The cyber threat to UK business 2017-2018 report jointly launched this week by the National Cyber Security Centre (NCSC) and the National Crime Agency(NCA) highlights the extent of the threats faced by the UK - 34 significant cyber-attacks in the 15 months to the end of 2017( ie attacks that typically require a cross-government response) - and how the threat continues to grow.
Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), notes in his foreword how: “Much of the impact on businesses is caused by cyber-crime, but all nefarious cyber-activity can be as damaging….Wannacry and NotPetya,... costs ... ran into hundreds of thousands of pounds.”
Donald Toon director, prosperity, National Crime Agency (NCA) in his accompanying foreword agreed, describing how cyber-crime growth has continued this year, as well as calling for early reporting of cyber-attacks as, “essential to mitigating the impact of an attack.” He noted that Action Fraud, the National Fraud and Cyber Crime reporting centre for the UK, has launched a 24/7 live cyber-attack reporting service which works in tandem with the NCA and other parts of government, “to ensure that we are able to prioritise cases, protect victims and find those responsible.” Action Fraud and the National Fraud Intelligence Bureau (FNIB) run a 24/7 hotline on 0300 123 2040 for businesses to report live cyber-attacks and victims are advised to keep a timeline of events and save any information that is relevant to the attack.
Last year was one of sustained ransomware attacks and massive data breaches, supply chain threats and fake news stories. We also saw the distinction between nation states and cyber-criminals increasingly blur, making attribution all the more difficult.
Supply chain compromises of managed service providers and legitimate software (such as MeDoc and CCleaner) were another feature as attackers will target the most vulnerable part of a supply chain to reach their intended victim. Costs include the attack itself, remediation and repairing reputational damage by regaining public trust. Attacks have triggered share prices falls and the sacking of senior and technical staff, and soon we can anticipate heavy fines under GDPR following breaches. Meanwhile the Internet of Things and its associated threats continue to grow.
In addition to the 34 significant cyber-attacks (including WannaCry) recorded by the NCSC Between October 2016 and the end of 2017, 762 less serious incidents (typically confined to single organisations) were also recorded.
There has been substantial growth in cryptojacking - where an individual's computer processing power is used to mine cryptocurrency without the user's consent - and increased use of cloud technology to store sensitive information makes it a target, putting UK citizens' information at risk.
Basic cyber security measures such as those in the 10 Steps to Cyber Security , Cyber Essentials or the NCSC's Small Business Guide could prevent or at least mitigate many of these attacks.
Reference is also made to a mid-2017 report by Cisco saying that cyber-criminals stole US$ 5.3 billion (£3.7 billion) using BEC fraud (Business Email Compromise) during the last three years, compared to US$ 1 billion (£700 million) from ransomware. Industry experts project that global losses from BEC scams will exceed US$ 9 billion (£6.4 billion) in 2018.
Industry commentators were generally supportive of the NCSC's actions. However, Etienne Greeff, CTO and co-founder of SecureData homed in on the supply chain issue and commented in an email to SC Media UK: “The NCSC is doing a sterling job at highlighting and raising the profile of cyber-security in the UK, but why haven't we had an advisory such as this earlier? Some companies may be under more pressure than others, and perhaps they needed to know first, but given the complex interdependencies in any supply chain, nobody should not be considering any one company at more risk than another.
“As NotPetya demonstrated so vividly, supply chain attacks are not theoretical; they are real and can be devastating. NotPetya started when the accounting software supplier used by Maersk, WPP & DLA Piper was hacked leading to them being compromised through no fault of their own.
“In a world where threat vectors are changing constantly and becoming more and more potent by the day, all companies are at risk, including those that are obviously in a CNI supply chain, but also those that arguably to an outsider may not be. Given that the NCSC stated in January that a major breach, or Category 1, incident is now expected not just hypothesised, this advisory should have come out far sooner rather than later. This only highlights a desperate need for industry and government to no longer be so hush hush about cyber-attacks coming from external, hostile actors.”
The supply chain issue was also raised by David Kennerley, director of threat research at Webroot who noted how it should come as no surprise that cyber-attacks against UK businesses are on the rise, as threat actors are only becoming more sophisticated, targeted and collaborative with their tactics. He added:“To effectively protect and mitigate cyber-attacks, business leaders must be aware of the vulnerabilities not only within their own environments, but in their supply chain as well. Organisations need to utilise a multi-layered approach with real-time threat intelligence to detect all types of emerging threats and stop attacks before they strike. While not forgetting the essential role of employee education within any organisation. Employee are often seen as the weakest link with regards to security, it's time to buck this trend, and instead utilise them as the first line of defence.”
