The cyber threat to UK business is significant and growing; it’s varied, and adaptable, and the rise of internet connected devices gives attackers more opportunity. Cyber-attacks have become larger scale, and bolder; and technical expertise is not necessary to carry out attacks. That is the gist of an annual assessment of the biggest cyber threats to UK businesses, produced jointly for the first time by the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and industry partners.
The report will be presented at the NCSC’s Cyber UK Conference in Liverpool. For the 24-page publication in full visit http://www.nationalcrimeagency.gov.uk/publications/785-the-cyber-threat-to-uk-business/file.
Donald Toon, Director for economic and cyber crime at the National Crime Agency (NCA), said: “We have worked with the NCSC and valued private sector partners to produce this assessment, setting out an up to date picture of threats to business including ransomware, DDoS and evolving financial trojans. These threats demonstrate the need for a collaborative response across industry, law enforcement and government, with the ultimate aim of protecting customers and the UK economy.
“Businesses reporting cyber crime is essential if we are to fully understand the threat, and take the most effective action against it. And while 100 per cent protection doesn’t exist, making cyber security an organisational priority and ensuring up to date processes and technology can protect against the vast majority of attacks. The NCA and its partners continue to have significant success against cyber crime, through identifying and arresting criminals at home and abroad, working to deter young people from becoming involved in criminality, and disrupting the ways in which criminals make and launder their money.”
Ciaran Martin, CEO of the National Cyber Security Centre, said: “The National Cyber Security Centre exists to benefit the whole country, so we are delighted to be here in Liverpool – the UK’s first ‘Smart City’ – to share knowledge and expertise with many of our essential partners. As the national technical authority for cyber security in the UK, the NCSC agenda is unashamedly ambitious; we want to be a world leader in cyber security.
“Cyber attacks will continue to evolve, which is why the country must work together at pace to deliver hard outcomes and ground-breaking innovation to reduce the cyber threat to critical services and deter would-be attackers.
“No single organisation can defend against the threat on its own and it is vital that we work together to understand the challenges we face. We can only properly protect UK cyberspace by working with others with the rest of government, with law enforcement, the armed forces, our international allies and, crucially, with business and wider society.”
And Don Smith, technology director at cyber company SecureWorks and Strategic Cyber Industry Group representative, said: “The development of technology throughout history has given smart criminals new ways to get what they want: email spawned the development of phishing and spam; online banking led to the creation of viruses that target bank accounts; and the Internet of Things will doubtless bring opportunities for new methods of attack. Many businesses face understandable difficulty in reporting cybercrime incidents, but knowing that revealing such information might prevent further harm to their business is essential. This assessment proves that collaboration is key to protecting our assets and targeting cyber criminals.”
Comments
Tony Pepper, CEO and co-founder Egress, said: “This report certainly highlights the numerous security threats businesses are facing at the moment. While it’s all things everyone should really be aware of anyway, it does clearly show the uphill battle we’re all facing. What, however, is almost entirely bypassed here is the threat from insiders. Considering almost 50 per cent of breached records are the result of an accident, it seems an oversight to boil this threat down to a small box on page 8. Insiders with a grudge to bear are, of course, a problem, but more so are people who are simply not paying proper attention. Accidents happen.
“There’s no doubt that someone inadvertently emailing a spreadsheet containing all employee details to the wrong person isn’t as a good a headline as a ransomware attack, but that does not diminish the threat it poses. As well as shoring up defences against malicious, external cyber criminals, businesses must be made far more aware that accidents can cause just as much damage. All businesses need to better engage with employees to make sure they are aware of the risks and how to avoid them – and it takes more than just encryption technology alone to do that. It’s a case of training, communicating and encouraging every member of staff and employing technology to support that mission. Man and machine need to work hand-in-hand to fight this battle, not at odds.”
Dr Malcolm Murphy, Technology Director, Western Europe at Infoblox, said: “Ransomware was a dominating trend in cyber-crime in 2016 and is only set to increase, with its commoditisation through cyber-crime toolkits allowing even the most novice criminal to deploy it. As this report demonstrates, many Internet of Things manufacturers may be contributing to this rise by not prioritising security when building their devices; many are being produced with predictable passwords that cannot easily be changed.
“Too many electronics firms want to make their IoT device as cheap as possible. Security is expensive and paying developers to write secure code might mean a gadget is late to market and costly. Ultimately though, insecure products will lead to greater attacks. Unless we see security prioritised when building these connected devices, there’s a good chance we’ll see them increasingly being used for ransomware and other forms of cyber-attack.”
Peter Carlisle, VP EMEA at Thales e-Security, said: “Connected devices will play an increasingly crucial role in data sharing for the delivery of digital public services in organisations like the NHS. Our recent research found that one third of healthcare organisations now use IoT devices to store patient data, so it’s no surprise that hackers see this as an opportunity to breach security to steal patient data. This threat cannot be underestimated, leading to life-threatening consequences if medical devices are hacked and shutdown. To tackle this threat before it takes hold, organisations must train employees to improve their cyber security skills whilst implementing a robust encryption policy to protect critical data from malicious attacks.”
