UK Businesses Face Growing Cyber Threats
A report by the National Cyber Security Centre claims that businesses face increasing threats from cyber criminals and state-sponsored hackers. The report highlights several key areas in which both individuals and businesses can defend themselves from attacks.
According to the report, British businesses face increasing threats from ransomware, data breaches and weaknesses in their supply chain. The NCSC also argues that firms are becoming too reliant on cloud-based storage and IoT systems, which ultimately leaves them at risk of attack.
With ever-increasing threats from both state-sponsored hackers and criminal enterprises, the need for stringent cybersecurity and education on the subject is an issue facing many British businesses going forward.
UK Business Under Increasing Threat
In January the NCSC released figures showing that 34 serious cyber-attacks took place between October 2016 and December 2017. A further 762 attacks occurred which were rated to be less serious. The report makes for grim reading as it goes on to predict that “2018 will bring more of these attacks”.
What the report does not do is differentiate between cyber attacks that were orchestrated by criminals and those which were state-sponsored.
The report acknowledges that distinguishing between state-sponsored and criminal cyber attacks is extremely difficult, leaving many in the dark as to who exactly is targeting British businesses and public infrastructure.
The NCSC report claims that “cyber crime is becoming more aggressive and confrontational, with an increase in the use of extortion, whether it is through DDoS attacks, ransomware or data extortion,” with ransomware still the most common form of cyber extortion. British public services have been rocked in the past 18 months by cyber extortion.
In a significant attack in early 2017, NHS services were seriously affected by the WannaCry ransomware attack, which resulted in numerous NHS appointments being cancelled and forced some staff to revert to pen and paper.
Is Your Mobile Safe?
The threat of mobile malware continues to grow in frequency and sophistication. Although the number of infected devices is very low, the risk is still there and should be acknowledged. Primarily, mobile phones can be used as an integral part of the attack chain of any hacker looking to target organisations or consumers.
Malicious apps, fake apps or SMS phishing are all very real threats when considering the security of mobile phones. Some apps specifically pester users with relentless ads or request elevated permissions. According to the report, malicious actors can then use these elevated permissions to install further malware such as key-loggers, which record your login credentials.
Cloud & IoT Vulnerabilities
The NCSC report highlighted the vulnerabilities that can occur through the increased use of IoT systems. The interconnection of simple things such as household appliances could leave people vulnerable to attack. However, the issue here lies with a basic lack of cybersecurity provisions and not in IoT itself. Ultimately the responsibility to stay secure falls on businesses and individuals.
The report states: “Many internet-connected devices sold to consumers lack basic cybersecurity provisions. With so many devices unsecured, vulnerabilities will continue to be exploited.”
In particular, businesses’ increasing reliance on cloud-based storage leaves them increasingly exposed to attack. The report says that cyber criminals will be able to exploit this because companies fail to stipulate how and where their data is stored. It warns that oversights such as this could lead to high-profile breaches involving UK citizen information.
How to Tackle the Threat
The under-reporting of cybercrimes is a major part of the problem, and the NCSC urges individuals and companies to come forward and report such incidents. Without a more transparent approach the problem will simply continue to snowball. At the moment there is no true understanding of the scale and cost of cyber attacks targeting the UK.
Action Fraud only received 1,073 cyber crime reports from businesses during 2016; however, these numbers do not reflect the reality of the problem. When businesses are unwilling to report attacks it only perpetuates the problem and leaves law enforcement in the dark.
Donald Toon, Director Prosperity of the National Crime Agency (NCA), highlights the necessity of cooperation between both law enforcement and industry in the UK as both look to fight back against cyber attacks. He said: “Successful law enforcement and industry collaboration doesn’t just enhance the UK community’s response to the cyber threat; it underpins it.”
Ciaran Martin, Chief Executive Officer at the NCSC, echoes this sentiment saying: “Cyber attacks will continue to evolve, which is why the public and private sectors must continue to work at pace to deliver real-world outcomes and ground-breaking innovation to reduce the threat to critical services and to deter would-be attackers.”
As well as the reporting of cyber incidents, the NCSC notes the necessity of comprehensive cyber education about the practice of good ‘cyber hygiene’. Not only will this act as a preventative measure, it will also help individuals and businesses to recognise and deal with situations as they arise. Here are the three main elements that need to be observed to maintain cyber hygiene.
- The promotion of existing cyber security advice, such as the use of strong and varied passwords by using the NCSC password guidance, available online.
- Where personal details are collected online, businesses are responsible for securely storing and processing them, using best practice encryption and other security technologies to minimise the impact of a successful attack.
- The signposting of Action Fraud on relevant company websites, to ensure customers know where to report cyber crime.
Failing to apply patches is one of the most basic and common cybersecurity mistakes. The report cites the 2014 Heartbleed attack as a prime example of how businesses and organisations are failing to take this simple defensive measure and are leaving themselves open to attack. A recent report from Shodan revealed that there are still over 200,000 vulnerable websites scattered around the web.
Last month at Digit’s ScotSecure conference in Edinburgh, Ed Tucker, CIO of DP Governance, highlighted the critical need for getting the basics right, saying: “Getting all the basics wrong leaves us wide open and we end up chasing false positives. Attacks don’t need to be sophisticated to target poorly defended businesses.”
For businesses, the first step must be to establish basic defence and security procedures. Although attacks are becoming increasingly sophisticated, the NCSC report identifies basic mistakes as a primary cause of security breaches.
Lessons from ScotSecure 2018
The suggestions for cyber resilience found in the NCSC report echo what attendees at ScotSecure 2018 heard on March 28th.
Basic cyber security, increased education and maintaining vigilance are all key factors in staying secure both at home and at work.
DI Nicola Burnett highlighted the subject of ‘cyber hygiene’ in her presentation and encouraged greater transparency on the issues that face law enforcement when dealing with cyber crime. By encouraging good cyber hygiene, educating the public about being safe online and collaborating to share data, the police will be able to form effective digital strategies.
Both Ed Tucker and Federico Charosky – Managing Director at Quorum Cyber – also highlighted the need for basic security systems and promoting a culture of vigilance in the workplace, with the latter saying: “Just enough security is good enough, it has to be tailored to what is relevant to your needs as a business.”