
WHAT DOES THE THREAT LANDSCAPE LOOK LIKE FOR BUSINESSES?

While we need to move on from, and stop talking about, the pandemic, it did release a cacophony of challenges that business leaders are still grappling with today. One of these was an increase in cyber security threats as more people worked from home.

Leaders will remember the rush to buy laptops and equipment from PC World as employees were mandated to work from home. The point is that the threat landscape altered, because IT teams had less control over what employees were clicking on and responding to.

Chris Lennon is a cyber security commentator and Director - Sales and Development at Specialist Risk Group.

Looking back, he says: “Many firms just didn’t have the IT capabilities but have broadly now responded to agile working. As you would expect, threat actors tried to exploit this flux. However, there weren’t new types of attacks but there was an increase in the frequency of phishing and smishing attacks, which are text messages saying your delivery hasn’t arrived and you need to click a link, for example.

“The vogue now for these types of threats is around energy pricing and in a moment of weakness, you can see how somebody would click on the link.”

WHAT SHOULD BUSINESSES BE AWARE OF?

Lennon says that no sector or business is immune from attack: critical infrastructure is a key target for cyber criminals, but every business, from every walk of life, could be attacked.

“It’s not only a technology issue and you can’t just throw hardware at the problem because it is a people issue. You can spend all the money in the world on the best technology but if the people aren’t trained or if the tech is inflexible, this is where you will get issues,” he explains.

Knowing that the problem exists, many businesses just don’t seem to be gripping it sufficiently.

Paul Bentham, who is Chief Product Officer at Immersive Labs, says that the issue of cyber resilience is still not where it should be – at board and leadership level.

He says: “I agree that the solution to the problem is people, but it is still not sufficient at board level for too many businesses, and it needs to be. The connectivity of the world and business also means that many companies carry supply chain risks. Threat actors can get to what they want not by attacking the government or the big businesses but by compromising a smaller supplier that has the crown jewels of their personnel database.

“The message for small and scaling businesses is this. If you do business with big contractors, you must take cyber security seriously.”

Ryan Pullen, who is Head of Cyber Security at Stripe OLT, says another risk for businesses is employees. He explains: “People are now selling access to the company they work for to threat actors. It might be a disgruntled employee, for example, and there is no real silver bullet way of detecting that. They might not be getting a pay rise internally, and a threat actor will say to them, ‘I will give you £100k if you leave your laptop open when you finish work.’”

FROM THE NHS TO THE BUSINESS WORLD

To help our readers get a deeper understanding of the current cyber security threat landscape, Business Leader was also privileged to talk to Deryck Mitchelson, a self-proclaimed ‘veteran cyber warrior’ who previously worked as Chief Information Security Officer at the NHS.

Giving a top line analysis of the cyber security threat for businesses, he says: “It’s a perfect storm now and the new ways of working sparked change too quickly. Businesses prioritised remote working, but they didn’t prioritise the security around this. These are two different types of conversations.

“Many firms don’t have good cyber hygiene and they are playing catch-up. People think that because they have Microsoft 365, they will be protected, but this isn’t the case. When you have a cyber-attack, only 40% of firms can do a full restore.”

Mitchelson continues: “I have never known an organisation that hasn’t been able to find investment funding to get a response up and running on the back of a breach, so why don’t they invest to prevent it and save money? I still don’t think it gets the level of funding pre-attack because the conversation isn’t there at board level and the narrative needs to change.

“If you walked away with boxes of paperwork from the office, people would say something. But you can walk away with a pen drive these days, so that does make tackling it more difficult.”

Paul Croker, who set up and runs 18it, agrees with Mitchelson that it does all start with the people.

He says: “It does all come back to the people, when you talk about cyber resilience because we’re having tech conversations with non-technology people. The subject needs to have more buy-in from leadership teams and we need to ask the question – what is business management really interested in?”

SO, WHAT ABOUT REPUTATIONAL DAMAGE?

Businesses start listening when they understand the scale of reputational damage a cyber breach might cause.

Chris Lennon elaborates on the difference a good and a bad response can make: “You look at TalkTalk’s data breach and it resulted in £60m of shareholder value being lost. It wasn’t what happened but the PR response and how this was managed. They lost 650,000-odd records, whereas Carphone Warehouse lost 2.2 million records, but they didn’t have the interruption or negative press as they handled it better.

“Ultimately though, it is better to look at how you can stop it going wrong in the first place and mitigate reputational damage and loss of earnings going forward.”

On advice for businesses, Lennon also says: “Covering up rarely works. There are examples of businesses that have had breaches but fessed up and they have been open about what went wrong and their reputation was left intact. You need to have a process in place should it happen, and own up, talk to your customers, and manage the situation.”

Mitchelson adds: “The PR machine kicks in, doesn’t it? Companies try and play it down and say it was only a small attack, but it is not a small attack if you happened to be impacted. We need to move away from that world and to one where we share more because that is how you build trust.”

With employee retention such a big issue for businesses, Paul Croker says that businesses also need to think about staff welfare and what it might mean for an employee to be the one who causes a breach.

HOW SOPHISTICATED IS THE THREAT?

What may or may not surprise readers is how organised the cyber threat gangs are. Ryan Pullen explains: “The average cyber threat firm has 65 employees and small organisations simply don’t have the resources or financial ability to battle them.

“You can’t have a system where you say to an employee you have clicked on this, it went wrong and now you have to do some training, as that will seem like punishment. It needs to be more collaborative.”

Knowing what to do, and having a plan in place if something does go wrong, is important too, but many businesses won’t even have a reaction strategy in place.

Asked what a good process looks like, Ben Holt, who is a lawyer at VWV, comments: “Firstly, you obviously need to stop the problem and work out what has happened. When assessing what has gone wrong, don’t mark your own homework. Get somebody external to do this. This will likely be a cyber security advisor.

“You then need to think about your public response but remember that putting something in a press release could kill your business, so don’t rush in. The response can be worse than the attack, so make sure it is measured and accurate.

“If the breach is criminal, then do get in touch with Action Fraud. It can take a long time for them to deal with the problem but call them and get on the list. You also need to report it to the ICO, but what you say is important and don’t give too much information at the early stages and be careful with language. Call it a data incident, rather than a breach.”
