So 'cyber' has come of age. In fact the term has been so overused that most of us either switch off when a headline containing the word appears, or tune in for another entertaining story of espionage that could never possibly happen to our company. In recent months the tables have turned with revelations that it is not only criminal gangs and hostile nation states that spy on electronic communications, but our very own government, using the US-based PRISM programme.
Whilst that is a subject that needs debating, it detracts dangerously from the real threat to UK business. According to Jonathan Evans (Director General of MI5), UK firms are under 'astonishing' levels of attack from hostile nation states and criminals. This has not changed just because the terms 'cyber' and 'advanced persistent threat' have been overused. Complacency now means betting the future of the company on obscurity, which no longer offers the protection it used to.
We have known for over a decade that the internet is not the friendly place it once was, so we use firewalls and virus checkers and don't reply to emails from 'Nigerian princes' ('419' scams). Although individuals are still occasionally caught out, virus infections are not a board-level issue, and so information security has slipped off the strategic agenda. If that is the case, why are companies increasingly caught out by cyber attacks, losing large amounts of proprietary and personal data and, in some cases, going out of business soon after?
Some history is important to understand the shift in focus of online attacks, and therefore the evolution of electronic threats to UK businesses. The first phase of malware consisted of simple viruses written to show off the capabilities of the author. They were often pranks or technical demonstrations, messing around with graphics or opening the CD drive to annoy the user, rather than attempts to commit crime.
These did not affect business, as they appeared before computers and the internet were central to operations. The next important phase (still very much present) consists of more damaging malware. Viruses, worms and trojans install software on computers to, for example, redirect users' search queries, log keystrokes, or encrypt data and hold it to ransom.
The important common factor is that these types of malware (plus 419-style scams) are rarely targeted at a specific person. It is these types of electronic attack that UK businesses are generally geared up to protect against, using the aforementioned technical measures and user training.
A disturbing trend that has been brought to our attention in the last five years or so (but which has been under way for far longer) is the move from a scatter-gun approach to highly targeted attacks aimed at stealing a particular type or set of data. Another shift is the increasing use of technical vulnerabilities as just one component of a larger attack that also includes social engineering and, in rare cases, espionage.
This goes to the heart of the problem presented by cyber threats. The targeted nature of the new attacks (often aimed at a single person in an organisation) means that technology can only be one part of the response. Although products have come on in leaps and bounds (unified threat management (UTM) firewalls and identity management solutions, for instance), the threat is not being taken seriously, and appropriate responses, including user awareness programmes, are still not being implemented by the majority of companies.
Current strategic threats to UK businesses fall broadly into two camps:
- State or state-sponsored attackers (and the companies that benefit from the stolen information). These groups are after intellectual property, either developed by your business or by another business in your network. Their attacks tend to be social engineering-heavy, with the aim of infiltrating the organisation and extracting data over a long period of time. This is a textbook advanced persistent threat (APT) style actor.
- Criminal gangs. These groups are out to make money. Their attacks tend to be more technical in nature and much more about a quick break-in followed by a large-scale theft of personal data. These are often publicised, for instance the theft of around 80 million user details from Sony in April this year.
A compounding issue is that few knowledgeable people in the industry are willing to share their expertise (particularly on APT tactics), so those who have not had direct exposure are unable to learn before bad things happen.
The current state of affairs, as I see it, is that businesses are trying to counter new, strategically important attacks with decade-old knowledge and technology. Nor is there any longer security through obscurity or through company size (the assumption that large companies have better protection). The targeted nature of an attack means that where a large corporate or government entity is difficult to breach, its contractors are identified and the information is extracted from them instead.
On the other hand, criminals are now more willing to tackle multinational corporations holding databases of tens of millions of personal data records. These might previously have been seen as too difficult, or not worth the trouble. The speed of action, reach and anonymity offered by the internet has changed this.
I believe that the coming year will only bring an increasing intensity of targeted threats, and that virtually no company can consider itself safe. So where does this leave C-level company officers in the UK? It is important to understand that although foreign states and mafia-style gangs did not feature on your risk register before, they are likely to be relevant now. If sole traders and micro businesses can become targets for APT actors (yes, really!), then is the intellectual property in your 50 or 500 person company safe?
I believe that the key challenge in the coming year is simply becoming aware of these new threats to your business. The change in culture needed for all staff to take the word 'cyber' seriously and to take ownership of information security themselves can only happen from the top down. After all, if you are able to connect your shiny new personal tablet to the corporate network, then why can't they? Another important aspect is gaining an understanding of the value of the assets you hold (whether your company or another stakeholder created them).
This must be assessed on the basis of what they are worth to your adversaries, rather than on an internal valuation. Something to think about: if your staff are putting together a bid document for a project worth £10 million to you, then surely that document is worth just under £10 million to your competitor? I am not suggesting spending that much on information security, but in this age of highly proactive threat actors, the cost of staff cyber awareness training plus updated hardware and software looks far more reasonable.