As cybersecurity software becomes ever more sophisticated, so do the tactics of cyber criminals. Not only do they find new ways of attacking the same targets, they also find new, softer targets.
The softest target remains the technologically naive user of computers and mobile devices. That can include anyone from a clueless pensioner to business executives who think they know it all.
The most telling conclusion from cybersecurity company Trend Micro's recent 2018 "Security Roundup" report was that "attacks that capitalise on the human desire to respond to urgent requests from authority are on the rise". It found that a category of hacking called "business e-mail compromise", the enterprise version of phishing, was one of the fastest rising. Sites built for phishing increased by a huge 269% in one year.
However, humans are not always more vulnerable than hardware and software. Trend Micro says that, thanks to compromised systems, it saw 224% more bugs in industrial control systems which monitor and regulate factory machinery, sensors, and other equipment managed by computers.
Today, such systems form part of what is collectively known as the Internet of Things (IoT). The very name suggests its vulnerability: because so many devices are now connected, they are also more open to attacks than was ever possible before.
"This is particularly significant for organisations that struggle to implement patches across their systems," Trend Micro reported. "Known vulnerabilities were used to execute the largest attacks in 2018. These tactics rely on vulnerabilities that have had patches available for months, even years, yet remain exposed in corporate networks."
Indi Sriniwasa, vice-president of Trend Micro for sub-Saharan Africa, believes this vulnerability will become fully apparent in a year or two. "We can see attackers taking control of traffic lights and electricity grids.
"We think vehicle tracking in SA is secure. But that's a mature environment. Port authorities, airlines, and other infrastructure are going to see a tipping point when attackers gain control of critical machinery."
A key challenge is that information technology (IT) practitioners, who focus on hardware and software, and operational technology (OT) managers, who look after industrial equipment, have traditionally operated in isolated silos, says Sriniwasa.
"The toughest thing is that IT and OT need to meet in IoT, but most control systems are proprietary, built with a certain purpose, and not with security in mind."
To address this need, Trend Micro has formed a joint venture with an American industrial networking provider, Moxa. The new company, TXOne Networks, will focus on the security needs of IoT environments, including smart manufacturing, smart cities, and connected energy grids.
In other words, wherever IoT is all grown up. "When IoT matures, it will need controls," says Sriniwasa. "When smart cities and smart government arrive, we'll be ready."
• Goldstuck is founder of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on Twitter and Instagram on @art2gee..