A new report by US-based cybersecurity company CyberArk has reiterated the growing threat of hacking. It’s no longer big corporations and financial institutions that need to worry — everyone is a target, from small businesses to increasingly consumers themselves.

Worryingly, due to the sophisticated techniques now used by hackers, they can stay undetected for months or even years. Most people will never even know they’ve been compromised, and if they do, it will be far too late.

“Every company has something of value to protect, something that attackers want. In today’s connected business world, everyone is a potential target,” says Craig Williams, a security researcher with Cisco Talos Security Intelligence and Research Group.

PwC Australia’s national cyber leader, Steve Ingram, says the more technology invades our lives, the greater risk we all face from having our information stolen or systems compromised.

“We’ve now got this whole interconnected cyber-ecosystem where big companies are connected to little ones, international ones connected to local ones, and now with the Internet of Things, consumers are connected to organisations that are connected to other organisations,” he said.

He’s referring to the whole host of so-called smart devices now invading our lives — from baby monitors, home thermostats, TVs and fridges, to the computer in your car that opens the garage door, to medical devices such as wearable health monitors and automated pharmaceutical dispensers.

A recent study by technology company HP emphasised this point, finding that 70 per cent of the most commonly used connected devices contained “serious vulnerabilities”.

According to PwC’s newly released Global State of Information Security Survey, 47 per cent of healthcare providers have integrated consumer technologies such as these into their systems, but only 34 per cent of those have contacted the manufacturer about security, and only 44 per cent have security in place.

“There are two sorts of organisations: those that have been breached and know about it, and those that have been breached,” he said. “It doesn’t matter how big or small you are — you’re of interest.”

The number of reported cybersecurity incidents globally rose by 48 per cent to 42.8 million in 2013, according to PwC. That amounts to 117,339 attacks per day. And as the frequency of attacks rises, so too does the cost of mitigating them.

According to a study by the Center for Strategic and International Studies, malicious cyber activities cost organisations worldwide between $A347 billion to $A1.16 trillion in losses annually.

Mr Ingram uses the acronym ‘OSHI’ to describe the four types of hackers — Organised Crime, State Sponsored, Hacktivists and Insiders.

Organised criminals are “smash and grab”. “They don’t care if they’re detected. They’re after cash or identity information, anything that can be sold. Even the price of personal information on the black market has plummeted, simply because there’s so much available now,” he said.

State-sponsored hackers are more discreet — according to a recent study by security firm Mandiant, the average time between breach and detection is 229 days. They will typically be the ones sitting inside systems for long periods of time, collecting information: “User names, passwords, who you’re sending emails to, who you’re connected with.”

Hacktivists, such as the group Anonymous, tend to be politically motivated. “It might be an environmental group, someone taking offence because you’re providing banking services to the timber industry, for example,” Mr Ingram said.

“They can be difficult to anticipate, but they look for headlines. They want to take your site down, crash your servers with denial of service attacks, that sort of thing.”

The most difficult to deal with is the insider. That includes contractors, subcontractors, vendors, employees and ex-employees. “People are the greatest risk. It’s not necessarily insiders as being malicious, just doing the wrong bloody thing sometimes,” he said.

In the CyberArk report, cyber threat investigators outline how phishing and social engineering techniques have become increasingly more sophisticated and credible-seeming.

“If an attacker sends out 20 or 30 phishing emails, there’s a good chance he’ll penetrate your network,” says Christopher Novak, global head of telecommunications company Verizon’s cyber security team. “The phishing attacks are that sophisticated. No company is immune from them.”

In the report, Peter Tran, senior director with internet security firm RSA, describes setting up fake online personas, pretending to be a “PhD researching cancer therapies or an engineer developing a new laser module for a defence system”.

“It’s a social media honey pot designed to attract an advanced adversary. We see what type of inquiries we get and learn their techniques ... And what we’re seeing is attackers have gotten really good,” he writes.

“They’re masquerading as recruiters and reaching out to high-value targets such as senior engineers, business managers. They use social media to start dialogues with valuable insiders, and they take time to cultivate relationships. Based on what we’ve seen, [attackers are] credible enough to fool most people into providing the entry point they need.”

Mr Ingram his approach to security as protecting the “crown jewels”. “A lock on the door isn’t going to keep a determined criminal out, whether he breaks down the door or gets someone to open it from the inside,” he said.

“Within your house you can’t protect everything, so you need to keep the most important things in a safe. Intellectual property, the formula for Coke, processes for engineering or manufacturing, M&A strategy — anything that’s going to be market sensitive.”

frank.chung@news.com.au

Originally published as ‘No one is safe’: Hacking threat