Acknowledging that criminal activity is becoming more sophisticated, in this article our experts highlight five areas of immediate concern and warn that businesses must be prepared or risk devastation.
In recent years the cyber security challenge from hostile states and increasingly well-organised criminals has contributed to a sense of uncertainty in society. Governments have not yet found a way to deter these states from destructive action, and few cyber criminals are caught and punished. The advantage seems to be with the offender, and so, to strengthen defence, governments and regulators are placing greater onus on individual businesses and sectoral organisations to deliver security.
It’s no surprise that businesses are struggling with this responsibility. Many feel the complexity and cost of the task, not to mention the rate at which they are required to change, mean they can never keep pace with cyber threats.
We have entered a period of cyber self-reliance, where the private sector is expected to confront more and more complex threats. Companies incur significant financial and reputational risk if their data and cyber security arrangements are not up to scratch. No enterprise can secure itself unsupported with what it learns from within its own systems. Security providers are best placed to learn and share the lessons across industries, and have a dynamic approach to the technologies and techniques that will keep a customer enterprise safe.
Five areas of immediate concern
- Regulation and financial exposure
The ‘technical security principle’ in the General Data Protection Regulation, which requires companies to “ensure organisational and technical measures appropriate to the risk” when protecting customers’ data, has profound consequences. Boards have to be aware of the risks and must take organisational and technical steps to mitigate them to an acceptable level.
Cyber security breaches are often in the news and details of the techniques used by cyber criminals are increasingly made public by national authorities such as the NCSC, or are shared through threat intelligence networks. So Boards cannot plead ignorance of the risks and, should they fail to meet the requirements, can expect fines well in excess of past ICO penalties.
We are also seeing the birth of cyber-based ‘class actions’ where, in addition to ICO fines, consumers are seeking compensation when their personal information has been compromised in a breach. Some see this as potentially a new PPI-type ‘feeding frenzy’.
- Ever-evolving threats
The rate of change in threat and its range continues to increase exponentially. The techniques employed by hostile actors – criminals, hacktivists and nation states – have widened (and consolidated), with attacks becoming ever-more sophisticated and purposeful. The market for providers of zero-day exploits and the resale of stolen exploits is thriving. Collateral damage can be enormous as the line between nation states and criminals becomes blurred.
Companies need a detailed understanding of each potential threat. They can then develop mitigation strategies and prepare appropriate responses for the full range of possible outcomes. They cannot risk the Darwinian effect of ignoring technical evolution. So-called ‘polymorphic’ malware, now readily available online, means that previously successful defences can be overcome. Recognising a breach of your network weeks or months after the event just won’t do. You will learn much from knowing the data and activity on your networks.
- Your points of weakness are growing
Over recent years we have learned that undersea cables, telephony routers, ubiquitous chips, commodity software, managed service provision and technical supply chains cannot be relied upon to be secure. Exogenous, large-scale interception, control and infiltration techniques are becoming widely known.
Businesses must know and react to what is happening endogenously within their environments, and progressively in their supply chain. With Ponemon reporting that 65% of breaches originated at a third party, and with 75% of respondents saying that this figure is increasing, due diligence and governance around third parties should be a key focus for all businesses. Situational awareness is essential, and boards should be explicit about what steps they take to understand the risks.
- Geopolitical factors
There is a close interplay between the techniques being developed and used by nation states and those employed by criminals. Russia, Iran and DPRK have all used criminal techniques, employed criminal gangs or sent out destructive attacks disguised as ransomware. Note the speed with which Vault7 exploits were incorporated into criminal malware but then used by states: NSA exploit ETERNALBLUE was published by WikiLeaks and became the primary mechanism for WannaCry and NotPetya.
Populism, eco protest and anti-Americanism fuelled by dislike for President Trump, along with more general anti-government feeling and dissatisfaction with the status quo, continue to grow. These often involve social media campaigns.
We can expect this ill feeling to lead to direct action online. Your approach to Brexit or staff recruitment, the use of water and/or plastics, or the carbon impact of delivery logistics could all drive a desire to hurt big brands. In these scenarios brand protection and prepared defence are everything.
- Retaliation targeting
States are increasingly developing or buying capabilities to interfere with industrial control systems, and are ever more willing to use them (not least to test them as weapons). For instance, as sanctions bite against Iran or Russia, iconic western brands can expect to be targeted in response. As businesses seek to take advantage of the industrial IoT, cyber security must be a central feature of their strategy and, indeed, systems architecture.
What should businesses do about detecting and responding to cyber events?
It is vital that businesses maintain a dynamic security investment – one that will keep pace with the increasing levels of cyber threat. A reliance on today’s technology, for all the reasons outlined above, is simply not good enough. This need not always mean more spend but it must be the right spend. External security provision, a constant focus on reduction of attack surface when developing your systems, and a push for automation should reduce overheads over time.
The most pernicious state attacks can often have indiscriminate effect, striking networks far from the country or industry they are targeting. Criminal activity is becoming more sophisticated and can have devastating effects. Your business’s security posture and preparation will determine the outcome.
Note the contrast between the companies that recovered best and quickest from the June 2017 Russian NotPetya attack and those still suffering to this day. The winners were those who had been doing work to improve their architecture and preparedness prior to the attack, and who had good situational awareness and understanding.
Private sector ‘Self Reliance’ is not each company acting alone. The ever-changing nature of attacks, the myriad reasons behind them, and the sheer speed at which technology changes, not to mention ever-present budgetary pressures, mean that to establish and maintain the optimum level of cyber security, companies will always require specialist advice.