Molouk Y. Ba-Isa
Saudi Gazette
Here we are in the New Year and the struggles continue with the same old information security problems – along with a tidal wave of new ones. Some security issues will be attributed to criminal elements working for terror and destruction – along with a massive payday. Few cybercriminals are caught and prosecuted, so with deterrence lacking, online crime is increasing. It's also very easy these days to become a cybercriminal. Social networks specializing in criminal activity are a reality and “professionals” can be paid to provide the resources for specific portions of the wrongdoing.
Unfortunately, though, cybercriminals have lots of help. Many information security breaches are aided by laziness, arrogance and stupidity. People are too arrogant to install security software on their devices, thinking they are somehow immune to security issues. They are too lazy to upgrade to the latest versions of applications or install recommended security patches on operating systems. As for stupidity, take the example provided by a security manager from a Jubail industrial company. He related that the company sent a test email out to their staff that simulated a spam email with a link to a possibly malicious website. About twenty percent of the recipients of the email clicked on the link! The company started an effort to counsel those employees to control the urge to click and further restricted their Internet access.
Businesses need to get proactive about information security awareness because every security consultant believes that targeted attacks against companies will rise. In some instances the attacks will be industrial espionage. It costs a lot less to steal technology than to develop it, and information about productivity and costs can provide profitable advantages. Criminal elements are also interested in probing for network weaknesses or monitoring networking technology use so they can be ready for future “opportunities.”
There is increasing concern around the security of Supervisory Control and Data Acquisition (SCADA) industrial control systems. SCADA systems are used everywhere in the Kingdom, from Saudi Arabia's water desalination units to its gas and oil operations. These systems have their own security issues and there aren't enough local experts to handle them.
A new area of possible weakness in digital system security is medical technology. Unsecured wireless communication with devices from drug delivery systems to pacemakers could compromise patient safety. As of this moment, there's no instance of it occurring in reality, but a US television program showed how, by hacking into a pacemaker, a massive shock of voltage could be delivered to the user, resulting in death.
For consumers, the mobile devices that everyone loves have become the favorite criminal target. The US Federal Communications Commission reported that one in three robberies in America involved the theft of a mobile phone. There are no statistics for Saudi Arabia, but reports of phone thefts everywhere from street corners to funerals confirm that people need to protect mobile devices both in the real and virtual worlds.
In the past, the worst that could happen if a phone were stolen was that the number would be abused and the contacts would be lost. Now, get ready for a giant mess. People carry too much data on their handsets – both confidential personal and business data. Few people back up their devices. Many folks don't even do the basics and password-protect their handsets. When I hear from a business acquaintance that they've lost my contact details because their phone was lost, stolen or damaged, I know this person lacks security awareness. In the future I carefully consider what to share with such an individual.
There are so many computer and cloud-based backup solutions and sync applications that losing essential data is a sign that a person is either careless or massively overscheduled – and neither is a good recommendation.
Plenty of people have transferred the “click urge” from their PC to their mobile and they will click on any “like” button that appears. Last week the CEO of a company told me that I was the first person who had ever asked why he wanted to join my LinkedIn network. The link in a “like” button could lead to a malicious location, plus online communities are increasingly being used to facilitate cyber-attacks through technical or social engineering vulnerabilities. Add in mobile banking and the ignorance of many Saudi companies in allowing smartphones unfettered access to their networks and it's no surprise that criminals are so interested in gaining access to mobile devices.
The fight against cybercrime begins with information security awareness. Spend some time reading this weekend. There are good reports on the topic from Websense at http://www.websense.com/content/2013-security-predictions-report.aspx and McAfee at http://www.mcafee.com/sg/resources/reports/rp-threat-predictions-2013.pdf. Then, act on what you learn with regard to your own technology and behavior, and spread the information to anyone who will listen. The first time someone tells you that the tips you provided helped them dodge a cybercrime, you'll become a cyber hero.