These mistaken beliefs about cyber security were recognized by Ciaran Martin, CEO of the National Cyber Security Centre – the cyber arm of GCHQ – who cautioned organisations:
“There isn’t much of a reason any longer for not knowing about security as a company danger”.
First, a lot of organisations still believe that all cyber attacks are targeted, implying that unless they’re specifically chosen as the target of a hacking campaign, they will not fall victim. Second, some board-level executives do not engage with cyber security because they believe it to be too complicated – in many cases even being fearful of the intricacies they perceive it to involve.
Speaking at the European Information Security Summit in London, Martin warned there are still companies which believe they will not be in the sights of cyber crooks, and so aren’t at risk of suffering the negative effects of a cyber attack.
“Tell that to the Western business leaders hit by NotPetya in the summer of 2017,” he said, referring to the malware campaign launched against Ukraine by Russia, which quickly spread around the world, knocking businesses offline and doing vast amounts of damage.
“The Russian target here was quite obviously Ukrainian infrastructure, but it damaged – amongst other things – British advertising and pharmaceutical companies, as well as the shipping giant Maersk,” said Martin.
The impact of NotPetya forced Maersk to reinstall 4,000 servers and over 45,000 PCs, with losses brought on by severe business interruption estimated to total over $300m – in spite of the shipping company never being the intended target of the attack.
Weeks earlier, the global WannaCry ransomware outbreak provided what Martin described as “an even starker illustration” of how unwary organisations can find themselves the victims of a major cyber attack.
The UK’s National Health Service found itself an unwitting victim of the campaign spread by means of an aggressive worm-like virus released by North Korea in an effort to extort ransoms.
“That makes small, British NHS bodies a uniquely absurd target, but they were attacked and disrupted nonetheless,” said Martin.
But board members thinking their organisation won’t actually face the threat of a cyber attack isn’t the only misconception which needs to be resolved. The NCSC CEO described how some boards feel it to be too intricate a problem to really comprehend – but pointed out that organisations deal with complex problems every day, and that at its core, managing cyber security isn’t much different.
“When I view companies in the UK and around the world, I’m typically surprised by the sheer intricacy and elegance of the businesses and the dangers that they manage. A company that can extract things from way below the ground, a business that can transport delicate items to the other end of the world in a really short period of time, a company that can process billions of monetary transactions every hour is more than capable of managing cyber security danger”.
Even simple actions like ensuring systems and software are up to date can go a long way towards protecting organisations from cyber attacks.
Martin described how this could have helped organisations all over the world avoid becoming victims of Cloud Hopper, a data-stealing espionage campaign which Western authorities have attributed to China’s state-backed hacking group APT10.
Much of the campaign was based around distributing phishing e-mails containing malicious Word documents which, when opened, ran macros that retrieved malware.
Martin described how, if the targeted organisations had applied the appropriate patches, the vulnerabilities exploited by the attackers wouldn’t have been open.
“Don’t blame the people who opened the files – had the organisations been running an updated Office application, it would not have made it through,” he said.
“The fundamental point here is that the infection was able to continue and spread and do damage due to poor cyber security,” Martin said. While the APT in APT10 stands for ‘Advanced Persistent Threat’, the attack wasn’t that advanced.
“In this particular case the attack wasn’t advanced, the group didn’t need to be consistent and there was absolutely nothing truly threatening about it – that’s not good enough and that’s what we need to deal with.”
The NCSC has previously issued advice to senior executives on the 5 cyber security questions they must be able to answer in order to ensure the business isn’t at risk from hacking threats.
Source: https://www.ncsc.gov.uk/blog/ciaran-martin