Criminal cyber-attacks against UK firms continue to increase, according to a report from the National Cyber Security Centre (NCSC), which shows a rise in 2017/18. The report highlights ransomware, fake news, data breaches and weaknesses in the supply chain as key threats to UK businesses, and identifies ‘crypto-jacking’, theft from cloud storage and the ‘internet of things’ as emerging threats. Experts from Bindmans LLP, Cooley (UK) LLP, and the Institute of Chartered Accountants in England and Wales (ICAEW) point to ‘building a cyber-culture’ by changing business and individual attitudes to the threat of cybercrime.
The Cyber Threat to UK Business Industry 2017-18 report was written in collaboration with the National Crime Agency (NCA) and highlights ‘the enormous scale’ of several serious cyber-hacks, such as the 2013 Yahoo breach, 2016 Uber breach and 2017 Equifax breach, as demonstrations of how large a threat cybercrime is to businesses.
The report identifies several key factors which contribute to the growing cyber-threat, such as:
businesses under-reporting cybercrime, which leads to evidence and intelligence not being collected
‘[t]he internet of things and its associated threats will continue to grow and the race between hackers’ and defenders’ capabilities will increase in pace and intensity’
as more businesses move their data onto the cloud, it will ‘become a tempting target for a range of cyber criminals’, who will ‘take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored. This could lead to high profile breaches involving UK citizen information’
service providers and software need to be effectively managed as ‘[a]ttackers will target the most vulnerable part of a supply chain to reach their intended victim’
crypto-jacking, which a Check Point report found affected 55% of businesses globally in December 2017
the increase and influence of fake news, where ‘the distinction between nation states and cyber criminals has blurred’, making tackling the issue ‘more difficult’
Donald Toon, director of economic and cybercrime at the NCA, said ‘UK business faces a cyber threat which is growing in scale and complexity. Organisations which don’t take cybersecurity extremely seriously in the next year are risking serious financial and reputational consequences’.
Lack of awareness and ‘blurred’ lines
Mark Deem, partner and commercial litigator with experience in regulatory matters at Cooley (UK) LLP, says that the increase in criminal cyber-attacks ‘should come as little surprise to anyone’.
Referring in particular to the ‘particularly newsworthy WannaCry, Petya and NotPetya ransomware attacks’ in 2017, Deem states that ‘[a]ll the evidence […] seems to suggest that the relevance, immediacy and potentially devastating impact of any threat vector is not fully appreciated by individuals and businesses alike’.
A lack of awareness of the risks is also a ‘persistent concern’ for Jessica Skinns, associate in crime, fraud and regulatory at Bindmans LLP, who highlights inconsistent ‘underreporting’ of attacks and the impact of this on ‘intelligence gathering, damage limitation, detection and ultimately prosecution’.
Skinns notes the launch of an Action Fraud ‘24/7 cyber-attack reporting service’ in December 2017 as an important move to combat the issue of underreporting.
A more difficult problem to solve, Skinns highlights, is the ‘pressing concern’ of fake news and ‘the extent of state sponsored involvement in cyber attacks’. She observes that ‘[o]f state sponsored cyber attacks, the report says that it is getting increasingly difficult to distinguish state sponsored attacks from other attacks’, but adds that the report ‘touches on fake news but confines itself to its impact on business’.
Richard Anning, head of the IT faculty at the ICAEW, also emphasises the importance of businesses ‘improving their cyber defences’ to remain ahead of cyber criminals, pointing to ‘more business transacted online’ and ‘a growing dependence on the use of technology in running businesses’.
In our research at ICAEW, we see businesses doing well at improving their cyber defences – but cyber criminals finding newer ways of breaching defences, including using new technology such as AI to streamline attacks – leading to a growing capability gap between businesses and cyber criminals.
Added security and a cyber-aware culture
Security measures, Deem argues, are increasingly crucial to the safety of data:
The latest report from the NCSC […] serves as a salutary reminder of the ever-increasing importance of implementing adequate security measures within an extended organisation (employees, customers and suppliers) to ensure that all data is held securely and is accessible only in permitted circumstances. Crucially these measures, which need to be monitored and policed, should be hardwired into the contractual framework of an enterprise and up and down the supply chains in which many businesses operate.
Anning notes that ‘“[d]oing the basics” such as patch management and controlling system access can provide easy wins against attack’ and welcomes the introduction of the General Data Protection Regulation (GDPR) which will introduce ‘large fines’ to ‘raise this up the board agenda’.
Deem also looks forward to the implementation of GDPR as it will mean that ‘ignoring the responsibility to meet the challenges posed by all threat actors should no longer be a risk that any business should entertain’.
Anning concludes by bringing the focus back onto individual and business mentality, saying, ‘do not underestimate the impact of people, who are one of the strongest lines of defence (as well as one of the weakest). Building a cyber-culture in the organisation, led from the top, will help improve overall cyber resilience and reduce corporate risk’.
This article was first published on LexisNexis.