Cyber-attacks are happening with alarming regularity, with two thirds of large businesses in the UK reporting a breach in the past year alone. And, with the digital warfare heating up, it seems there are no limits to the creativity of cyber criminals, with threats to organizations’ security becoming ever more sophisticated. With just a third of all firms having a formal written cyber security policy in place, however, it seems many are at a loss as to where to start with protecting their most critical assets and IP. Here, I explore the different types of cyber incidents threatening UK organizations today, as well as some of the challenges involved in addressing each of these risks.
An organization can put as many security policies in place as it feels necessary, but if its employees haven’t got the basics right, it’s the equivalent of leaving your house with your front door locked and your windows wide open. The weakest link within a business is often its workforce – staff leaving their password written under their keyboard for instance, or making their login details too simple. Business leaders must put processes in place – such as training programs and cyber drills designed to test individuals’ susceptibility to attacks like phishing emails – to mitigate against these risks.
Exploit kits are increasingly being sold on the dark web, making it easier for low-level criminals to purchase tools unnoticed relatively cheaply. Often, without an agenda, these individuals are simply looking to test the boundaries of what they can do. The 17-year old teenager responsible for hacking TalkTalk in 2015, for instance, admitted he 'didn’t really think of the consequences at the time [and] was just showing off to [his] mates.'
Organized criminal gangs
The past few years have seen the emergence of several cybercriminal groups, such as extortion gang, DD4BC. These groups are using Distributed Denial-of-service (DDoS) attacks (when traffic from multiple sources floods the bandwidth of a targeted system to disrupt service) or at least the threat of DDoS, to extort money from businesses. Others still are using DDoS to distract organizations from the real target area for attack.
With political motives, hacktivists, such as New World Hackers, often use cyber tactics to bring down the reputation of a Government department or business. Many of these groups are emerging in Eastern Europe, and with limited territorial agreements in place with these countries, the UK Government is struggling to mitigate against these threats.
When terrorists’ agenda isn’t to steal data, money or IP, but to cause mass destruction, how can organizations (for instance, transport networks and government offices) mitigate against this risk? Terrorist organizations are increasingly adding digital warfare to their arsenal, with Head of MI6, Alex Younger, recently admitting cyber attacks from hostile states pose a 'fundamental threat' to European democracies, including the UK.
Protecting your organization against these threats
While the current level of threat to organizations may seem daunting at first, there are a number of processes that can be put in place to batten down the hatches. Firstly, secure senior level buy-in for IT security solutions. This can be difficult when many boards and senior stakeholders take the view that they haven’t experienced a breach yet and so it’s unlikely to happen to them.
Secondly, look to hire IT security professionals with the aptitude and enthusiasm to learn the skills that will be needed to protect organizations two to three years from now. Cyber security expertise is in short supply and it’s, therefore, less about the technical skills on their CV and more about the soft skills they demonstrate – a willingness to learn and experiment with new technologies for example – and an ability to communicate the benefits of these solutions to senior level executives.
Cyber security shouldn’t be the sole responsibility of the IT department, however. Every individual employed by the organization must be continuously up-skilled to ensure they’re thinking about the importance of cyber security on a daily basis. Conduct regular training exercises and drills, such as fake phishing emails, to test employees’ level of awareness of the risks at hand.
As the threat of cyber crime intensifies, it’s not a case of ‘if’ but ‘when’ hackers will strike. However, by adopting these types of approaches, organizations will strengthen their defense and ensure they don’t become the next security breach headline.