2018 – The year that business got cyber?
Well, yes – and no. It was certainly a year not short of things happening. Here are my highlights:
- Major CPU architecture flaws were disclosed in most modern CPU families
- Facebook became ever more embroiled in the Cambridge Analytica scandal
- Both Facebook and Equifax were issued with the maximum penalty (£500,000) available under the old Data Protection Act 1998 by the ICO for data breaches, in very different circumstances
- The ICO successfully prosecuted an individual in the motor trade for logging into a computer system with a work colleague’s credentials, ending in the perpetrator serving a custodial sentence
- GDPR, the much-vaunted change to data protection law, came into force in May and was supplemented in UK law by the Data Protection Act 2018. The ICO has seen a large increase in the number of reported incidents since its introduction, driven by the mandatory breach notification requirement coming into effect
- The US House of Representatives' oversight committee issued a damning report about the 2017 Equifax breach, which involved the records of millions of UK citizens, concluding that it was entirely preventable
- Multiple countries including New Zealand have banned the use of Huawei equipment in 5G networks over security concerns
- With the likelihood of a no-deal Brexit increasing, UK organisations that process data about EU citizens (including data transferred to them from the EU) may need to appoint a representative in an EU member state in which they conduct business
So, these are the big news stories. But how do they apply to the average UK business, which is firmly in the SME category? Here are the key things I have taken away from the cyber world in 2018…
The basics matter
One of the continuing trends we see when customers come to us for help with cyber is that the basics are just not in place in *most* organisations.
From network shares and RDP exposed directly to the internet, to users with more access rights than they need and (almost unbelievably) business networks with no form of firewall at all. Yep, none. So common is that last one that I am no longer surprised when we come across it. What's worse, many of those organisations believe they have a 'firewall' in place. And the number of organisations in the SME space that don't do basic cyber awareness training, or believe they are of no interest to potential attackers? Once again, *most* of those who come to us for help.
Good password practices, two-factor authentication, keeping software up to date, making and securing backups, not exposing services to the internet, and having appropriate network security: these are the very basics to get right, and they will defend against a wide variety of opportunist attackers. For those organisations already on the road to cyber maturity, take a look at the next steps you should be considering. Cyber is all about continuous improvement; it is something you need to do every day for it to be effective.
Public awareness is on the rise
With GDPR now in full effect, supplemented by the Data Protection Act 2018, and users leaving Facebook in droves since the Cambridge Analytica scandal, general public awareness of data privacy and cyber-security is at an all-time high, and is set to increase as we move into 2019. Any organisation concerned about its reputation and the potential fines for non-compliance should take note. In particular, the ICO has recently fined a number of organisations for not paying the ICO data protection fee. Fine levels vary with the size of the organisation and can be up to £4,350.
Risk is not an IT issue, it’s a business issue
Back in February, I was speaking at an industry conference to around 200 organisations, and I posed a simple question: who is responsible for cyber in your organisation? 75% of respondents said this was either IT's or their IT provider's responsibility. Yet, despite the business disruption and additional cost a cyber incident can bring, cyber still isn't on the agenda of many organisations' senior management teams. Yes, there is a lot of responsibility on IT teams to ensure the correct systems, procedures and security configurations are in place, but it isn't the responsibility of IT to determine or sign off the risk appetite of the organisation, train staff in basic cyber awareness, arrange appropriate cyber insurance or drive the overall requirements for security. This needs to come from the top. Those organisations that have engaged us for board-level briefings and practical cyber work have been able to properly understand their requirements and communicate them to the business.
Most organisations know they should, or even need to, do something to start their cyber journey, but lack an understanding of where they are right now and where they should aim for in the context of their business. We have helped many organisations 'Get Fit' for cyber with our in-depth reviews and 'Cyber Test' services, covering governance and compliance, data protection, technical controls and detailed network scans for threat identification. We then produce a cyber roadmap and, where needed, help organisations implement the improvements.
Supply chains are risky
According to the Allianz Risk Barometer, business interruption, including supply chain interruption, was the top global risk in 2018. In the UK, cyber incidents were seen as the top risk, with business interruption (including suppliers) at number 3. So what happens if there is a cyber incident in your supply chain? High-profile names such as British Airways and Ticketmaster were hit by attacks to steal payment card details from their websites; in Ticketmaster's case the malicious code arrived through a third-party supplier's component rather than through the target directly.
We carry out a large number of supplier reviews, supplier management and due diligence activities for FCA-regulated organisations and for those wholly reliant on their supply chains for their business operations.
Email compromise and Phishing is the top cyber threat
According to Cofense, 92% of cyber-attacks start with some sort of phishing email. Why? It's the easiest way to get malware, or a link to a credential-harvesting page, past security defences and in front of a user, and crucially, it works.
From malware that copies itself around networks, to banking trojans that steal login credentials and card numbers, to more traditional ransomware, the number of organisations suffering from this type of attack has been on the rise. In the last six months we have seen a dramatic rise in the number of business email systems that have been compromised, either to intercept invoices and alter the bank account details on them or, more disturbingly, to launch attacks on other organisations. Email from a valid domain, even a compromised one, slips past spam filters far more easily. In the last week we have also seen a rise in legitimate cloud-based services being weaponised to capture login credentials and distribute malware-infected files. Many of these cloud platforms pass security checks by their nature, because they are 'trusted' sources. We recommend a range of measures to defend against your cloud systems being breached, and we can ensure that your organisation is operating all of the available and relevant security features.
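One thing that is cheap to check after an email account compromise (and worth checking regularly before one) is the inbox rules attackers leave behind to intercept invoices: forward matching mail to an outside address, then delete or hide it so the real user never notices. As an added illustration, not code from the article or from Optimising IT, the Python below scores mailbox audit events for exactly that tradecraft. The event format is a constructed, simplified JSON shape whose field names mirror the Exchange Online cmdlet parameters (New-InboxRule, Set-InboxRule, Set-Mailbox); the domain example.co.uk, the keyword list and every sample event are made up for the example.

```python
import json

# Assumption: the organisation's own mail domains (placeholder for the example).
INTERNAL_DOMAINS = {"example.co.uk"}

# Words attackers commonly match on when hunting for invoices to intercept.
FINANCE_WORDS = ("invoice", "payment", "remittance", "bank", "bacs")

# Folders attackers use to hide mail from the user without deleting it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive", "junk email"}

# Operations that create or change a rule or mailbox-level forward.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample audit events (one JSON object per line, simplified shape):
# a benign internal CC rule, two attacker-style rules, and a mailbox-level external forward.
SAMPLE_EVENTS = """
{"user": "alice@example.co.uk", "op": "New-InboxRule", "params": {"Name": "Team CC", "ForwardTo": ["bob@example.co.uk"]}}
{"user": "finance@example.co.uk", "op": "New-InboxRule", "params": {"Name": ".", "ForwardTo": ["acc0unts.payable@gmail.com"], "SubjectContainsWords": ["invoice", "payment"], "DeleteMessage": true}}
{"user": "dave@example.co.uk", "op": "Set-InboxRule", "params": {"Name": "cleanup", "SubjectContainsWords": ["remittance"], "MoveToFolder": "RSS Subscriptions", "MarkAsRead": true}}
{"user": "erin@example.co.uk", "op": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:erin.backup@outlook.com"}}
"""


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours ("smtp:" prefixes are tolerated)."""
    address = address.strip().lower()
    if address.startswith("smtp:"):
        address = address[len("smtp:"):]
    domain = address.rsplit("@", 1)[-1]
    return domain not in internal_domains


def assess_rule(params, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a rule looks like BEC tradecraft (empty list if nothing stands out)."""
    reasons = []

    # Any forward, redirect or mailbox-level forward to an address outside our domains.
    targets = list(params.get("ForwardTo", [])) + list(params.get("RedirectTo", []))
    if params.get("ForwardingSmtpAddress"):
        targets.append(params["ForwardingSmtpAddress"])
    if any(is_external(t, internal_domains) for t in targets):
        reasons.append("forwards mail to an external address")

    # Rule conditions that single out invoice / payment traffic.
    words = [w.lower() for w in params.get("SubjectContainsWords", []) + params.get("BodyContainsWords", [])]
    if any(fw in w for w in words for fw in FINANCE_WORDS):
        reasons.append("matches finance-related keywords")

    # Actions that stop the real owner from seeing the message.
    if params.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = str(params.get("MoveToFolder", "")).lower()
    if folder in HIDING_FOLDERS:
        reasons.append("hides messages in '%s'" % params["MoveToFolder"])

    # Attackers often give rules a near-empty name such as "." to avoid attention.
    if "Name" in params and params["Name"].strip(" .,-_") == "":
        reasons.append("near-empty rule name")

    return reasons


def find_suspicious_rules(raw_events, internal_domains=INTERNAL_DOMAINS):
    """Scan newline-delimited JSON events and return the rules that have at least one reason."""
    hits = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("op") not in RULE_OPS:
            continue
        reasons = assess_rule(event.get("params", {}), internal_domains)
        if reasons:
            hits.append({"user": event["user"], "op": event["op"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_EVENTS):
        print(hit["user"], hit["op"], "->", "; ".join(hit["reasons"]))
```

On the constructed sample the benign internal CC rule is left alone, while the other three events are reported, with the finance mailbox rule carrying all four indicators. In practice you would feed this the rule-related entries from your mail platform's audit log and review anything with an external target first, since that is the indicator that directly enables invoice fraud.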
What does 2019 have in store for us?
So, all in all, a very busy year in 2018. What does 2019 have in store for us? Predictions are difficult, but after reading the Forbes 2019 predictions for cyber, a few key areas stand out for the average SME:
- The scarcity and cost of a dedicated, skilled and experienced cyber-security professional put one beyond the reach of the average SME. To that end, SMEs will turn to their IT teams and IT providers for help in this area. Challengingly, as the majority of IT providers focus on functionality, the requirement for specialist security providers, or MSSPs, will increase. Many organisations will resist this approach, as managing multiple suppliers is challenging. In response, a new breed of hybrid cyber and IT providers will come to the fore, combining traditional and cloud-focused IT skills with pure cyber capability to offer the SME space a credible alternative.
- Phishing and the weaponisation of cloud platforms and on-premise systems will continue, with compromised organisations being used to attack other organisations without knowing it.
- The risk of a no-deal Brexit could have a major impact on organisations that move large quantities of data in and out of the EU27.
- In 2018, 6% of businesses that suffered a breach also suffered permanent data loss, according to the ONS. It makes for sobering reading, and is set to increase in 2019.
Are you confident that your business takes the right steps to avoid becoming yet another statistic, or is the first step for you in 2019 to understand where you are currently? Our InfoSec experts are available to offer pragmatic advice and partner with you to become more cyber-security mature.
Author: Todd Gifford, Certified Information Systems Security Professional (CISSP), Head of Consultancy at Optimising IT.