Published on: November 24, 2024
In a recent SafetyDetectives interview, we spoke with Peter Warren, Chair of the Cyber Security Research Institute (CSRI) and a veteran investigative journalist, about the evolving landscape of cybersecurity. With over 35 years of experience in the field, Warren shared insights into the pressing challenges facing the industry today, the rise of AI-driven threats, and the critical role that cybersecurity education plays in defending against cybercrime. He also touched on the unique risks that small to medium-sized businesses face and the strategies needed to protect against them in an increasingly digital world.
Could you share your journey into the cybersecurity field and what led you to become the chair of the Cyber Security Research Institute (CSRI)?
I’ve been a national newspaper journalist in the UK for years, working as an investigative journalist with some of the most renowned investigative units in the world. I started to realize about 35 years ago that hacking and accessing computers was where the future was headed. You had to be where the information was. There’s an old story about a guy who was asked why he robbed banks, and he said, “That’s where the money is.” It’s the same thing with data.
As an investigative journalist, if you’re after compromising documents, you need to know about computers. It was clear early on that hacking and those interested in breaching cybersecurity were going to be the “James Bonds” of the future. That’s where my interest began, and it naturally led me to where I am now, at the Cyber Security Research Institute.
What are the core goals and missions of the Cyber Security Research Institute, and how do they contribute to the evolving landscape of cybersecurity?
The Institute was founded to raise awareness about cybersecurity threats and get a clear understanding of what’s happening in the real world. A lot of cybersecurity companies operate at a distance, working remotely to combat threats. We felt it was important to be more hands-on in our approach, so we do exercises and tests to stay on top of what’s really going on out there.
One example of this was when Wi-Fi first came out, people said you could intercept unprotected streams easily. So we tested it ourselves. We didn’t actually read the messages, because that would’ve been illegal, but we demonstrated that the traffic could be intercepted. Another exercise we did was in Parliament Square. We set up free Wi-Fi and asked for personal information in return. The terms and conditions included that users would give us their eldest child or favorite pet for eternity—just to highlight how careless people can be with open networks. The idea was to raise awareness and encourage people to use virtual private networks (VPNs).
How has the threat landscape changed over the past few years, and what do you see as the most pressing cybersecurity challenges today?
It’s funny—everyone thinks the threat landscape has changed, but we’re really seeing things from the past resurface in new ways. For example, ransomware is one of the biggest challenges today, but 30 years ago, disgruntled employees were already encrypting company data and demanding a ransom. What’s changed is that now, with the internet, ransomware can be executed remotely, making it easier and more widespread.
Going forward, we’re going to see ransomware evolve. I expect to see more attacks on individuals, especially through their mobile phones. It’s a low-hanging fruit, and in parts of the world like Africa, a small ransom could go a long way. I can also see database poisoning becoming a big issue, where attackers insert fake data into a company’s system and demand payment to fix it. The increasing use of AI will also lead to more sophisticated attacks, making the future threat landscape even more dangerous.
With the rise of AI-driven cyberattacks, what strategies or innovations are being developed to counteract such threats?
We’re entering an arms race, where AI will be used to fight AI. Some people are terrified by the idea of AI-driven attacks, but there’s one crucial thing to remember: attackers are always after something, whether it’s data, money, or documents. That gives us an advantage because we know what they’re after.
AI systems are going to focus more on spotting patterns—patterns of data extraction, for example. We’ve already seen cybersecurity companies talk about creating “nervous systems” that can detect hackers moving around within a network. What attackers will do, though, is try to blend into the normal flow of data so they can go undetected. You’re going to see AI trying to act like a regular part of a system to avoid suspicion, while our AI systems will be tasked with identifying unusual activity and stopping data from leaving the network unless it’s approved. It’s going to be a very complicated and challenging battlefield.
How important is cybersecurity education and awareness in combating cybercrime, and what steps should organizations take to improve this?
Cybersecurity education is absolutely essential. The biggest threat we face right now is human error—people clicking on phishing links or sharing too much information online. As AI systems get smarter, they’ll start profiling people on platforms like LinkedIn to identify the easiest targets. There’s even the potential for AI to find patterns in people’s behavior that make them more vulnerable to attack.
Organizations need to focus on raising awareness among their employees, not just about phishing scams but also about the risks of social media. People need to be more careful about what they post online. I’ve seen situations where people announce their new jobs on social media, and it essentially gives away their entire professional network. It’s not very clever, but it’s happening all the time. We need to raise awareness that we’re all under attack, and we have to be vigilant in our online activities.
For small to medium-sized businesses, what are the most overlooked cybersecurity risks, and how can they mitigate these challenges?
The biggest risk for small and medium-sized businesses is their lack of awareness. They often don’t think they’re targets, so they don’t invest in cybersecurity or train their staff properly. As a result, they become easy victims. There’s also a tendency for smaller businesses to view cybersecurity as an overhead cost, something they don’t want to spend money on because it doesn’t directly impact their business operations.
But things are changing. Larger companies are going to demand better cybersecurity practices from smaller businesses if they want to continue working together. This will force smaller companies to improve their cybersecurity or risk losing clients. At the end of the day, cybersecurity is going to become a necessary cost of doing business, and those who don’t adapt will learn the hard way.