Cyber-terrorism: more Hollywood fad than genuine fear
While there can be no doubt that cyber-crime and cyber-terrorism are real threats, the dangers they pose are nowhere near what blockbuster films would have you believe.
Cyber-terrorism occurs when criminals exploit a quarry's computers, data networks and information systems, usually via the Internet, to cause physical, real-world damage, or severe disruption of infrastructure or services.
Since 9/11, institutional fears of cyber-attacks on financial institutions, military installations, power grids, nuclear facilities, chemical plants, dams, airports or telecommunications and navigation satellites have grown exponentially. These fears have been further exacerbated by genuine onslaughts - such as the November 2014 cyber-attack against Sony Pictures at the hands of North Korean hackers, or the more recent and currently under investigation Russian interference in the US election.
A key reason people fear cyber-terrorism is that there is a relatively low barrier to entry, says Ryan Roseveare, MD at BUI. Furthermore, as technology proliferates and the world collectively becomes more tech-savvy, new players, be they non-state actors or states themselves, are expected to emerge.
"Cyber-attacks come in two forms: the first is an attack against data, while the second focuses on control systems. The first type attempts to steal or corrupt data and deny services, and is clearly the category into which the vast majority of attacks fall, such as credit-card number theft, Web site vandalism and the occasional major denial-of-service assault."
"Control-system attacks, on the other hand, would be those that attempt to disable or take over operations used to maintain physical infrastructure, such as the distributed control systems that regulate water supplies, electrical transmission networks and railroads. Although examples of such attacks exist, the catastrophic disasters that usually accompany such an attack are mainly the stuff of Hollywood screen writing, as opposed to reality."
Roseveare points out that the film industry loves exciting drama, and usually only achieves this by dialling things up to 11. And when it comes to hacking and cyber-crime, Hollywood has been upping the ante for decades.
A case in point is the 1983 film 'War Games', where a high school student hacks into a military supercomputer and activates the US nuclear arsenal, almost causing an atomic Armageddon. Since then, screenwriters have regularly used the trope of the dangerous hacker who causes trouble - from 'Hackers' in 1995, where a teenager gets banned from using computers after writing a virus that causes the biggest stock exchange crash in history, all the way through to 2007's 'Live Free or Die Hard', where the bad guy plans to take down the entire computer and technological structure that supports the US economy. Most recently, the 'Grey's Anatomy' Season 14 mid-season finale saw the hospital systems attacked by ransomware.
"Hollywood just loves to amp up the dangers of cyber-warfare and cyber-terrorism. While there is no doubt it is a genuine thing, the doomsday scenarios of cyber-terrorism that result in massive deaths or injury remain only in the realm of Hollywood scripts and conspiracy theories."
"It is worth noting that although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult and a physical attack on the electricity, water or transport infrastructure still remains a far more probable - and is far more likely to cause real damage - than an attack targeting the cyber-infrastructure that controls these systems," he explains.
Of course, continues Roseveare, just because Hollywood overcooks the potential damage that such attacks can do, doesn't mean that businesses should forego security. And just because your employees are not cyber-criminals does not mean you shouldn't know who in your organisation is accessing what. To achieve this, he adds, it is still vital to instil a robust security culture.
"It is essential for a business to have an IT security strategy in place, and it is important to align this strategy to the enterprise's overall security culture. The IT security strategy can only be truly effective if there is a strong security culture embedded into the very fabric of the company's operations. This means ensuring that your people are security-aware and that it is constantly top-of-mind for them."
Remember, he points out, that educated employees are more likely to spot threats quickly, meaning they can be addressed as rapidly as possible.
Moreover, threats are constantly evolving, so your security culture must as well, forming a constant part of the mindset and habits of employees. A strong security culture, in turn, begins with a well-defined and properly enforced security policy. Such a policy should start at the very top of the leadership pyramid and include a defined baseline of security requirements; defined requirements around what meets or exceeds the industry and regulations obligations; and should be aligned to the risk appetite of the organisation.
"The communication of security requirements and security awareness go hand in hand in building a strong security culture. More effective communication creates greater awareness, and with more security awareness, individual employees are more likely to incorporate security into their day-to-day thinking and decision-making. As a result, security becomes thoroughly embedded into the mindset and work habits of each employee, thereby creating a strong security culture."
"Such an approach will go a long way towards securing your company against virtually all insidious threats - with the possible exception of blockbuster movies, that will, I am sure, continue to create new and more incredible cyber-disasters as we move forward," he concludes.