A joint report from the NCA and the NCSC warns that cybercrime is becoming more aggressive. The increase in devices connecting to the internet is providing more opportunities for criminals to hold people to ransom over personal data.
According to the report, the threat to UK businesses is ‘significant and growing’.
In this post, we consider the findings of this latest report and the three key areas it recommends that businesses address: technology, people and processes.
The report, The Cyber Threat to UK Business, was published this month, March 2017, by the National Cyber Security Centre and the National Crime Agency. It reveals that the UK has been hit by 188 high-level attacks in the three months since the creation of the NCSC, as well as numerous lower-level attacks.
The chief executive of the NCSC, Ciaran Martin, said that the UK private and public sectors must work together ‘at pace’ to reduce the cyber threat to UK business, which is continuing to evolve.
A significant part of the problem lies with the Internet of Things and the growing number of devices connecting to the internet. The report states that the growing number of internet-enabled devices – TVs, smartphones, watches, fitness trackers etc. – is providing more opportunities for hackers.
The trouble is that many of these devices have only limited security built in and can, therefore, be targeted by criminals with relative ease. Many manufacturers of such devices are simply not prioritising security, perhaps because it would drive up costs and delay products going to market.
Cybercrime is becoming increasingly aggressive, with extortion commonly being used in ransomware and DDoS attacks. The rise of ransomware has been well documented over the past year and, as this market begins to mature, new strains with unusual features are increasingly being employed.
Ransomware is a significant and growing threat and, as such, businesses should be looking to implement further preventative and mitigation solutions to combat it, including appropriate defensive and backup solutions.
The report highlights three key areas for businesses to consider in the fight against cybercrime:
• Technology
• People
• Processes
By giving due consideration to these three areas, businesses can help to mitigate the cyber threat. Let’s examine each in turn…
The report asserts that appropriate investment in technology can ensure that businesses can defend against most cyber-attacks. Unfortunately, many businesses are still falling victim to attacks involving the exploitation of even basic, well-known vulnerabilities due either to ignorance of the threat or the failure to implement adequate cyber defences.
The report affirms the importance of a user-centred approach when designing a cybersecurity strategy. People are a crucial component and can be both the weakest and the strongest link in the chain. Many data breaches can be prevented by giving due consideration to good security design, usability and appropriate staff training.
The report notes that the unprecedented rate of digitisation of business processes can create vulnerabilities that may be exploited by cybercriminals. It also notes that some smaller businesses have difficulties in balancing cybersecurity with their available resources, particularly where accessibility and profitability are likely to be impacted.
Process-related issues that can hinder cyber security efforts include:
• Poor communication between teams and individuals within an organisation, which can lead to failures to report important security details and/or passing the buck of responsibility for risk management.
• Cyber security being outsourced without recognition that the business still bears the ultimate responsibility for the risks – an out of sight, out of mind attitude will fail you.
• Lack of resources to invest in cybersecurity defences.
• Lack of awareness and training regarding the risks.
The report suggests that businesses can both mitigate the cyber threat and reduce the potential impact of an attack by following the guidance laid out by existing initiatives such as the government-backed Cyber Essentials scheme.
This scheme shows businesses how to prevent common cyber-attacks, by highlighting five key controls designed to address commonplace weaknesses in their IT systems. These controls cover: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.
More information on these can be found in the Cyber Essentials documents, which are free to download and can be accessed here. Businesses can also apply for Cyber Essentials certification, which provides independent assurance that the company has these fundamental protections correctly in place.
An independent security assessment, such as those carried out under the Cyber Essentials scheme, can give businesses peace of mind that their IT systems are adequately protected. It also demonstrates to both suppliers and customers that a business takes cyber security seriously, with third-party evidence that all necessary protections are properly in place. This can go a long way to boosting the reputation of a company, helping it to gain consumer trust and secure more contracts.
At Grant McGregor, we can help you work towards the Cyber Essentials standards and certification. For more information, visit our Cyber Essentials page or get in touch today on 0131 603 7910.