The conversation around both AI and IoT has reached peak popularity. Both terms coined around 20 years ago, they are now pervasive enough that even your technophobe neighbours probably have heard about them – and may even have a vague idea of their connotations.
Both artificial intelligence and ‘internet of things’ devices are changing the way that we live our lives; however, they both also have an important place in another popular tech idiom: cybersecurity.
As the software underpinning our lives becomes more complex, and from a wider variety of vendors, so too grows the risk to cybersecurity – both on a personal level, as well as in business.
Here, we take a closer look at cybersecurity in Australia, the increased threat posed by IoT growth, and whether AI will be the silver bullet to help reduce risk – or whether it’s another risk in itself.
The state of cybersecurity in Australia
Cybersecurity in the workplace
Industry leaders Cisco’s 2018 Asia Pacific Security Capabilities Benchmark Study of 2000 professionals from 11 different countries highlights some alarming statistics from Australia:
- 81% of organisations are receiving 5000+ cybersecurity alerts per day (highest in Asia-Pac)
- 33% receive 100,000-150,000 cybersecurity alerts per day (global average: 10%)
- 52% report that true attacks cost $1-5m USD per year (highest in the region)
- 69% of Australian defenders are experiencing cyber-threat fatigue (3rd after Japan and Thailand)
However, it’s not all bad news:
- 72% of alerts are investigated (over 56% globally)
- 65% of investigated alerts are legitimate (over 34% global average)
- And 69% of these legitimate alerts are remediated (over 50% global average)
What these stats indicate is that we experience a greater cyber threat in Australia over other regions, although we’re fairly good at identifying real threats and actioning them. With this high workload, there is plenty of room for automation and innovative tech solutions to help stop cyber-threats in their tracks.
Solutions like mail filtering, user management, virus scanning and network intrusion detection systems make up enterprise cybersecurity stacks – but these need considerable monitoring, reporting, updating, and governance to be truly effective.
Cybersecurity in the home
On the other side of the coin, we have cybersecurity in the home, left to individuals to navigate, often without a clear view of the cyber-threat landscape and what’s required to stay protected.
According to 2017 Norton cybersecurity Insights Report Global Results,
- 6.09m Australian consumers experienced cybercrime in 2017
- $1.9b in consumer losses as a result of cybercrime
- 16.2hrs were spent per victim dealing with the incident
Risks abound in the online space in Australia, and with increasingly complex attacks, we see not only expensive losses but a weariness in the cybersecurity fight (despite increasing cybersecurity jobs) – and the explosion of IoT devices is poised to give us a further headache.
Cyber risk in an IoT world
“IoT increases the threat landscape in cyber due to its pervasiveness across (all) aspects of our lives.” – Rahul Lobo, Director, Cyber Solution Lead, Security Architecture, EY
It’s no secret that the IoT explosion has begun, with devices that we wear (i.e. smartwatches, activity trackers, medical devices etc.), that we drive (smart vehicles), and that we live and work in with smart homes and offices (heating, cooling).
All these devices have their own software, each with ranging degrees of security.
To put it this way, you choose Microsoft’s Office productivity suite because you generally trust the vendor (Microsoft) to provide a good degree of security for their products. Then you have other organisational software, such as an HR management system, accounting software, a virus scanner… each of these pieces is evaluated before purchase not just for their function, but also the degree of trust you have in the security of the product.
The same goes for each IoT device brought online in an organisational environment. Each device requires careful risk assessment before acquisition and deployment. As Lobo at EY puts it, “Software being inherently insecure and prone to bugs increases the attack surface and hence the threat of cyber-attack on these devices and as such can create a very large security impact.”
The trickle-down impact of IoT device security
IoT devices are unique in that large amounts of data flow through them that can paint a picture of one aspect of an organisation (or individual). For instance, a smart lighting system could potentially tell attackers when there is no one in a building when a physical break-in attempt might be the most successful. Here, information security is at risk.
A virus that exploits a vulnerability in a video security system could have an Ocean’s 8-like impact, where an attacker takes control of the viewing angle of a camera.