Andrew Rogoyski, Vice President Cyber Security Services, CGI, said: “As we’ve seen in today’s headlines, the joint report from the National Cyber Security Centre and the National Crime Agency, shows there is an increasing security threat around the exposure of personal or precious information and how it can be held ransom by cyber criminals. However, it’s not just about our own personal data. Everyday devices, such as smartphones and smart watches, are increasingly used within the business environment to access and share data, often through cloud services, so there should be wider concerns about the cyber security risk to UK business. Many organisations are shocked by the dozens of cloud services that are typically being accessed by their staff, their so-called ‘shadow IT’. The blurring of personal and business information boundaries, coupled with the convergence of smart devices and cloud services needs to be properly understood if organisations are to avoid high profile cyber incidents such as Yahoo!, TalkTalk and Swift. And the increasingly strong regulatory environment brought about through changes like the General Data Protection Regulation (GDPR) coming into full force next year, will expose organisations without cyber strategies or proper protective measures in place.”
Peter Turner, Avast Security Expert says: “Today’s news from the National Crime Agency and the National Cyber Security Centre about the rising risk of ransomware isn’t surprising. 2016 has been dubbed ‘the year of ransomware’ after we tracked unprecedented levels of ransomware attacks and the emergence of new strains and 2017 is currently set to be no different. Between October 2015 and June 2016 at AVG, an Avast company, we detected 20,044,360 ransomware threats globally. Given that each attack on average demands a 1 bitcoin ransom (with an average monetary value of around $500 during this time period), we saved consumers and businesses globally at least $10,022,180,000 worth in ransom payments by preventing such attacks. Based on our long-term statistics, we save at least one device from a ransomware attack every single second.
“Consumer and businesses can help to protect themselves against ransomware by ensuring they have the latest digital security installed and ensuring they maintain their devices by keeping all apps and programmes up to date. They also need to be vigilant about not opening suspicious emails and attachments or downloading software from unauthorised sources which may not be official and could contain ransomware. Observing simple rules and being smart about what we do online are all important defences against ransomware.”
Andre Stewart, VP EMEA at Netskope, said: “Cybercriminals are always on the hunt for vulnerable information, that is nothing new. However, the plethora of connected IoT devices in use across homes and businesses today only widens the scope for potential attacks. Against this backdrop it’s no surprise that the threat posed by ransomware is growing, and now it’s up to UK businesses to recognise the problem and take steps to mitigate the scale and pace of changing cyber threats.
“Within today’s cloud environments, ransomware can quickly spread to other users through cloud app sync and share functionality – creating a dangerous “fan-out” effect. In fact, Netskope research has revealed that 43.7 per cent of malware found in enterprises cloud services have delivered ransomware. To help combat the rise of ransomware and an increasingly complicated cloud threat landscape, IT teams need deeper intelligence, protection, and remediation to help them stop malware and ransomware in their tracks. They will also need complete visibility into employees’ use of cloud services, plus the ability to scan for ransomware in the cloud – and to take action to prevent the malware spreading to avoid damage to the wider organisation.”
Richard Henderson, global security strategiest at Absolute, said: “Nothing has impacted – or will continue to impact – the cyber threat landscape as much as internet-connected devices. With smart devices increasingly saturating the market, the risk of hacking and ransomware attacks is rising significantly. What’s particularly worrying about the Internet of Things (IoT) and the abundance of easy-to-use hacking tools available is that hackers no longer need the advanced skills or expertise traditionally required to gain access to enterprise networks. Devices are often inadequately protected in comparison with more traditional network defences, which means that when a device connects to the corporate network, or is quickly exploited, it has the potential to provide a very easy access route to the company’s confidential data. Internet-enabled devices are rapidly being seen as low-hanging fruit for cyber criminals.
“It’s paramount that organisations ensure that every ‘thing’ that is connected to their network is necessary. This could mean limiting how employees connect to their personal smart devices during work hours, or creating separate and segregated networks for IoT devices. Regardless, policies and procedures must be enforced and adhered to. If these devices are connected to their network, businesses must implement full management of these devices, tracking and monitoring them to secure enterprise data and network access. Full implementation of the GDPR, which will force businesses to prove that their data is protected in a breach situation, is rapidly approaching, so it’s crucial that new security policies are drafted and existing ones are adapted to manage the influx of security-poor devices that will continue to flood the enterprise. Having a persistent connection to all devices – whether it’s a smartphone, an employee’s watch or the kitchen’s connected kettle – is fast becoming essential for businesses protecting their assets and remaining compliant.”
Zach Lanier, research director, Cylance, said: “While the NCA report highlights a number of threats, perhaps the most notable (but not unsurprising) one is the increase in Internet connected devices. In particular, the Internet of Things and the attack surface that comes with it. We’ve already seen record-breaking DDoS attacks using insecure embedded devices, and with the rapid proliferation of even more IoT devices, it’s likely we’ll see that activity again in the near future. The NCA report also points out the high probability of mobile and IoT devices getting hit with ransomware, which seems like a natural evolution (in fact, in late 2016, some smart TVs were already being infected with ransomware). Between that and all the other threats the NCA report predicts for 2017, consumers and businesses will need to bolster their security and remain steadfastly aware of the risks they may face.”
