Over the last few years, a digital transformation has swept across the world at an unprecedented level. A desperation to apply AI driven solutions, edge computing, commercial drones, cloud storage and dare I mention, IoT software wherever possible. There is no doubt that some of the ‘experimentation’ has supported increasing efficiency, driven higher profits and improved service in organisations. However, with every new development comes a new threat, and forward-thinking firms have exposed themselves to new threats previously unheard of.
Similar to the way hackers found a way to get past anti-spam and anti-virus filters, new tech developments have motivated hackers to find new avenues of attack. With AI solutions and IoT software being applied on everything from the office ‘smart-fridge’ to workplace apps such as Skype or Slack, the possibilities for exploitation are growing. With this comes an increasing demand on businesses to mitigate these threats, but how?
“Know Your Threats”
Rather than rushing to implement every new technology available, it is vital that firms first assess the risks that come with them in order to avoid possible attacks. Consider what the new technology can access, such as critical networks, servers, applications, and files. Progressively, firms are beginning to understand the problems associated with cloud-based storage and file sharing applications such as OneDrive and Dropbox. These applications are teaching firms that just because a file is coming from a trustworthy location, it is not necessarily safe. Despite technology being in place to mitigate risks, it is becoming increasingly common for weaponised documents to be shared through a link in an email, or even on social media. Once the link is clicked and the malware is inside a system, it can transform itself, and be used to download new payloads using steganography to receive its instructions from anywhere which hosts innocuous-looking images.
Organisations must ensure that any applications with access to their network have been thoroughly vetted to ensure they pose no threat from any of their requests for access. The issue is the ease of downloading apps. Employees regularly download and install new apps, unwittingly granting access to everything from the device’s camera, microphone and contacts without the knowledge of the IT department. Once an app is installed, it is difficult to know what it is doing with the access you have granted it. How would you know if the app you have downloaded is listening in to your surroundings, and selling your information on? An app could even take all of your business contacts and other critical information and upload it to the cloud without you being any the wiser.
“Watch every detail”
It is not enough to just assess the threat of an application or devices intended use. Organisations must continue to monitor new threats, such as published vulnerabilities (aka bugs) or unexpected side-effects. Often overlooked are small IoT devices, despite them being frequently attached to the corporate network to upload or download information. If this, seemingly harmless, information is compromised, they can be repurposed to collect and send critical information. It is therefore vital to remember that all information is valuable to someone. Recent breaches have exposed the vulnerabilities in even the most obscure pieces of IoT tech, such as the exposition of the exact location and perimeters of a top-secret US military base by a Strava fitness device. This breach could have had catastrophic consequences if it had it been an overnight base in a conflict zone.
However, malicious activity is not always initiated by an unsuspecting tech user who clicks a link or opens a file. As the recent AI-powered cyber-attacks identified by Darktrace against one of its customers showed, we can see disastrous consequences if AI is hacked by a malicious player. A customer used AI to observe and learn the patterns of user behaviour inside a network so that it could go on to mimic this and blend into the background so as not to be spotted by security tools.
Even the most trivial devices can pose a threat to the network as a whole. In another case, pirates hacked into IoT-enabled freights in order to access the larger network to steal bills of lading and identify the most valuable cargo aboard specific container ships. The data stored by any company using IoT is more extensive than ever, making the risk of hacks all the greater.
“Is it worth the risk?”
The nature of AI data security threats means they are hard to predict, and therefore it is difficult to imagine the range of backdoors and loopholes we may see appear by integrating entirely new solutions into our business processes. The exponential adoption of AI in business in the last few years means that now over 37% of businesses have embraced some function of AI. Of course, AI-augmented workplaces are propelling efficiency and decision making, and with the more data we collect, the more useful AI becomes. However, the positive uses of AI are also matched by its exploitation by cybercriminals. Anticipating attacks on a data storage server and having solutions in place to mitigate it will not help if a firm’s own AI solution is manipulated and used to access and transfer data using its own permissions.
Another growing threat comes from the developments in ‘deep-fake’ video and audio. This development could theoretically see hackers send a seemingly authentic video directive from the CEO, deceiving employees into sharing critical information or paying a bill. Even without deep-fake, fraudsters are already stealing large quantities of money. While firms are envisioning the value of emerging tech to their business, careful consideration is needed from the risks they will bring.
Tech is developing and changing far faster than any regulatory body to keep up with the risks attached. It is therefore vital that organisations stay vigilant in the face of change. Many already have audit abilities on laptops, but there is now a need to duplicate this on mobile devices. What apps have employees already freely downloaded and given permissions to? Organisations could lock down the mobile devices they provide their employees, but isn’t it more dangerous to information security if employees start to bring their own devices? Devices which then remain hidden from the IT department? Virtually segregated networks and USB control software is needed to protect organisations from IoT devices which might run amok, with no knowledge until it is too late.
This is not to say firms should run away from emerging tech or be fearful when it is introduced. Crucially, organisations must go above and beyond to be fully aware of the threats emerging tech brings, and how to mitigate them. Organisations must keep up with the risks as quickly as new tech is developed. Personally, you could speak to your IT partners and solution providers about the potential dangers and use their feedback to shape your decision-making process. Being aware of the threats must go hand-in-hand with being optimistic about the solutions tech can bring.
Written by Dr Guy Bunker, CTO at Clearswift
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/