Security is at the heart of the DCC. The smart meter network operates to the highest standards in Europe and is endorsed by the National Cyber Security Centre.
Cyberattacks make possible a scale of criminality that is beyond anything seen in the physical world. A traditional thief or burglar is very limited compared to the scale cybercriminals operate on - just 1GB of data translates to about 150 reams of paper. Sadly, there is no silver bullet for this epidemic; we must all become aware of the methods that cybercriminals will use in 2022. Throughout the year, Bob's Business and DCC will walk you through what 2022 holds for the world of cybersecurity and what to look out for. So put on your smart kettle and let's make you into a cyberwarrior!
Ransomware will evolve into multi-level extortion
Ransomware is the biggest threat to people and businesses in 2022. You are probably aware of ransomware, but you are probably less aware of how rapidly it is evolving. You might imagine a ransomware attack involves encrypting some files, then seeing what kind of price can be negotiated for them to be decrypted. However, gone are the days when these attacks occurred in a single instance.
Ransomware is exploding on the darkweb, and it will evolve into a fully fledged service that can be bought by anyone who knows where to look. Sophisticated groups are emerging that will offer a range of ransomware services.
Attackers are even beginning to specialise in different phases of ransomware attacks, and have already begun to sell their services on the darkweb. Right now, you can buy the malware required for less than £50, but I’m not going to tell you where!
Ransomware attacks will now occur over weeks and months, beginning with reconnaissance of a person’s digital infrastructure. In this phase, attackers are learning about your software and its update cycles, and finding out where your “crown jewels” are kept (the most personal and sensitive data you have stored on yourself and anyone you know). They are also working out the most effective time to activate their malware, so that it will cause as much damage as possible.
Such risks are compounded within a company, most notably amongst companies that are part of critical national infrastructure. Energy suppliers, internet providers and governmental departments all hold massive amounts of personal data on all of us: staff, customers and business partners. Their cyber-resilience - in other words, their policies and action plan in the event of an attack - will determine what happens to the information they have stored on us. The DCC protects data to the highest standards anywhere in Europe. It even goes so far as to run regular ‘black swan’ crisis exercises; these security breach simulations make sure everyone knows what to do in the event of an incident.
Be on the lookout for spear phishing and whaling attacks
This will be the most popular method of infiltration over 2022. Phishing and whaling attacks are evolving into communications with incredible detail and relevance to each victim. You will more than likely spot the suspicious emails claiming millions in foreign investment from fakemail@gmail.com. But will you spot the emails that appear to be from your children’s school, or one of your subscription services? The same applies at work: how many of your colleagues would open an email that appeared to be from your paper supplier, without considering that it might be a phishing email?
Cybercriminals have higher success rates than many marketing campaigns because they achieve a level of intimate knowledge about you, by utilising your digital footprint.
A resource that is readily available online, your digital footprint allows cybercriminals to create false communications from someone you trust. For those of you who do not know, your digital footprint consists of two parts: passive and active.
Your passive digital footprint refers to data gathered without you knowing, such as how many times you visited a particular website. For example, did you know that Netflix knows how long you hover over each show’s thumbnail in the menu?
Your active digital footprint is anything you have chosen to share - everything from your social media posts, to the cookies you consent to for apps and websites. Unfortunately, this information is as available to cybercriminals as it is available to these companies.
Try searching for yourself and your IP address online; it will give you an idea of how much information someone not trained in cyberattacks can find. You can find out what your IP address is by searching “what’s my IP address” in any popular search engine. Your IP address is your digital fingerprint, however, so make sure you don’t tell anyone what it is!
We will all need to practise good cyber-awareness and good cyber-hygiene
Currently, over 90% of successful cyberattacks are a result of human error, not some hacker in a hoodie breaking through a firewall. So how exactly do you stop all of these attacks? We must change the narrative and become the tip of the spear in the fight against cybercrime, rather than the liability in our own lives.
Employers will also, more and more, recognise their staff are the front line and the first level of defence against cyberattacks.
We expect investment to be placed into training staff in cyber-awareness, in order to mitigate attacks as much as possible. We have put in place a training programme with the DCC, so their staff stay at the forefront of cybersecurity awareness.
Say you are a hacker planning your next attack: would you attack a company that had just put all its staff through cybersecurity training, or a company that doesn't think cyberattacks would happen to it? This is what makes the DCC leaders in security across Europe, because their security breach simulations ensure they are prepared if any cybercriminal attempts to break into their system.
Then there is cyber-hygiene. So what is this term all about? It's basically how you act online. For instance, do you accept cookies on websites and apps? Do you ever review which sites and apps you have given these permissions to? Do you post details about yourself that can be used to ascertain what your passwords are, or use the same patterns for your passwords? We are all guilty, myself included; it’s almost impossible to remember a random collection of numbers and symbols. I recommend using a password manager that requires two-step verification, ideally biometric as this is the most difficult to crack. The alternative is to write down all of your passwords and keep this list in a very safe place, like where you keep all the passports and birth certificates.
Where you work, if any member of staff is unaware of how their password can be uncovered then everyone’s work becomes compromised. However, because company, home and other networks are now inextricably linked, an attacker can move onto your home network from your company network and vice versa. If a co-worker has their home network breached, that same malware can travel to anything connected to your network; this includes any network you visit, such as your friends’ and family’s networks.
In our next piece we will be taking a closer look at the integration between different networks, from your work to your coffee shop, but most importantly how to navigate them safely.
Melanie Oldham
CEO, Bob's Business