London’s top attractions, including museums such as the Imperial War Museum, have been 'attacked' millions of times. Kew Gardens suffered the most attacks, with 86 million recorded security incidents in the last financial year, according to a report from think tank Parliament Street. But SC readers (see end of story) questioned the use of such volume stats and described referring to such data as attacks as 'sensationalising'.
The data came from a Freedom of Information (FOI) request showing that spyware was the most common attack followed by information leak attempts on Kew.
In 2017/18 successful breaches were reported to include hacking of one of Kew’s servers, and in the previous financial year, an email account was breached by hackers.
In response to SC Media UK’s further enquiries, a Kew spokesperson commented: "With respect to the 438 percent increase in attacks across the two years in question, this is due to the fact that the firewalls were installed mid-year (2016/17) and we were not able to capture a full year’s data."
They also noted that according to insurance company Hiscox, the total number of attempted attacks ranged from 900 to 359,000 per day, averaging 65,000, adding: "For reference, Kew’s average number of attempted attacks per day is approximately 235,600 – which it pointed out, falls well within the Hiscox average range for SMEs of our size."
In an official statement to SC, a Kew spokesperson said: "RBG Kew can confirm that we have observed a rise in the number of cyber-hack attempts in the past two years but that these attempts were successfully blocked by our firewalls and perimeter defences, as should be the case. Security remains one of our primary concerns and this reflects the reality of today’s challenging cyber-landscape".
The Imperial War Museum (IWM) had received more than 10 million cyber-security incidents in the last three financial years; eight were successful ransomware attacks on its systems. IWM said, "The vast majority of what has been classified by Parliament Street as cyber-attacks are malware and email attacks, particularly attempted spam and viruses. IWM experienced no data breaches as a result of any of these attempted attacks".
In regards to the eight successful ransomware attacks, IWM said, "Our security devices and systems gave us an early indication that a machine was infected. We have a process to deal with these issues involving isolating the machines, totally reformatting and then reimaging with a new operating system. The situations were resolved quickly and with no data loss." It also added that, "We are a Cyber Essentials-compliant organisation".
Sarb Sembhi, CTO and CISO at Virtually Informed commented to SC Media UK: "Every small business is attacked multiple times every day depending on its visibility and attack surface. However, London attractions will have multiple attacks because, in some respects they are considered to be a great prize for those who succeed".
"The likely success of an attack on an organisation, may not depend on anything to do with the level of security spending or the quality of the user awareness programme, it could be through something as simple as someone installing an unauthorised IoT device on the network, or opening an email, or visiting a well-known website.
"You have to put in a risk-based balance of controls (preventative, detection, response and recover). With the right controls most low to medium level attacks will fail, regardless of the volume. But with highly targeted attacks, the attackers rely on just one of the few to work that rely on human intervention – ie a user going about normal every day business," Sembhi added.
Jake Moore, cyber security specialist at ESET has commented: "Hackers may assume that popular tourist attractions will have weaker cyber-security, with less money spent on keeping their data safe than other institutions such as banks or large technology businesses.
"The tourism industry hosts a huge amount of personally identifiable information, and if there is potentially less security, it makes for a highly profitable target for criminal gangs to penetrate".
SC Media UK readers on LinkedIn questioned the value of this volume measure of 'attacks' as a meaningful statistic, emphasising that it was more useful to know the nature of successful intrusions rather than the 'whirring of the machine', with Nic Miller describing such stats as of no value:
Nic Miller ('Providing cyber security advice for startups and small businesses')
Instead of a volume based approach, focus on sophistication.
Don't share the 86 million IDS Events. Share the example of the copy of your website someone made to lure clients/staff to a fake login page to steal their credentials.
Don't share the number of emails blocked by your gateway. Share the targeted phishing email that spoofed your domain with an extra letter, pretending to be the IT team sending out instructions to users. Or the emails with the excel attachment that would have launched ransomware across your entire enterprise.
Don't share the number of users who clicked on phishing links. Share the number of users who reported the phishing emails, allowing you to react quickly and keep all recipients safe.
And if you're sitting there thinking, 'I don't have examples of those' then fine. Consider what confidence you have in your detection but overall just 1 of the above succeeding is probably far more damaging than all of those 86 million IDS Events combined.
As an industry we really need a better definition of "attack" and stop using what I'm guessing are 86 million IDS Events.
Simon Legg (Group Chief Information Security Officer (CISO) at JLT Group)
Amen Nic Miller, so many in our industry are guilty of sensationalising the whirring of the machine ... it's impossible to tell the time by looking at the cogs spinning. The funny thing is I've seen many board packs where this volume approach to data gives people a false sense of security.
Damon Greber (Head of Risk Advisory Services at BDO and also Trustee at both Brook Jersey and Maison des Landes Hotel for the disabled)
I couldn’t agree more Nic. Board reporting and understanding of Cyber Security, and Data Protection for that matter, remains an issue unfortunately.