THE CYBER THREAT IS SERIOUS AND GROWING. NO COMPANY CAN AFFORD TO IGNORE IT. CLIFFORD STYLE CAN HELP
We all know that the cyber threat is nowadays a fact of life: something to take seriously in private spheres and in business.
But – QUESTIONS – do we fully understand it; do we keep up-to-date; do we know how to protect ourselves; do we – amongst all the other priorities – give enough time to the subject? Change, uncertainty and overload all offer opportunity to cyber operators.
Cyber is of concern at every level from the micro personal hack to the international strategic.
First the international strategic picture.
We – in Britain and the ‘western world’ more widely – need to pay attention to a new global bi-polarity. Coincident with Xi Jinping’s open-ended ascent to the Chinese Presidency came the rapid development of an alternative world view and a determination to challenge western norms.
The famous semi-mysterious ‘document 9’ published around President Xi’s arrival in 2012 supposedly outlines seven dangerous western ‘values’ including judicial independence, democracy, media freedom, universal (‘enlightenment’) values and civil society.
This great ‘eastern’ nation now espouses an idea of ‘authoritarian capitalism’; the government seeks access to everything under a ‘foreign investment’ law. It possesses formidable cyber capabilities including technology enabling intellectual property theft and cyber espionage in areas such as pharmaceuticals.
Over 100 other countries can deploy cyber capabilities. Wherever they may have come from, there have been famous recent hacks including WannaCry via ransomwear which reputedly cost the NHS around £90m in 2018. Many others may have been struck by attacks which they have not publicised for obvious commercial reasons.
Then, as we all know, there is increasing manipulation of public opinion, and thus – it might even be said – an insidious blurring of truth and fiction.
The cyber space is – simply – ungoverned space. We can hope that increasingly well organised public and private countermeasures may protect us; but there exists no magic wand which governments and security agencies can wave in this field.
Artificial intelligence and associated surveillance of everything is gaining ground very rapidly: it often cannot be countered pre-emptively. This raises social as well as organisational challenges: a blurred or obliterated line between fact and fiction, loss of trust, loss of sovereignty, loss of (the right to) privacy, blurring standards of journalism and the like.
So what can and should individual companies do about this new reality?
There is a level of cyber sophistication in the threat to all companies (as well as other institutions, organs of government, academic establishments and the like) that can only to be realistically countered by government or similar agencies. Even so, there is much that companies need to do to protect themselves; some are surprisingly simple.
It is now essential to have a structured approach.
Though the technicalities can be daunting, there is in essence nothing revolutionary about the approach: assess the risk, consider the wider context, prioritise vulnerabilities, resource counter-measures, and spread the word internally (often the least well achieved). An approach may seek:
- Policies to manage the risk. This means appropriate processes, disciplines, and understanding of the nature of risks in particular spheres (including in supply chains of which more below).
- Protection. This means appropriate measures to protect information systems and networks. Know what is critical; prioritise it.
- Cyber security monitoring. Dependent on scale of business and sector, this may involve technical systems and/or procedures to spot cyber events quickly enough to offset or minimise their impact.
- Minimisation of the impact of cyber events. This involves recovery and protection planning, and an efficient ‘lessons- learned’ process. There is an analogy here to the aviation world which – owing to the safety imperative – more widely fosters an open culture of ‘owning up’ for the benefit of others. For several reasons the personal or corporate instinct might drive behaviour in the opposite direction.
Supply Chains
The so-called ‘big hack’ in October 2018 was based on a small chip and reached almost 30 US companies including Amazon and Apple by compromising the US technology supply chain. There is no such thing in the commercial world as a corporate data-island. By definition therefore cyber threats and countermeasures must be considered in this context.Clifford Style emphasise supply chains from a number of angles: these include the opportunities for innovation and improved collaboration in uncertain times. To these must be added countering the cyber threat. Every email, phone call, invoice, exchange of data, logistic operation, product description, or form of technical cooperation in or around a supply chain opens vulnerabilities. The answer is not to close these activities down; the future depends on agile and imaginative collaboration within supply chains. It does however mean informing ourselves within our supply chains and establishing cyber counter-measures.
‘Every day’ cyber crimes
According to the NCSC latest Annual Review, 19000 cyber crimes are committed against small businesses every day. We are 35 times more likely to be subject to cyber crime than burglary.
The most likely forms of attack are:
- direct attack/password crack
- ‘DDoS’ – distributed denial-of-service
- phishing – malware, invoice redirects, bitcoin, fraud
- website compromise – (cf British airways £183M)
- crypto locker – WannaCry etc
- website/cross-site scripting/SQL injection (database destruction)/password theft.
We should also not forget the insider threat. A UK supermarket chain is currently subject to a class legal action against a data breach instigated by a disaffected employee. How can companies guard against this?
The opportunities for phishing – often basic in execution (via emails and phone calls for example) – are limited only by the imagination of those who perpetrate these scams, just as they are in the private sphere in cases of the exploitation of trusting older people. And by no means only older people fall into this bracket.
The National Cyber Security Centre provides increasingly relevant and user-friendly advice which covers such essential (and sometimes quite basic) subjects as:
- Data backup
- Smartphones and Tablets
- Malware Damage
- Avoid phising
- Passwords
It provides a Board Toolkit, and advice about how companies can set up exercises to test procedures and resilience under the heading ‘Exercise in a box’.
Finally – in this short overview of a major corporate challenge – no company can any longer afford to be without the right sort of insurance against the consequences of cyber attack.
Clifford Style offer focused, informed advice and support to companies who do not have the capacity to address these issues individually. It draws on specialist assistance where this may be necessary. CALL US.
Charles Style December 17th 2019