The global threat from cyber crime to both corporate and individual security is growing; our security requires a response from everyone who uses the worldwide web.
An unprecedented threat
We have seen a change in the security posture across the globe over the last two and a half years, unprecedented in our working lifetime. Whilst I in no way belittle the physical threat the world faces, the cyber threat to a ubiquitous digital landscape affects everybody who touches the internet, ranging in scale from deadly to stressful, financial and reputational.
The facilitating factors are well known to us all: a global pandemic is a pretty powerful vector particularly when it has generated action by governments, not previously seen in peacetime, and certainly never previously supported and/or exacerbated by social media.
Our sudden fascination with global statistics and PPE supplies, whilst being locked down without colleagues to talk with and without any of the restraints usually incorporated in a workplace network, made everyone so much more susceptible to the bogus email.
Our reliance on video meetings – although we and the providers adapted very quickly – and the fact that many of us were now connected to the internet in some form (smartphones, generally) from the morning’s alarm to long after “lights out” gave criminals and organised crime groups hours more opportunity to sow their seeds.
Powerful cyber nations
According to the Belfer Centre for Science and International Affairs at Harvard’s Kennedy School, the ten most powerful cyber nations are, in order: the United States, China, United Kingdom, Russia, the Netherlands, France, Germany, Canada, Japan, Australia.
This is good news for UK business. It indicates that, as ever, GCHQ and NCSC do an outstanding job of keeping us safe, not only through surveillance of domestic and international threats, but also in terms of controlling the information environment, enhancing domestic industry growth and defining international cyber norms and technical standards.
But this reflects technical capability, and it is now true to say that the huge majority of boards view cyber security related risk as a business risk. So whatever is happening on the cyber landscape, it is incumbent on business to shift the emphasis away from mere awareness and technical responses and establish and develop a cyber risk aware culture, utilising social sciences and behavioural economics to improve that culture and influence behaviour.
Cyber crime is no respecter of borders
Of course, the difficulty has always been that cyber protection, responses, capacity building etc. are tackled at a national level. The beauty for the cyber criminal is that the information highway has no borders and the last two years have seen it become increasingly professionalised with “cybercrime as a service” being frequently observed. What we previously categorised as “nation state actors” is now likely to include organised crime groups.
Cyber crime trends
Ransomware attacks have increased massively as has the availability of stolen data on the dark web; ransomware group Conti has been prevalent in Russian attacks on Ukrainian critical infrastructure. The Log4j vulnerability saw nearly one million exploits within 72 hours, eliciting dire warnings from several western governments, and the financial sector has had to scramble to deal with the re-emergence of the Trojan Trickbot, less than ten months after Europol announced its takedown. This malware was already documented, but was joined by over 160 million new types of malware in 2021, the vast majority being Trojans. The money made by the crime groups who subsequently sell stolen data would bail out many a third-world nation, not to mention a Spanish football club!
The major cyber crime trends are very familiar. Phishing continues to be the criminals’ favourite, particularly now fear can be mobilised in so many directions. COVID-19 Omicron variant is an obvious facilitator; the re-homing of Ukrainian refugees has been exploited by the setting up of fraudulent charities, and people’s eagerness to “do something” has seen criminals inviting innocent parties to help launch DDoS attacks, the links then infecting the willing parties’ systems. Increased concerns over the environment, in all its guises, are being exploited in very similar ways and, of course, the turbulence around so many heads of government has not gone unnoticed, with people’s willingness to add their e-signature to online petitions opening up a further line of attack.
Supply chain attacks have increased since March 2020. Vulnerabilities in the supply chain of multiple companies are being attacked in single efforts, whilst the German government has recently warned of frequent attacks on smaller businesses which then run riot through the whole supply chain. This has been made possible by the criminals focusing on service providers and exploiting the weaknesses within an extensive network. Expanded ransomware scams have seen crime groups demanding ransoms from customers and partners of the original victim, having already stolen data relating to those entities in the initial attack. You can imagine that the discovery of non-disclosure agreements and shared intellectual property can be a potentially lucrative bargaining chip.
Hybrid working has vastly increased the projected costs of data protection for companies. Insecure phones and laptops connected to the company network are an obvious logistical and security nightmare and this is exacerbated by the increased “connected time” that employees tend to have when they are working remotely. Simply put, the security concerns become exhausting and thus too regularly ignored.
The new game in town is the deepfake. Our reliance on video conferencing was always likely to be exploited, but the increase in deployment of AI tools to protect against cyberattacks is also being exploited by criminals. Last year, Forbes reported the use of a director’s cloned voice to defraud a Hong Kong bank out of $35m.
People must be at the heart of the response
In terms of response, best practice is the same wherever you are. The difficulty will be in applying it successfully across a very varied global map. Our people will always sit at the heart of our security posture. At the start of this piece, I referred to culture and the need to employ a sociological rather than a technical solution to our defences. We need to be aware that many developing countries have implemented a digital framework that is piecemeal, based on facilitation rather than security, and may even have an unfriendly (to us) backer/implementor. In a similar vein, one should be aware that public sector IT infrastructure is often outdated. This makes it hugely attractive for the attacker. Operational technology poses a similar risk, again because software is often outdated owing to the cost of updating large networks. In this case, proactive protection and proof of rigorous compliance measures are crucial.
Attacks on production have increased as the manufacturing industry has increased its connectivity; we are seeing the adoption of industry standards which does force an awareness onto all parts of the supply chain. This is definitely a good thing! The retail sector is more exposed than it ever was, due to the rush to online and e-based selling. Its biggest weakness may be the fast turnover in staff and thus maintaining a consistent level of awareness; and seasonal issues, particularly around Black Friday and Christmas.
We have travelled the full circle. The global threat to our corporate and individual cyber security is undeniable and growing; the response and our security ultimately sits in the hands of every individual who accesses the worldwide web.
Neil Sinclair
Programme Lead for Police CPI’s Digital Security Provider Initiative.