Illusion of Cyber Control: Insight from Goldilock’s COO
In today's hyper-connected digital age, cyber threats loom larger than ever before. With individuals and businesses constantly 'plugged in' across multiple devices and platforms, bad actors have increasing numbers of vulnerabilities they are all too eager to exploit.
Stephen Kines, Goldilock's Chief Operating Officer and Co-Founder, is an international corporate lawyer with expertise in complex M&A and tax-efficient commercial transactions in the US, UK and emerging markets, Stephen has been a general counsel for ultra-high-net-worth individuals and families as well as international law firms. He is focused on emerging technologies, including blockchain and cybersecurity.
A former military officer, Stephen is the second-in-command at Goldilock - keeping 'selection and maintenance of the aim' front of mind. Here, he sits down with us to discuss how to defend against cyber threats in an ‘always on’ world.
What are the benefits and drawbacks of living in an ‘always on’ world?
The “always on” culture that we live in, which is largely sold as a good thing, affords never-before-seen levels of convenience and accessibility to individuals and businesses. But this pervasive connectivity can also be our undoing because being connected isn’t the same thing as being in control. In that regard, this “always on” culture may be more aptly described as one that’s suffering from an illusion of control.
It’s not hard to see how we got here. Technology has become so seamlessly integrated into our daily lives that, at this point, calling it ubiquitous is an understatement. But there’s danger in ubiquity. It leads to carelessness. Every day, we effortlessly transition from personal devices to professional platforms without a second thought lulling us into a false sense of security and making us believe that we remain in control even as we navigate a perilously vast digital landscape.
This illusion doesn’t mean we ignore cyber threats. On the contrary, we are almost obtusely aware of them. You’ll find report after report detailing statistics like the cost of cyber threats, their expected rise and bad actors’ new tactics but awareness is only one thing. Doing something about the threats is another. We’ve reached the point today where we believe that our business’ digital security is adequately protected simply because we’re aware of cyber threats. This illusion of control blinds us to the very real vulnerabilities that surround us, turning us into easy prey for bad actors.
Cyber awareness and cyber defence – what are the differences?
There’s yet another layer to this illusion of control: too many of us are talking the talk instead of walking the walk. We know that cyber threats are costly. We know that we are vulnerable. We know that businesses need to step up to the plate and reinforce their cyber defences. So in response, we devise new cybersecurity legislation and threaten those who don’t adapt with hefty fees and reputational damage, as evidenced by policies like the NIS Regulations and the EU Cybersecurity Act.
There is a legitimate call for alarm. After all, almost everything we do as businesses is online. So it makes sense that the more online we become (and thus the more cybercriminals stand to gain from breaching our networks), the more governments and cybersecurity vendors pour into research and development to try and find new solutions.
Despite all this, cyber threats are frighteningly widespread. In 2023 alone, IT Governance reported a total of six billion publicly disclosed security incidents. This is the result of not enough definitive action that can actually stop attacks.
Today, an alarming number of cybersecurity vendors are telling corporations that being hacked is inevitable and to “assume you will be breached.” Does this compromised mindset sound familiar?
The unfortunate reality is that we have surrendered control and accountability to cybersecurity firms who are supposed to protect us and then they turn around and tell us that sure-fire protection isn’t actually possible.
In our era of disinformation, misinformation, and cyberthreats, it’s hard to discern who or what is real. Cybercriminals know this and they know that what we’re doing to try to bolster our cybersecurity defences isn’t really working.
Businesses have been deploying the same techniques over and over again, for example creating new software, building new cloud solutions, and designing new systems. Unfortunately, these solutions can all too often be reverse-engineered and backdoored, or even compromised during development.
Long story short, we’ve locked ourselves into a vicious cycle of “Innovation, breach. Innovation, breach.” Every time we think we take a step forward, it’s not long before the bad actors push us two steps back. If we keep at it with the same old, same old, things are going to get worse.
What is the current state of the evolving threat landscape?
This approach is clearly not enough. With the current threat landscape, it’s more important than ever for businesses to be as vigilant as possible. The NCSC’s 2023 annual review highlighted the problems AI could pose as it continues to develop and end up in the hands of the wrong people.
As with any new technology, there are always going to be malicious actors aiming to weaponise emerging technology. Unfortunately, the potential for AI to be used negatively is high, allowing criminals to carry out more targeted attacks. AI is already being used to create custom malware specifically designed to evade traditional security measures. It can also be used to automate cyberattacks. In other words, it’s going to become much more difficult to defend against cyberattacks.
Highlighted in the NCSC’s review as ‘enduring and significant’ , the cyber threats facing critical national infrastructure (CNI) have also evolved in recent years. Whilst CNI has become more dependent on digital infrastructure to run, the rise of state-aligned groups, driven by ongoing geopolitical challenges, pose an increasing threat.
In the UK alone attacks targeting South Staffordshire Water, The Royal Mail and NHS 111 have taken place in recent years. Whilst state-aligned attacks are not necessarily new, the threat is exacerbated by AI which allows persistent and novel forms of attacks. In an environment where businesses and CNI assume their security is under control, these threats will become more and more difficult to defend against if organisations don’t act now.
How can peace of mind be achieved?
We’re already paying a very dear price for our cyber vulnerability. In 2023, the global average cost of data breaches was US$4.45m. Looking ahead, Cybersecurity Ventures forecasts a 15% per year increase in the cost of global cybercrime, hitting US$10.5tn by 2025. It’s clear that our traditional methods are insufficient. And doubling down on redundant cloud solutions and legislation is just part of our blind attempt to think we’re making any kind of meaningful impact in keeping criminals at bay.
It’s all a part of this illusion of control organisations have but it’s time to face reality. Today, it is simply impossible to have real peace of mind about the security of our digital assets because if our businesses are “always on,” then they’re always just within arms’ reach of cyber criminals. The truth is that no matter what safeguards we come up with, anything connected to the internet can be stolen, breached, or leaked by third parties.
To successfully mitigate these threats, it comes down to learning when to disconnect. Controlling when our devices, networks and systems are connected to the internet is key.
Even better, making the default to disconnect, until we need to be online will put the power back in the hands of the user. It may sound radical, but if we want to keep criminals away from our business’ data, then we have to take it off the table.
Because the only thing that’s safe on the internet is something that’s not on the internet.
**************
Make sure you check out the latest industry news and insights at Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
**************
Cyber Magazine is a BizClik brand
*************