Carl Leonard, Principal Security Analyst at Forcepoint also worries about the supply chain, noting: “As UK businesses migrate to the cloud, or have inadvertently done so through so-called Shadow IT, it is vitally important for businesses to assess the security capabilities of their application suppliers. With 68 percent of data breaches being caused by the accidental or malicious insider it has become a necessity to understand how a user interacts with data in the cloud. With GDPR enforcement just six weeks away UK businesses still have chance to identify their riskiest cloud instances, secure them and reduce the chance of a data breach,” adding that to do that, “...requires a strategy for insight and protection that has to account for the risks posed by users and the abuse of their credentials.”
Erik Westhovens, architect and evangelist Digital Workspace at Insight UK was concerned about combining tech introduction with training and observed: “... every organisation – both small and large – is vulnerable to an attack. …. data privacy is one of the top things customers value,[so] security should be top-of-mind for all UK businesses. [while] financial, and operational risks of cyber-attacks are now recognised, there's clearly still much to be done.
“...organisations should look beyond IT departments to establish good cyber-security awareness and practice across the organisation. Ensuring employees are more cyber-aware through effective training schemes will be one of the most cost effective ways to reduce the financial and reputational impact of human error. However, organisations should not neglect the importance of investing new technologies such as analytics or artificial intelligence.”
Joseph Carson, chief security scientist, Thycotic found the findings unsurprising and can expect to get far worse, noting: “Firstly the National Cyber Security Centre (NCSC) is getting better at measuring cyber-crime which was really only introduced a few years ago and this, in combination with the EU GDPR which requires organisations to report cyber-crime or face massive financial penalties, will only result in more companies reporting cyber-crime than previously.
“Of course the EU GDPR does not come into effect until May 25th 2018 but many organisations have been preparing for several years and the breach notification as well as incident response are major areas of investment and improvements for businesses. So basically by measuring cyber-crime and forcing companies to report it - will only have one direct result - an increase in cyber-crime statistics.
“Secondly the impact to this increase is a direct result from more connected devices such as the Internet of Things (IoT) with huge sales of voice assisted speakers, connected homes and fitness devices means more targets for cyber-criminals to attack. With more devices to target cyber-criminals will only see this as an opportunity.
“Lastly, the political situation with the UK and other countries like Russia who are currently under immense pressure and cyber-criminals from those countries will see this as an opportunity to simply get a safe haven and avoid any prosecution from their home country for performing cyber-attacks against oppressive nation states. Patriotic cyber-criminals in the current political landscape is only growing.
“Cyberattacks are crossing country borders and disrupting our way of life, without nation-states taking responsibility. Several companies and governments have linked these cyber-criminal groups to nation-states, though without revealing concrete evidence and those nation-states denying any involvement. Without clear cooperation and transparency, this will continue to grow as a major problem with a possibility of a full-on cyber war as retaliation.
“...governments and the private sector need to work together with full cooperation and transparency to ensure that cyber-attribution is possible and hold other nation states responsible for the actions of criminal organisations carrying out cyber-attacks from within their borders. It is important that governments do not provide a safe haven for cyber-criminals....”
Raj Samani, chief scientist and fellow at McAfee notes how the findings highlight how: “...all organisations need to understand that the data they hold and possible disruption to services makes them a hot target for cyber-criminals.
“The NCSC rightly highlights the importance of collaboration in underpinning the UK's response to cyber-attacks. One way to do this in in adopting threat intelligence sharing. In learning about the attacks that other similar organisations are facing, IT and security professionals can ensure that they are prepared to defend against the popular attacks of the day.”
David Emm, principal security researcher at Kaspersky Lab concurs, telling SC: “In today's world, no organisation, large or small, can afford to ignore online security. Whether you're a team operating out of an office, or an individual working from home, cyber-security is an issue that every business should prioritise. In light of the recent findings from the National Cyber Security Centre, it simply comes down to being prepared – and there are several steps that businesses should take to arm themselves against threats. Although businesses have no direct control over the growth of cybercrime, by taking simple steps to secure their internal systems, they can reduce their exposure to attack.”
Matt Walmsley, EMEA director at Vectra suggests we need a fundamental shift in our thinking “... as the prevalent bastion mindset is fundamentally flawed.,” saying that, “We need to quickly adopt a “I'm already compromised” mentality and put in place security capabilities that not only block known threats but that are smart enough to detect and respond in real-time to active threats that have defeated or bypassed defensive controls and gained access and persistence within the organisation. Only then do we have the chance to get ahead of the attacks before they become critical security incidents.”
He suggests that: “AI can automate the detection and isolation of potentially infected machines, before they can propagate the threat at machine speed around the corporate network,” before concluding that, “...we need the executive leadership and governance bodies of organisation to step up and recognise that security is a strategic organisational issue, not one simply of technology.”