This year’s Governance, Risk, and Compliance Summit focused largely on cybersecurity; could it be the next crisis?
On 12 and 13 November, this year’s Governance, Risk, and Compliance (GRC) Summit came to London, and a key takeaway was the importance of talking about cybersecurity.
The National Cyber Crime Unit’s Paul Edmonds gave a detailed talk on the subject, and here are ten key points from it that we think you should know about.
1. Cybersecurity is a tier one threat
While it may not seem like one of the largest and most dangerous threats of current times, cyber-attacks are a serious risk to the UK and everyone living in it.
So much so that they have been ranked as a tier one threat, which puts them on a par with war, terrorism, and natural disasters.
The takeaway? Every single business must prioritise protecting itself from cyber-attacks.
2. Good security is not enough
Edmonds said: “Good security is no longer enough”.
In the interconnected world that we live in today, we are all vulnerable to cyber-attacks. These vulnerabilities will be exploited as attackers get more and more intelligent.
Prevention strategies like firewalls and antivirus software are not sufficient on their own. Your business also needs automated detection technology, such as continuous monitoring and automated alerting, to put it in the best position against possible cyber-attacks.
3. There are 2 key types of threat
The two threat types every business should be aware of are breaches and malware.
Data breaches, and their cousin, data exposures, have both been quite prominent in 2018. A data exposure occurs when data is stored and protected badly, leaving it exposed on the internet and available to anyone who comes across it. A recent example is when the firm Exactis exposed about 340 million records on a publicly accessible server.
Malware, short for malicious software, operates on the victim’s computer, and often the user doesn’t know anything about it until it’s too late. For example, the WannaCry ransomware attack of May 2017 hit Windows computers by encrypting their data and then demanding ransom payments in cryptocurrency. It was estimated to have affected more than 200,000 computers in 150 countries around the world.
4. Attack vectors are changing
People used to be the only target of a cyber-attack, but attack vectors are changing, and changing quickly.
Attackers are now moving to focus on the supply chain, which is likely a reaction to businesses tightening security on their own systems.
Portable devices are also a target as they can easily be stolen or infected via easy-to-implement remote attacks.
5. There are four types of cyber criminal
Cyber criminal profiles are always changing, but the key groups businesses must be aware of today are:
- Serious organised criminals – these groups have a clear financial motivation and are highly professionalised and specialist in the way they perform attacks.
- Young offenders – these are predominantly teenagers and male (though there are exceptions). They often commit their crimes as part of hacking forums and can be vulnerable individuals who are being influenced by others online.
- The cyber ‘as a service’ user – this can literally be anyone who decides to perform an attack.
- Near state actors – these are in hard-to-reach jurisdictions, for example the North Korean programmer who was part of the famous hacking group behind the Sony Pictures and WannaCry hacks. They will often go to extreme lengths to avoid being caught.