Nearly daily we see new stories of cybercriminals breaching security walls, stealing valuable data, and then holding it hostage in return for money. Companies risk exposing valued customer data as well as their own reputations, placing their credibility in disarray.
But targeting takes a different, far more nefarious turn when these attacks result in loss of life, the sad truth of a September attack on a German hospital that kept healthcare providers from doing their jobs. A young woman lost her life because she had to be transferred to another hospital that hadn’t been hacked.
Healthcare facilities are easy targets, unfortunately. They can’t afford to be down, making them more likely to pay quickly when a ransomware attack happens. Yet for any industry with critical data, the risks are only increasing.
And new technology like quantum computing open new attack vectors, leaving CISOs at even greater risk to the unknown.
Starting with a two-step process, you can begin to prepare for what the future may hold.
Know Your Data Vulnerabilities
North Korea’s 2017 “WannaCry” ransomware attack didn’t specifically target hospitals — more than 200,000 computers worldwide were infected — yet systems at National Health Service hospitals across the UK were shut down, resulting in 19,000 cancelled surgeries and appointments at a cost of more than $100 million.
Why was the UK healthcare infrastructure hit so hard? Because hospitals were running older, more vulnerable Windows operating systems. Once the malware got in, it hopscotched unimpeded from computer to computer.
With a candid assessment of your data, its importance, and a review of your security weak points, you can begin to isolate your most critical data and limit exposure.
- Define your most critical data. It’s the regulated information that has a long shelf life, like personally identifiable information (PII) or Social Security numbers, or information that is unique to your organization, such as truly proprietary or defined intellectual property.
- Assess data access points. Perhaps the data stored in outdated systems or accessed via legacy infrastructure with perforated firewall protection. Or consider your security systems reliant on a single vendor, which opens a door to a hacker concentrating in one family of technology. Once they’re inside, hackers have the knowhow to roam around more quickly through familiar territory.
Only by understanding the full scope of your vulnerabilities can you isolate near-term solutions.
A Whole New Meaning of Future-Proof
The challenge with security does not stem solely from the fear of being attacked — you know breaches will happen. It’s a matter of being prepared for how to best handle the attack when it comes.
Quantum computing represents a new paradigm in computing, which means security and encryption technologies need to brace for what’s coming with a whole new set of rules. Unfortunately, most companies aren’t ready for quantum-based attacks.
Quantum physics guides this new approach. While traditional computing relies on binary algorithms with values (bits) set at zero or one, quantum computing relies on the properties of light, which can flex and bend, entangle and spin to form values (qubits) with any combination of zero and one simultaneously. This fundamental ability, known as superpositioning, creates both tremendous opportunities for computing power (albeit resulting in new monumental security challenges from bad actors with access to the vaster hacking capability from using quantum computers), as well as new opportunities for greater protection by deploying quantum-based security technologies.
Quantum computing will allow for vast quantities of data to be computed millions of times more quickly — Google last year estimated that a task that took its quantum computer 200 seconds to complete would have taken a traditional machine more than 10,000 years to manage.
On the other hand, companies use and store their most valuable data under the protection of encryption keys, assuming that hackers can’t crack those keys, or at the very least, that it will take thousands of years of brute force computing to break the encryption keys and gain access to the data.
As hackers from China, Russia, South Korea and Iran get more sophisticated — especially from China, with its world-leading investments in quantum technology — the risk is that they’ll play the waiting game: copy data as it is being transmitted and hold it, while companies may be unaware their data is even missing. When these nefarious actors can eventually deploy quantum computers, they’ll be able to crack standard encryption technologies and read all that previously copied and stored information. This attack is known as “harvest today, decrypt tomorrow” or harvesting attacks.
Of course, the only way to protect against future threats – both financially motivated and those far more malevolent, even life threatening – is to future-proof your data security and make your crypto environments quantum-safe now.
One approach is to deploy crypto-agile solutions that can evolve with the threat landscape. Next-generation, quantum-enhanced keys are available to address the quantum threat. For example, because all modern encryption methodologies use randomly-generated numbers, a Quantum Random Number Generator (QRNG)can produce the purest entropy (greatest randomness) of any random number generator — and therefore offers an even greater level of encryption protection. Another option is to deploy a quantum-safe, out-of-band encryption key distribution system that can make classical keys quantum resistant while also providing a crypto-agile key infrastructure which can evolve with the threat landscape and as security needs intensify and change.
With the exponential increases in data quantity and value through advancements like Artificial Intelligence (AI), IoT (Internet of Things mobile devices), and 5G networks, enabling ever-faster downloads and data transfers, criminal motivations and timeframes are changing, and so is cyberwarfare.
Security professionals who think beyond today’s problems can develop and deploy processes and encryption solutions to stay ahead of the hackers.