Picture it: you’re about to go out of town for a week and you’ve programmed your home’s smart thermostat to know your schedule so you’re not paying for heating or cooling you’re not using while you’re gone.
With 60.4 million U.S. homes using some level of smart home devices in 2023, this is a common scenario, but what most of us don’t consider are the 12,000 hack attempts on smart home devices per week – including smart thermostat hacks that can spike temperatures and, in a worst-case scenario, tell hackers exactly when you’ll be away from home.
October is Cybersecurity Awareness Month, and with so many people – and devices – now “on the network,” it’s more critical than ever for individuals as well as businesses to stay vigilant against cybersecurity attacks.
As Cybersecurity Awareness Month marks its 20th anniversary, I had a conversation with Jeff Reichard, Veeam’s Vice President of Solution Strategy, about how cybersecurity has changed in two decades and how we can all keep up with its ever-evolving landscape.
How did you become involved in the cybersecurity space?
Reichard explains that his second job out of college – working in the data center at Stanford University – had him running data backups, and his career in data replication and data backup provided the building blocks for his eventual introduction to cybersecurity.
“If my data gets corrupted, if my resources go down, I need to be able to get those resources running again to restore availability. There has always been an obvious but sort of unrelated relationship between data backup, disaster recovery and security. What’s interesting, and what’s pulled me into more and more and more security conversations over the past couple of years, is that that relationship, especially since the advent of ransomware, is not unrelated anymore, right? It’s front and center.”
How has the landscape of cybersecurity changed over the past 20 years?
“There are some ‘big picture’ events that have happened, but cyber risks have been around for a long time. One useful way to look at the evolution of cyber risk is to see how cyber insurance has changed over time. Cyber insurance policies have actually been around since the dot com boom of the 1990s,” said Reichard:
1990s: the Dot Com Boom and Cyber Insurance
“That was when businesses first started having an online presence that was relevant to their revenue and bottom lines. Those cyber insurance policies were all about service interruption – do I have financial losses because my website goes down and people can’t buy books from Amazon, for example.”
2003: California Online Privacy Protection Act
“California tends to be a leader in terms of legislation like this,” said Reichard. “And they realized that, wow, all these people are doing business online and there should be some kind of legislation of that business. If that data gets stolen, there should be some regulations and consequences for that.”
Reichard adds that the General Data Protection Regulation (GDPR) and similar privacy legislation also passed in other countries as more businesses turned to the World Wide Web to increase their revenue streams. At this point, cyber insurance policies pivoted to cover both business interruptions and losses due to privacy breaches.
2000s-Present: Computer Viruses and Ransomware
And that additive dynamic has continued. “In terms of the threats that people face, unfortunately, it’s been kind of an additive process,” said Reichard. “It’s not like any of the threats went away, except maybe if you look at the original targets of ransomware – they were mom-and-pop. There were people trying to fish to get 500 bucks out of you and me, whereas now they want 15 million or 30 million bucks from MGM. So, it’s a different story now.”
In addition to ransomware demands and targets evolving, Reichard says the types of attacks have also gotten more sophisticated over time.
“Back in 2000, the ILOVEYOU worm, which was a very primitive, script-based worm, spread itself through email attachments and then forwarded itself to victims’ contacts. It was technically extremely primitive, but the estimates are $10 billion worth of damage worldwide,” he said. “Fast forward to 2010 and centrifuges in Iran being used as part of their nuclear development program were targeted by the STUXNET attack. This is a security incident with bigger ramifications, both globally and because it continued the additive process of cyber risk. Now we’re adding nation-state actors with geopolitical agendas into the global malware risk landscape.”
In your opinion, what impact has Cybersecurity Awareness Month had on raising awareness about cybersecurity globally?
“I think it’s a good thing – it can’t do anything but help,” said Reichard. “Gartner talked about top trends for 2023 and focusing not so much on the technology and process but focusing on the people – the whole focus is to reach people.”
Speaking of people, what emerging trends in cybersecurity are you observing that are critical for not only businesses, but everyone to be aware of?
Reichard reiterated a previous point – types and targets of cybersecurity attacks are constantly evolving, to the point where, in addition to vulnerable businesses falling victim to cyberattacks, regular individuals now also need to be vigilant within their own home setups.
“An awful lot of things that used to not be considered cyber risks now are, and that trend is only going to accelerate,” he said. “I recently remodeled my kitchen, and my dishwasher and my refrigerator wanted me to connect them to the network. I have not connected any of those things to the network and I will not. I don’t need my fridge talking to the network for anything,” said Reichard.
How should people observe Cybersecurity Awareness Month?
“Stay curious about the topic because it’s changing rapidly, and everything you learn is likely to morph but not become obsolete,” said Reichard. “Stay safe out there.”