In five years’ time, the battle to keep data secure against cyber-attacks will descend into a “machine on machine war” with the advancement of artificial intelligence, a former head of MI5 says.
Lord Jonathan Evans, speaking at Jersey Finance’s “An Open World” Annual Private Wealth Conference, told an audience of more than 600 family offices, wealth holders and advisers that attacks would become more sophisticated as hackers made use of semi-autonomous technology.
However, defence systems would evolve accordingly, he said.
“The difficulty with [cybercrime] is it’s a threat that manifests itself in many different ways, and it’s very dynamic. So the sort of issues we are talking about today are not the same issues we were talking about 18 months ago,” Evans, who left MI5 in 2013, said.
While awareness around cybersecurity had increased dramatically in the past five years, as more large-scale attacks were given press attention, it was important for companies and individuals to “keep up with this [issue] because the story keeps changing”.
“You need to ensure you have good technology, and you know what’s going on within your own networks, so you have the ability to detect anomalous behaviour.”
Today, Evans’ work focuses on risk and cybersecurity. Working in the corporate and wider world, he looks at the nature and severity of potential threats from terrorism, commercial rivals, activists and “everyday trouble-makers”.
He said there was still a tendency to see cybercrime as a purely external threat, but many attacks had insider help.
“All cyber-attacks have got human beings somewhere along the road, and of course a proportion are aided by someone within the target organisation either through negligence or deliberate collusion.
“Many defences are to stop unauthorised persons, if the person is in fact authorised, that gets them over the first two or three hurdles.”
It was important for organisations to do a practice run of how they would respond if a security breach did occur, both in terms of containing it and from a public relations point of view.
Evans suggested researching advisers and having them on call ahead of time, and said many cyber insurance packages included crisis support.
Lastly, it was not good enough to only have your own backyard in order. The cybersecurity policies of suppliers also needed careful examination. Evans gave the example of the 2013 hack of US retailer Target, in which attackers gained access to the company’s network via credentials stolen from a third-party heating and ventilation company.
“If you can’t show that you are taking the protection of your client’s data seriously, then they’ll go elsewhere… We need to live as part of a secure eco-system. We can’t do this as an island.”
According to Private & Confidential: The Cyber Security Report, a study by law firm Schillings in partnership with Campden Wealth, 28% of family offices and ultra-high net worth families have experienced a cyber-attack in the past.
More than a third (38%) of respondents said they did not have a cybersecurity plan in place.
Of the 28% who had suffered a cyber-attack, 77% (a fifth of the total sample) had been subject to phishing, a form of social engineering attack targeting a specific individual as a way into the family.
There were stark regional differences in attitudes to cyber security—and levels of preparedness.
Just 26% of Asia-Pacific families have a cyber security plan in place, compared to 66% in Europe, the best-prepared region. Those in North America reported the highest level of known attacks (41%), followed by a 32% attack rate in Europe, 15% in Asia Pacific, and 14% in Emerging Markets.
Evans said that while the idea of a barrage of AI-fuelled attacks seemed frightening, there had been great innovation on the defence side as well as the attack side.
To frame it another way: “Everyone is always talking about AI. It never arrives because when it does, it just becomes a normal part of how computers work.”