ONLINE SECURITY – CYBER RANSOMING A GROWING PARASITICAL BUSINESS FOR UK HACKERS

‘There are minimal overheads and profits can be limitless’

Cybercriminals are increasingly targeting UK workers’ files and data, and the Metropolitan Police have warned that “no one is safe”.

The FBI, Metropolitan Police, and security experts all agree that cyber ransoming has fast become one of the UK’s biggest economic crimes.

Unpredictable, unstoppable and potentially fatal to a business, the rapid emergence of ransomware has become a threat to people across the nation.

August Graham, the editor of the Sentinel, arrived at work one morning last summer to find a note pop up on one of the computer screens. It informed him that all the files on the firm’s server had been encrypted and were being held ransom.

He was told he had to pay £500 to get them back, or they’d be destroyed.

Last year, 54 per cent of businesses in the UK were hit by ransomware attacks, according to a survey by Osterman Research on behalf of Malwarebytes. In 20 per cent of the cases, it stopped business operations immediately.


The average ransom demanded is £520, but some can be enormous. Three per cent of UK companies that have been hit by ransomware reported a charge of over £50,000 to recover their data.

Gary Miles, the detective chief inspector of FALCON (Metropolitan Fraud and Linked Crime Online), described cyber ransoming as “the crime of choice” right now.

“For a criminal, the cyber ransoming business model is very attractive,” he said. “There are minimal overheads and profits can be limitless.”

If you measure risk against reward, it’s no wonder ransoming has doubled each year since its 2012 emergence. Robbing one computer at a time violently using a knife or gun doesn’t scale well.

However, one hacker can rob thousands with the click of a button.

What is ransomware?

In the first stage of a ransomware attack, a target will receive an email appearing to contain a legitimate attachment, such as an invoice or link to a website. Most people will have come across one of these infected messages.

In the past, they’ve tended to be written in broken English and easy to spot, but hackers have skilfully refined their techniques.

If the victim takes the bait and engages with the content, the second phase begins. The malicious code in the attachment will then be released onto the victim’s machine and spread fast.

It will encrypt all files and folders in local drives, attached drives, backup drives and other computers on the same server. In no time, all files will become corrupt and inaccessible.

The ransom note will then appear on the computer screen. Demands can range from a couple of hundred to several million, depending on how much the hacker thinks the organization will pay.
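The encryption stage described above is the point where a defender can still notice the attack in progress. The following is an added example, not code from the article: it flags a burst of files rewritten with ciphertext-like content, and the function names, thresholds and sample events are all constructed assumptions.

```python
import hashlib
import math
import os
from collections import deque

# Leading bytes of a few common file types (well-known signatures).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for plain text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def looks_encrypted(path: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when the new content looks like ciphertext rather than a normal save."""
    if len(data) < 512:  # too small for a meaningful entropy estimate
        return False
    if shannon_entropy(data) < threshold:
        return False
    # Compressed formats (PNG, DOCX, ...) are high-entropy too, but they keep
    # their header. An encrypted file loses it.
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    return magic is None or not data.startswith(magic)


def first_alert(events, window: int = 60, min_files: int = 5):
    """events: (timestamp_seconds, path, new_content) tuples sorted by time.

    Returns the timestamp at which `min_files` distinct files have been
    rewritten with encrypted-looking content inside `window` seconds,
    or None if that never happens.
    """
    recent = deque()  # (timestamp, path) of suspicious writes still in the window
    for ts, path, data in events:
        if not looks_encrypted(path, data):
            continue
        recent.append((ts, path))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len({p for _, p in recent}) >= min_files:
            return ts
    return None


def fake_ciphertext(seed, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted content: deterministic pseudo-random bytes."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


# Constructed sample data: ordinary saves, one legitimate PNG, then a burst.
TEXT = b"Quarterly report draft. " * 200
SAMPLE_EVENTS = [
    (0, "share/report.txt", TEXT),
    (30, "share/logo.png", b"\x89PNG\r\n\x1a\n" + fake_ciphertext("png")),
    (400, "share/notes.txt", TEXT),
] + [(1000 + 2 * i, f"share/doc{i}.pdf", fake_ciphertext(i)) for i in range(6)]

if __name__ == "__main__":
    print("alert at t =", first_alert(SAMPLE_EVENTS))
```

In practice the events would come from file-server audit logs or a file-system watcher, and an alert would trigger isolating the affected machine before shared and backup drives are reached.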

What to do if you’re targeted

Ransomware attacks are not just proliferating, but becoming increasingly targeted too. Blocking one is extremely difficult. Defenders are like the batters in a cricket game, who need to deflect every ball thrown at the wicket. Hackers just need to knock the bails once to win.

A survey by Trend Micro found that 65 per cent of UK businesses hit by ransomware last year paid the ransom, despite all security agencies and police forces advising against complying with attackers’ demands.

Explaining why victims should not pay up, Pascal Geenens, Radware’s security evangelist for the EMEA region said, “Firstly, there is no guarantee that you will recover your data and secondly, even if you do recover your data, hackers may come back at a later date demanding an even larger ransom.”

Geenens says companies must place an emphasis on prevention by educating employees and putting protective technologies like firewalls, antivirus software and intrusion detection systems into place.

On top of that, companies are encouraged to establish a disaster recovery plan. So if a breach happens, there is a plan to minimize the damage. A company must concentrate on strengthening those things in order to make themselves less susceptible to ransomware. Once it happens, it’s too late.

Cybersecurity firms also encourage companies to back up their systems frequently.

“It should be done at least every hour,” said Mr Geenens. “That way, if an attack happens a company need only reboot their systems to the last point of backup.”

Online security review: Unstoppable JavaScript Attack Helps Ad Fraud, Tech Support Scams, 0-Day Attacks

Argentinian security expert Manuel Caballero has published new research that shows how a website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute his very own persistent JavaScript code while the user is on other domains.

 

Caballero discovered multiple issues and attack scenarios, but fortunately they only affect Internet Explorer 11, not Edge or browsers from other vendors.

 

The bad news is that, according to Net Market Share, IE11 is the second ranked browser version, with a market share of 10.46%, right behind Chrome 55, with 37.27%, meaning it still accounts for a large portion of the online user base, despite its advanced age.

 

The undying IE popups

 

In a blog post published yesterday, Caballero demonstrated how a developer could create popups that persist in the browser, even after the user has left the page where the popup’s code was loaded, either by clicking a link or entering a new URL in the browser’s address bar.

 

According to the veteran security researcher, there’s no limit on how many popups a malicious website owner could show users after they left his site.

 

The only way users can stop the popups is to close the tab and open a new one. Navigating away from the malicious page in a new tab also prevents the popups from showing up.

 

Never-ending popups could be used in tech support scams

 

In a real-world scenario, this Internet Explorer issue could be a handy tool in the arsenal of tech support scammers, shady advertisers, or other scareware operators.

 

A user leaving a shady page could still receive popups peddling all sorts of products and links, even after he clearly left the previous domain.

 

Similarly, users that land on tech support scam websites and find a way to leave the site will still receive popups afterward.

 

If the victim navigates to reputable or neutral sites, such as Google, Wikipedia, Bing, or others, the constant stream of subsequent popups could convince almost any non-technical user that their computer really does have a problem, and lead them to dial the tech support number to get help cleaning it.

 

An IE user reading a Forbes article would receive a malicious ad, and start seeing popups about being infected with a virus. Navigating to one or more new sites in the same tab will still show the same popups, leading inexperienced users on the same path to believe their PC might have real issues.

 

Despite IE’s security measure, users can’t block popups

 

Besides discovering a way to perpetuate popups across different domains, Caballero says another issue could be used to disable the checkbox at the bottom of repeating popups, which IE11 normally provides so that users can block them.

 

 

This second issue can be integrated into the first, allowing malicious website owners to create popups that span across multiple domains that are impossible to kill using IE’s built-in popup-limiting system.

 

Popups are simple attacks. Issue can do even more harm

 

But popups are only scratching the attack surface. The real problem here is that Internet Explorer executes persistent JavaScript code even after users leave a site. The attacker can replace the popup code with everything he wants.

 

“Let’s say there’s a new zero day and the attacker needs to download 5 megs into the user [‘s browser],” Caballero told Bleeping Computer in a conversation. “How can he make sure he has time to download the bits? With a persistent script, the attacker has time for everything.”

 

“With a persistent script [like this] you can create a network of bots without installing anything to anyone,” the researcher also added.

 

 

IE11 issue is a malvertiser’s lottery ticket

 

“For example, imagine a malvertising campaign that sets this script and then forces users to make hidden requests to ads,” Caballero noted, explaining that a website owner could use past site visitors for ad fraud.

 

“[Y]ou [the fake advertiser] buy cheap inventory and then, keep rotating hidden ads for hours, until the user […] closes the tab.”

 

Even worse, the persistent script issue can be used as a supplement to already existing exploits, improving their success rate.

 

No patch available

 

At the heart of the persistent script problem is a universal cross-site scripting (UXSS) bug and Same Origin Policy (SOP) bypass in IE’s htmlFile/ActiveXObject component, which Caballero described in depth two weeks ago, but only recently realized he could use to do more damage.

 

There’s no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they’ve ignored many of his previous reports.

 

Caballero has put together a demo page that shows all his findings. Make sure you access the page through Internet Explorer 11.

 

Last December, Caballero found a way to abuse Edge’s Smart Screen security feature to show warnings on legitimate domains. This issue too, could be abused by tech support operators, and this too, Caballero didn’t report to Microsoft.

Security and risk complaints online: Prevent identity theft

Just like burglars and thieves, cyber criminals have many different ways to steal personal information and money. Just as you wouldn’t give a burglar the key to your house, make sure that you protect yourself from fraud and online identity theft. Know the common tricks that criminals employ to help you protect yourself from online fraud and identity theft. Here are a few simple tips.

 

Don’t reply if you see a suspicious email, instant message or webpage asking for your personal or financial information

 

Always be wary of any messages or sites that ask for your personal information, or messages that refer you to an unfamiliar web page asking for any of the following details:

 

Usernames

Passwords

Medicare numbers

Bank account numbers

PINs (Personal Identification Numbers)

Full credit card numbers

Your mother’s maiden name

Your birthday

Don’t fill out any forms or sign-in screens that might be linked to from those messages. If someone suspicious asks you to fill out a form with your personal information don’t be tempted to start filling it out. Even if you don’t hit the “submit” button, you might still be sending your information to identity thieves if you start putting your data into their forms.

 

If you see a message from someone you know that doesn’t seem like them, their account may have been compromised by a cybercriminal who is trying to get money or information from you – so be careful how you respond. Common tactics include asking you to urgently send them money, claiming to be stranded in another country or saying that their phone has been stolen so they cannot be called. The message may also tell you to click on a link to see a picture, article or video, which actually leads you to a site that might steal your information – so think before you click!

 

Never enter your password if you’ve arrived at a site by following a link in an email or chat that you don’t trust

 

Even if you think it’s a site that you trust, like your bank, it’s better to go directly to the site by using a bookmark or typing in the site’s address directly into the browser.

 

Don’t send your password via email and don’t share it with others

 

Your passwords are the key to your accounts and services online, and just like in your offline life, you should be careful who you give your keys to. Legitimate sites and services won’t ask you to send them your passwords via email, so don’t respond if you get requests for your passwords to online sites.

 

Because your passwords are so important, you should think carefully before deciding to share them with others – even friends and family. When you share your passwords, there is a greater risk that someone may misuse your accounts by accessing information that you don’t want them to or using the account in ways that you don’t approve of. For example, if you share your email password with someone, that person might read your personal emails, try to use your email account to access other online services that you might use, like banking or social sites, or use your account to impersonate you. Finally, when you share your password with someone, you will have to rely on them to keep it secure; they may share it with others on purpose or by accident.

 

Pay close attention when asked to sign in online

 

Check for signals about your connection with the website.

 

First, look at the address bar in your browser to see if the URL looks real. You should also check to see if the web address begins with https://, which signals that your connection to the website is encrypted and more resistant to snooping or tampering. Some browsers also include a padlock icon in the address bar to indicate more clearly that your connection is encrypted and that you are more securely connected.
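The two address-bar checks above (does the URL look real, and does it begin with https://) can also be applied mechanically, for example by a mail gateway or a help-desk tool inspecting a reported link. This is an added example, not part of the original tips; `signin_url_problems`, the finding labels and the `mybank.example` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def signin_url_problems(url: str, expected_host: str) -> list:
    """Return the reasons a sign-in URL should not be trusted.

    expected_host is the site the user believes they are visiting,
    e.g. the domain they have bookmarked. An empty list means the URL
    passed every check.
    """
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased

    # 1. The connection must be encrypted.
    if parts.scheme != "https":
        problems.append("not-https")

    # 2. Text before an "@" is a user name, not the site. It is often used
    #    to put a familiar name at the start of the address.
    if parts.username is not None:
        problems.append("userinfo-before-host")

    # 3. Look-alike characters: non-ASCII letters or their punycode form.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        problems.append("non-ascii-or-punycode-host")

    # 4. The host must be the expected domain or one of its subdomains.
    #    The familiar name appearing somewhere in the address is not enough.
    expected = expected_host.lower()
    if host != expected and not host.endswith("." + expected):
        problems.append("host-mismatch")

    return problems


# Constructed sample URLs (the .example and .test names are reserved for documentation).
SAMPLES = [
    "https://www.mybank.example/signin",
    "http://mybank.example/signin",
    "https://mybank.example@elsewhere.test/signin",
    "https://mybank.example.secure-login.test/signin",
    "https://myb\u0430nk.example/signin",  # Cyrillic "a" in place of the Latin letter
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.encode("unicode_escape").decode(), "->",
              signin_url_problems(sample, "mybank.example") or "ok")
```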

 

Report suspicious emails and scams

 

Most email providers, including Gmail, allow you to do this. Reporting a suspicious message in Gmail will help block that user from sending you more emails and help our abuse team stop similar attacks.

Cyber security: Researchers trick ‘CEO’ email scammer into giving up identity

Businesses targeted in email scams don’t always have to play the victim. They can actually fight back.

 

Researchers at Dell SecureWorks have documented how they identified a suspected email scammer from Nigeria by essentially playing along with the scheme to fool the attacker into revealing his true whereabouts.

 

Anyone can use these tips, said Joe Stewart, director of malware research at SecureWorks. “We’re letting [the scammers] give us all the information about themselves,” he said.

 

The email scheme involved a fraudster impersonating a CEO in what’s called a business email spoofing attack. The goal is often to trick a victim into wiring funds to the scammer’s bank account.

 

Although a business can train its employees to learn how to spot these suspicious emails, that won’t necessarily stop the attack, especially since it’s easy for anyone to continually bombard a victim with emails, SecureWorks said.

 

Instead, a business’ IT security staff can fight back and disrupt the scammer’s operations. They can do this by first replying to an email scam and pretending to act like a gullible victim.

 

This was how SecureWorks managed to eventually identify an email scammer from Nigeria that targeted a U.S. technology company in November. SecureWorks was brought in to investigate and decided to fool the fraudster into thinking his scheme had worked.

 

The scammer had tried to trick the technology firm into wiring funds to a bank account by impersonating its CEO. SecureWorks pretended to comply, which caused the scammer to turn greedy.

 

“He started asking for $18,000,” said James Bettke, a SecureWorks researcher. “And then after that, he said, ‘Oh that’s a typo. It’s a $118,000.’”

 

 

To try and identify the scammer, SecureWorks decided to email back a PDF-based receipt, indicating the wire transfer had been completed. In reality, the receipt was a decoy that, when clicked on, sent off the recipient’s IP address and other web browser information.

 

The researchers found that their scammer was using an internet service provider in Lagos, Nigeria, and was viewing the receipt on an iPhone.

 

SecureWorks continued to play a gullible victim, by claiming the wire transfer had failed. That forced the scammer to hand over details to other bank accounts. The researchers then took that information and notified the responsible bank that these accounts were being used for fraud, shutting them down.

 

To find out more about the scammer, the researchers sent another decoy receipt of a wire transfer that forced the recipient to enter a legitimate mobile phone number to view the form.

 

The scammer fell for the ruse. Using Facebook, the researchers found that the entered phone number was tied to a user named “Seun,” which the researchers believe is a real account.

 

“We know who he is,” Stewart said. “We could report him to the EFCC (The Economic and Financial Crimes Commission in Nigeria). But he didn’t get away with any money.”

 

So instead, SecureWorks is publicizing information about the fraudster’s scams, including the email addresses he used.

Online fraud detection: PayThink Contextual commerce sputters without deep consumer ties

 

Every business that uses apps or online platforms to connect with customers knows there’s a major transformation underway in how you do business.

 

Customer convenience is top priority, while the mechanics of sales and payment transactions are moving out of sight where they are less likely to cause friction that costs sales.

 

To take advantage of this confluence of technology known as “contextual commerce,” you need to know what it is and what it requires. If your business development plans don’t include reimagining how you will sell to your customers, you risk losing out to competitors that are thinking beyond the traditional e-commerce experience.

 

The defining idea behind contextual commerce is giving your customers the ability to buy something within the flow of another activity that they’re engaged in. It’s presenting a product or service right at the moment when the buyer might naturally want it, without making them go through a separate commerce or payment experience.

 

Easy payments are critical: The transaction must occur in the background, relying on stored payment methods rather than making a buyer key in card details. But there’s more to it than that.

 

Uber — which won its massive user base partly by making payments invisible and freeing riders from worrying about fares and tips — is building out its contextual commerce vision by striking partnerships. For instance, its deal with Hilton to link the Uber app with the hotel chain’s loyalty app makes it easy for travelers to arrange their rides when they are reviewing hotel reservations.

 

The WeChat messaging platform, which is hugely popular in China, is another example of how users can engage in all kinds of transactions without ever leaving their preferred environment. WeChat users can shop, buy movie tickets, and even pay bills from within the app.

 

Looking beyond these examples, we can expect opportunities for new contextual commerce business models to arise as stored payment technology finds its way into other environments. Given how much time many Americans spend on the road, one particularly promising new area is the connected car. GM’s OnStar Go platform, which will roll out in automobiles starting in 2017, will feature integration with Mastercard’s Masterpass digital wallet, allowing drivers to buy goods and services from behind the wheel.

 

Customer trust in the security and privacy of stored payments is essential for contextual commerce to succeed. The growing use of various kinds of e-wallets and mobile payment systems is also helping to put consumers at ease.

 

The back-end infrastructure to support a contextual commerce ecosystem is taking shape. Tools and interfaces will be needed to easily connect a variety of components, including: the merchant’s payment and order management systems (including inventory, logistics and returns); the “context” in which the customer is found (merchants will strike partnerships with complementary businesses, content providers and others); and the customer’s stored payment and shipping information, such as e-wallets.

 

All of these pieces will need to connect seamlessly so that the customer receives the service they expect, while the payment transaction takes place out of sight.

 

Coming up with compelling ways to engage your customers through contextual commerce will require you to do three things well:

 

Gain a deeper understanding of your customers. How, when and why do they buy? Now is the time to make investments in ramping up your data and analysis game. Understand their behavior and what else is going on around their transaction with you, and you may see opportunities for partnerships.

 

Respect customer preferences. Not everyone wants to be presented with buying opportunities everywhere they turn. Businesses will need to be thoughtful to avoid alienating customers with overly intrusive offers, especially as predictive analytics seek to anticipate consumers’ needs. Remember that what’s convenient to one person may be creepy or annoying to another.

 

Be alert to all contexts – virtual and real-world. Right now, a lot of focus is on connecting on the virtual plane: Businesses are looking for opportunities to sell within online content such as information, entertainment or gaming, as well as within social experiences such as messaging and social networks. Location-aware and augmented reality technologies will open more opportunities for reaching customers in their real-world contexts as well.

 

It’s an exciting time to be engaging in tech-fueled commerce. As the contextual commerce revolution begins to get into full swing, make a plan to put your business in the game.


Cyber security: Cyber crime: an unprecedented threat to society?

In the last year cyber crime has been firmly established as one of the biggest threats to democracy, privacy, and health and safety. Here, Simon Townsend, chief technologist EMEA at Ivanti Software, discusses this threat and the possible ways to circumnavigate it.

 

What cyber security trends from 2016 did you see?

 

Ransomware, ransomware, ransomware! Not only this, but 2016 was also the year of insider threats. Email continued to be the main route of entry, with phishing scams running rife in organisations.

 

Ransomware got its own stage in 2016: in 2015 many people were mixing the attack up with other methods of entry or it wasn’t on the agenda for many decision makers. However, now it’s not something just for certain high-profile organisations, it’s a problem for everybody.

 

What is the future of the cyber security industry looking like?

 

One of the main trends that I’ve seen in 2016, that I believe will be more prevalent in 2017, is the changing motivations of cybercriminals. Previously, hackers have mainly acted in reaction to something. The attack was usually in retaliation: if a public figure or company had done something which had been perceived as morally incorrect, the attacker would demonstrate that their community will make them pay for their actions.

 

Recently, cybercriminals have been demonstrating that their activities are becoming more about financial gain and recognition, rather than revenge. Although this was always a motivation, after all one of the easiest ways to make money is to get hold of personal records and sell them on the dark web, we’re now seeing a notable increase of attacks for this purpose.

 

I also predict an unfortunate increase in cyber-attacks in local government and healthcare. If we take the example that personal records hold the most profit, which institutions hold a wealth of these, and aren’t given a large budget for cybersecurity? Public sector organisations. For example, we’ve seen 21 universities hit by attacks in the last 12 months, and I see that public sector vulnerability continuing into 2017.

 

Finally, I believe that we are at a tipping point with BYOD and mobile working as digitally minded businesses strive to enable the user and deliver a great experience for employees. By blurring the line between work and home, we’ve created a workforce that can be more mobile, productive and comfortable by using hardware that they are familiar with as consumers, such as having an iPhone as both a work and personal device. However, we’ve seen an alarming rise of breaches caused by employee negligence, human error and users being given access to files that don’t correspond to their role, accessing huge chunks of the network they shouldn’t have sight of.

 

We may well be at a point where an organisation could turn around and claim that the cyber security risk is too great to give employees these permissions, and take a five-year step back in user experience. Laptops will not be allowed off premises, admin rights will be removed, consumer devices such as iPhones will be swapped for Blackberries, and remote working will be prevented. This will be sad for the progression of information technology as a whole.

 

How important will AI and automation be in cyber security moving forward?

 

When it comes to AI and automation, fundamentally we’re talking about threat prediction. At the minute, there are plenty of players in the protection space. It’s like offering to give someone the flu, and then offering an antidote – people would much rather avoid the flu in the first place, which is where prevention and prediction are now coming into play.

 

For example, if you were to log into Facebook on holiday, or made a payment from an unusual IP range or location, your bank or social account would contact you to confirm your activities. All of this is intelligent automation based on certain rules, and is a large part of what will make prediction and prevention the future of cyber security.

 

However, this could be a double-edged sword. Using AI and automation in this sense, hacktivists could use the tools to block people out of accounts and prevent access. Unfortunately, no level of cybersecurity can block 100 percent of attacks.

 

How devastating will data breaches be post-GDPR?

 

If we take Tesco, for example: the attack on the bank cost them over £2.5 million, which was taken out of bank accounts. Following that, you’ve got brand damage, on which you can’t put a price. What you can put a price on, however, is how much the EU GDPR law would have charged them, either $20m, or 4% of their turnover, whichever is the highest. Looking at Tesco’s 2015 turnover, 4% would be something around the £2.5 billion mark. Pretty devastating.

 

Fines aside, GDPR is going to have a large effect on organisations. Companies are going to have to report things quicker and whistle-blowers are going to have to put their hands up. We may see more data protection officer roles being created, who must let someone know if something goes wrong, or if user data has been breached. This officer is ultimately going to sit outside of the IT and security departments, taking responsibility to report and analyse patterns.

 

Another way that GDPR will have an effect is relocating resources to meet with the personnel demand. I’m not convinced that everyone has budget assigned to this either, as there are two aspects to GDPR. It’s not just about the cyber security element, but businesses also need to invest in security hygiene, which is one of the biggest challenges.

 

This involves organisations making sure that they’re aware of the data they’ve got and that it is stored in a clear, organised and easy to access way. Due to this, I believe a future trend (and something we’re seeing at the moment) is an emergence of data storage organisations talking loudly about how they can aid this, and grow in the market space.

 

How do you advise the industry educates employees?

 

Ideally what needs to happen is a culture change. Prevention technology can protect you from most of what’s out there, and other technologies can fill the gap, but ultimately there needs to be a shift within organisations, with more education amongst the younger generations that are moving into work. In the future, we may see working agreements and employment contracts change to include tighter policies about cyber security best practices, including where they work, how they work, and what is acceptable use of company technology. Security companies have been doing this for a long time, which also protects their brands, but now we need to see these policies reach out to further industries and lines of work.

 

How can businesses face the IoT and mobile threat?

 

As the Dyn DDoS attack (the cyber-attack that brought down much of America’s internet in October) and the smart car system attacks from 2016 have demonstrated, businesses need to ask themselves: ‘Have we not taken the necessary cyber security steps that we should have in the face of staying competitive?’.

 

If we look at the recent Tesco breach, for example, we all know the brand as a supermarket, and potentially in a rush to stay ahead of the curve, it has branched out into banking, insurance and mobile phone policies. It’s interesting to look at the fact that the Tesco banking division was attacked, where legacy banks (with most likely more valuable accounts and data to access) weren’t. It’s this rush to market that poses one of the biggest threats when it comes to securing IoT and mobile devices in 2017, as cyber security isn’t considered at the design stage for most products. If you’re going to create an IoT device, invent with security first.

 

Overall, it seems that IoT in 2017 is close to becoming what cloud computing was in 2014 – a buzzword.

When the market suddenly grabs hold of a technology or a new concept, you find the industry spending so long discussing it, that the next thing you know is 500 companies have popped up and CISOs are spending their time worrying about it, distracting from larger problems in the organisations.

 

My advice here is to not let IoT become the noisiest topic of 2017 and draw your attention from larger cyber security problems, such as ransomware and email phishing campaigns.

 

It will be of primary importance to those companies or business units who can gain an edge by using IoT, but it’s just another platform in the fight against cyber crime that needs addressing, not the be all and end all.