If a device is connected to an organisational network without the right network security controls in place, it could start injecting malicious scripts and wreaking havoc on systems.
The implications of insecure IoT devices have the potential to be devastating.
IoT security from a consumer perspective
As individuals, we want to take advantage of the benefits that IoT devices can offer, such as health tracking, driving, home automation control, etc.
But how can we adequately assess the security risk from our devices, knowing they won’t leak data, leave our home networks open to attack, or that the vendor won’t on-sell our details? How can we do this with a limited budget and cybersecurity knowledge?
The solution is to do our own risk assessment, both on the device vendor, as well as on the security of the device itself. We can seek out the advice of trusted companies in the home cybersecurity space, such as Norton.
Thinking about these issues in advance, reading up about the vendor and device security, and consumer and security vendor ratings can go some way to alleviating the risk of personal IoT devices. Deploying trusted security software solutions across home networks and connected devices can also help beef up security.
Can artificial intelligence help secure the web?
Will AI be the silver bullet, saving us from a million insecure IoT devices turning into our own personal bot army from hell? Well, it won’t be a silver bullet, but it sure can help.
“AI can help security teams boost their threat detection and response capabilities, minimise identity fraud, thwart insider threats and reduce false positives in application testing — to name just a few examples.” – IBM’s Security Intelligence
AI is used in a general sense to convey any software that behaves as we’d expect a human to. What people often mean when they say AI is actually machine learning, whereby software finds patterns based on “training data” (large datasets), often patterns that are impossible to spot with a human eye.
As you can imagine, when deployed for security, these sort of software algorithms can find anomalies in incoming or internal data that can point to attacks or security threats. Training machine learning software algorithms to identify “data for goodware” can help identify suspicious outliers.
The problem with cyber attacks
The issue here is that there are countless different types of cyber attacks, for example:
- DDOS attacks, that seek to bring down a website or server due to an unmanageable amount of traffic directed to that resource
- Ransomware, which encrypts files in data storage on a machine in the background before finishing and directing you to pay a ransom for the decryption (which may or may not actually occur if you pay)
- Coin mining viruses, which direct your hardware to mine cryptocurrencies silently in the background
- Phishing attacks, which arrive via email and use social engineering to make people hand over funds, files, or passwords
Each different type of cyber attack requires a different approach to help combat it. New types of cyber attacks arise, and the existing ones become more sophisticated as time goes on. That means that we need different cybersecurity measures for each, that are updated as the attacks evolve, and try and anticipate changes in the security space.
Luckily, there are plenty of companies already offering cyber attack protection bolstered by machine learning at various levels, such as anti-phishing protection in Office 365 (for organisations).
If you’re an organisational decision-maker, you’ll need to find suitably trained professionals to roll out a multi-faceted approach to cybersecurity (including network and device security) that is monitored and updated as appropriate. Setting aside time for your staff to train up in cybersecurity, such as through Cybrary, can also be well worth your while.
Once you think your systems are up to scratch, you can run them through simulated cyber attacks (what’s known as ethical hacking) to see how they hold up in the event of an onslaught.
Hackers can use AI too
With all this being said, it’s not just the good guys who can deploy AI in the cybersecurity fight. You can be sure that the hackers are using all the tools at their disposal to achieve their goals, too.
Kade Morton, Security Consultant at Quantum Security Services gives an example: “Imagine an AI that scans a target, writes its own malware tailored to the target, phishes the individuals it assesses to be most vulnerable, knows what to look for and exfiltrates what it wants.” Scary stuff.
He notes that, “Malicious hackers with access to something like (AI) for automating their reconnaissance of targets, the discovery of vulnerabilities, something that suggests tools and payloads appropriate to those vulnerabilities, illustrates how a number of vulnerabilities could be chained together, and that can advise on the latest defence trends and how to circumvent them.”
Protect yourself and your business
In 2019, it’s time to get serious about cybersecurity or risk it all. While IoT devices are set to streamline our lives they also pose a threat to our cybersecurity which can only be tackled with strong leadership policies, procedures, combative software solutions fuelled by AI and a promise to stay current.