryption. Emm said that it was essential to audit your company’s data so that you could identify your most valuable digital assets, or ‘crown jewels’, and secure them against compromise, with Jacoby adding that firms should employ the risk mitigation strategy known as the CIA triad (confidentiality, integrity, availability).
In response to a question about reviewing the responsibilities of third parties, Emm said this would not necessarily make a breach less likely to occur, but that it would help to “cushion the blow” of said breach by spreading its cost between those who are found to have failed to prevent it in one way or another.
To round off the discussion, both speakers shared their views on a topical subject in Australia’s consumer IT space – the CovidSafe digital tracing app released by the Australian Government as a means of combating the spread of COVID-19 (Coronavirus).
With more than 5 million Australians having downloaded the app, and with the source code still unreleased by the Government, both Emm and Jacoby were asked if, as security experts, they would download the app if in the shoes of an average Australian.
Emm said that while CovidSafe’s tracing technology and centralised data collection had utility during a health crisis, he could sympathise with concerns that this could be potentially “re-badged” as a means of tracing person-to-person contact outside of the interests of public health.
Jacoby said that, while there may be a risk of user privacy being compromised in the future by Government apps like CovidSafe, many Australians would have already given up their data to privately operated applications (such as Snapchat, Instagram, etc.), and that fear of Government tracing through an app designed for public health may be redundant when looking at the big picture.
Both Emm and Jacoby agreed that it was too early to give a final verdict on CovidSafe’s viability, as well as its potential for misuse. Emm elaborated that without wider voluntary adoption of CovidSafe by the Australian public (currently only around 1/5th of the population has opted in), it would not be able to track person-to-person contact in a way that would meaningfully assist the public health system.
Overall, the primary insights I gathered were that:
- Software/hardware security sales need to be combined with thorough education on employee best practice to be as effective as possible
- Human error is still the #1 vulnerability in any firm’s digital infrastructure, and business leaders need to be less complacent about vulnerabilities amongst their staff and their use of third-party applications
- Accepting that breaches are possible, and mitigating their negative impact, is essential for modern businesses to operate confidently in the current landscape, and this must include reviewing the liability of third parties if and when a breach occurs
- Fears about privacy being compromised by CovidSafe may be overstated, but that it is too early to make any definitive predictions
Thanks to David Jacoby, David Emm, and the rest of the Kaspersky team for inviting me to listen to this refreshingly honest breakdown of the threats in today’s information security landscape, specifically in regard to Australian businesses and what they should do to protect themselves from data breaches and malicious attacks.