The cyber threat landscape is continually shifting. As a result, staying ahead of cyber crime is a significant challenge for both organisations and individuals.
I joined industry experts on a panel to consider the problem from the perspective of the victims and how they can best be protected.
At Tortoise Media’s recent Cyber Security Summit, I was privileged to join a panel of cyber security experts – Rashmy Chatterjee, CEO of ISTARI, Dave Harvey, Head of UK Cybersecurity at FTI Consulting, and Dave Atkinson, Founder and CEO of SenseOn – to consider the victims of cyber attacks, any trends or patterns associated with these, and what we can do to protect ourselves.
What does a victim of a cyber attack look like?
The answer is, of course, just like you and me. Basically anyone with access to the internet is vulnerable to a greater or lesser extent, depending on how well versed they are in cyber protection measures.
The phrase ‘Follow the money’ cropped up a couple of times in discussion, and it was agreed that a key characteristic shared by those organisations successfully targeted by cyber criminals is that they tend to be in industries which haven’t invested in their IT infrastructure. Of course, in regulated industries dependent on grudge purchases – such as gas and electricity – and in a number of government and public bodies, the challenge has often been not having the budget for the right level of investment, and this has weakened their position.
Industries which rely on their supply chains are particularly vulnerable, and this has been evidenced more recently in the manufacturing distribution sector, such as the recent attacks on US supply chains. Ditto any organisation involved in critical infrastructure, such as energy and telecommunications – or those with geopolitical adversaries. Cyber security investment hasn’t traditionally been prioritised – indeed, cyber was named as one of the top five most difficult skills to find when hiring talent into an organisation by respondents to the Capita Institute’s Pulse 3 great opportunity debate research, which polled over 350 senior decision-makers on how they have been dealing with key business concerns during the pandemic. A cyber attack is therefore a highly effective way of slowing down the progress of an adversary, often exacerbated by the disconnect between operations and IT.
At the other end of the scale, but no less a victim than the biggest organisations and governments, are the end consumers – those subject to personal data breaches, and those who can’t book a hospital appointment or take a holiday flight because the system has been hacked.
Cyber resilience is key in an increasingly digital space
The world was already becoming more digital before Covid-19, but the pandemic has accelerated that trajectory, creating an expanded threat surface with so many of us working from home. This pace of development means that companies must be focused not only on their digital resources and IT infrastructure, but on building robust foundations to ensure they’ll be able to withstand the continuing evolution of the cybercriminal of the future.
They need to make sure their operational systems allow for constant evolution, and that they’re always assessing for new risk as the underworld itself develops. The fact that you can buy Ransomware-as-a-Service is evidence of how quickly the stakes have been raised – these affiliate models of cybercrime groups are making it possible for criminals to operate in the ransomware field without the usual technical skills, functionality or infrastructure. Cyber crime is no longer the prerogative of the tech savvy.
The rise of cryptocurrencies has monetised pretty much every industry – suddenly those looking for ill-gotten gains aren’t limited to robbing banks to raise funds. Indeed, banks themselves have always had to be ahead of the security game and therefore tend to have a more robust IT infrastructure than those whose core business isn’t about money, leaving much easier – and far more plentiful – low-hanging fruit for cyber criminals.
Educate those who matter…and that’s everyone
Ultimately an organisation’s employees are its first line of defence. Data around how breaches came about, and how the vulnerability arose, is crucial insight – it’s not just about flexing the latest security technology, but about social engineering and education. We agreed how important it was to grow the pool of expertise, both at a basic level – such as encouraging colleagues not to have obvious passwords – and in terms of knowledge transfer and talent acquisition.
In this respect it’s important to think outside the box about the valuable non-STEM aptitudes and skills needed to succeed in cyber security, including those acquired in areas such as law enforcement, psychology, the Ministry of Defence and forensics. With some technical training, humanities specialists can be highly successful cyber security professionals but are all too often overlooked because they don’t have the traditional IT qualifications. Diversity is, then, an important cornerstone of an organisation’s protection strategy.
Practice makes perfect when it comes to an effective response
For corporations, crisis simulation – or exercising – to determine an organisation’s strategy in the face of an attack is critical for ensuring an effective response should the worst happen. Preparation around risk and reputation exposure must be led at board level rather than being seen as a responsibility specific to the Chief Information/Technology Officer role.
Knowing that the board is aligned in the philosophy of how to respond to a ransom demand, how much downtime can be shouldered, how this will affect different functions, how to communicate with employees in the event of an incident – all of these are crucial to practise, considering the situation from a range of different perspectives before the real-life crisis itself.
A safe place to report ransom attacks
A major concern is that those companies subject to cyber attacks are often reluctant, for reputational reasons, to go public. This means there are a large number of companies paying ransoms at any one time.
Their reluctance to disclose what’s happened is understandable, but at the same time this silence is preventing collective action. We discussed how introducing a mandatory reporting requirement – without it being disclosed further than that – would help in facilitating information-sharing for the common good, to open up the possibility of an unhackable future.