Cyber security is still a burning boardroom issue. Perhaps it always will be. And that, I’m afraid, is because we can never defeat every single attack. But maybe we don’t need to. Here’s why.
The threats posed by the rising tide of cyber-crime against information technology (IT) and operational technology (OT) are better understood – and vastly more prevalent – than at any time in our history.
The story began when Cornell graduate student Robert Morris created a worm and released it against the Massachusetts Institute of Technology in 1988.
The worm quickly went viral, merrily rewriting 14% of every storage device it could find. And it found plenty.
That all took place 35 years ago. But here we are in 2023 and cyber-attacks are not only deadlier but often come from highly organised, well-resourced gangs of cyber criminals rather than curious students with too much time on their hands.
Having said that, robust defence against the most sophisticated cyber-attacks is eminently possible in the short term. With the right expertise and experience (securing OT needs different skills to IT), vulnerabilities in hardware and software can be discovered, diagnosed and fixed. So far, so good.
However, your OT and IT systems and networks evolve over time to meet the demands of the organisation and of the market. And as things change, new vulnerabilities slip in unnoticed.
So now it is only a matter of time before the ever-vigilant hackers discover and exploit the opportunity. It is imperative that cyber-security is given a place at the top of the agenda and kept there. There can be no half measures and no shortcuts.
A global industry
No one is entirely safe from cyber-crime. Search on the keywords ‘cyber-attack 2022’ plus the continent or country of your choice and you’ll see what I mean. Here are a few recent examples.
In September last year, Australian telecom giant Optus suffered an attack which compromised the names, birth dates, addresses, phone numbers and, in some cases, passport and driver’s licence details of nearly ten million customers.
The attackers leaked 10,000 of these and demanded a £1 million payment in bitcoin. The attack is believed to have been through a ‘hole’ in the company’s security rather than a user/password combination.
Just a few weeks ago (January 2023) the Royal Mail’s international parcel service was attacked with Lockbit 3.0 ransomware. Many believe that a labelling system was the entry point. The service did not resume normal operations for several weeks.
The "people problem"
Whenever we send a team to assess the customer’s current security we pay close attention to the human factor. People, as we all know, are entirely fallible.
We still see discoverable security weaknesses created by someone who decides there’s a more convenient way of doing things. And all too often we come across individuals with a breathtakingly lax attitude to password security.
Occasionally, there is an attack from within. Just two months ago it was widely reported that former Twitter employee Ahmad Abouammo accepted bribes to pass on confidential data regarding ‘users of interest’. There isn’t much you can do about that.
Interestingly, Abouammo wasn’t convicted of any particular flavour of cyber-crime. Instead, he got three and a half years in federal prison for ‘acting as an unregistered agent of a foreign government, international money laundering and falsification of records in a federal investigation.’
A widely reported attack on Uber in September 2022 was successful even though the system used multi-factor authentication (MFA). The attacker used an ‘MFA Fatigue attack’, which bombarded an employee with demands to complete MFA requests. The attacker later told an information security news publication:
“I contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants [the MFA attacks] to stop, he must accept it…he accepted and I added my device.”
These are just a few of the very high profile attacks and some of the ways in which they are perpetrated. Ransomware is favourite.
Plan for the worst
Make no mistake, ransomware attacks are a lucrative global industry which respects no borders. They can happen anywhere, anytime. The targets are carefully selected – after months of careful research and planning – and ruthlessly exploited. So, what can you do?
Clearly, you need to secure your OT and IT against attack and keep it that way. You will almost certainly need the services of a specialist third party for this. If you have offices or facilities in multiple countries you need multi-lingual, multi-skilled cyber experts to protect you.
Even so, there will always be a risk that hackers will find a way in and there is no way to predict how much damage they’ll cause to your systems, your customers, your reputation and your share price.
You need to plan for that.
You need to build resilience into your business and have ways in which normal service can be resumed after a successful attack. You need to rehearse and refine your responses regularly so that your continuity plan can be executed immediately.
Recruiting talent which works best for you
Finding the right people with the requisite cyber skills and experience has become a real problem. There is a global shortage of ‘cyber experts’ and it is common for them to ask for jaw-dropping salaries. Retention is difficult, too. Head-hunters are never more than a phone call away.
The industry is trying to address this shortage. At Thales, for example (and we are certainly not alone in this), we have an energetic apprenticeship programme, and we are constantly reaching out to the education sector at every level, from primary schools right through to universities, to explain and advocate careers in cyber.
And that brings us on to consider what, exactly, constitutes a cyber expert. Just like the term ‘engineer’ it means everything and nothing. You wouldn’t engage a software engineer to design a railway bridge. Or a biochemical engineer to design an aircraft. Cyber is also a broad field with several disciplines.
So, finding and retaining the specific cyber-talent that your enterprise needs, in the languages you use, is a major challenge. That’s not going to change anytime soon.
What we’re trying to do at the moment is to build cyber academies across the world, so that people can join us with a basic capability and we’ll train them in other cyber disciplines. We’re also promoting global mobility to support our international customer base. If one of our cyber experts wants to work overseas we’ll find a way to make that happen.
You’re going to struggle to match that variety in-house.
Securing the supply chain
SMEs can add tremendous value because they’ve got great technology and rare niche capabilities. They are unlikely to have the advanced cyber security that you have, though. And a hacker who is planning an attack against you will certainly explore the possibility of launching that through your trusted suppliers.
Their cyber defences will be much more limited than yours. So you have to make sure that they know the risks and that they’re taking care of the cyber essentials – basic best practice. And you should be helping them do that.
Bottom line? Robust, 360° cyber security is essential but that’s not the end of the story. The markets might be unhappy that you have been hacked but decisive action and rapid recovery will always be celebrated. So the smart play is to add resilience and business continuity to the mix.
Key points in brief
• There is always a risk that an attack will be successful
• Hackers are likely to be skilful, organised and well resourced
• The majority of attacks are ransomware
• Put cyber security at the top of the agenda and keep it there
• Resilience and business continuity are arguably more important than robust cyber security
Vice President Operations & International - Cyber Defence Solutions Business Line.
Gareth is responsible for the International Cyber Solutions Business of Thales across the world, spanning multiple countries and regions. He is also a member of the UK National Cyber Advisory Board, a member of the CBI Wales Council, and a board member of Technology Connected.