Ten things we learned about cybersecurity from the GRC Summit London 2018

This year’s Governance, Risk, and Compliance Summit focused largely on cybersecurity; could it be the next crisis?

On 12 and 13 November, this year’s Governance, Risk, and Compliance (GRC) Summit came to London and a key takeaway was the importance of talking about cybersecurity.

The National Cyber Crime Unit’s Paul Edmonds gave a detailed talk on the subject; here are ten key points from it that we think you should know about the cyber space.

1. Cybersecurity is a tier one threat

While it may not seem like one of the largest and most dangerous threats of current times, cyber-attacks are a serious risk to the UK and everyone living in it.

So much so that they have been ranked as a tier one threat, which puts them on a par with war, terrorism, and natural disasters.

The takeaway? Every single business must prioritise protecting itself from cyber-attacks.

2. Good security is not enough

Edmonds said: “Good security is no longer enough”.

In the interconnected world that we live in today, we are all vulnerable to cyber-attacks. These vulnerabilities will be exploited as attackers get more and more intelligent.

Prevention strategies like firewalls and antivirus software are not sufficient on their own. Your business also needs detection tools – automated detection technology – such as continuous monitoring and automated alerting to put it in the best position against possible cyber-attacks.

3. There are two key types of threat

The two threat types every business should be aware of are breaches and malware.

Data breaches, and their cousin, data exposure, have both been quite prominent in 2018. A data exposure is when data is stored and protected so badly that it is exposed on the internet and available to anyone who comes across it. A recent example is when the firm Exactis exposed about 340 million records on a publicly accessible server.

Malware is malicious software that runs on the victim’s computer, often without the user knowing anything about it until it is too late. For example, the WannaCry ransomware attack of May 2017 attacked Windows computers by encrypting data and then demanding ransom payments in cryptocurrency. It was estimated to have affected more than 200,000 computers in 150 countries around the world.

4. Attack vectors are changing

People used to be the only target of a cyber attack, but attack vectors are changing and changing quickly.

Now attackers are moving their focus to the supply chain, which is likely a reaction to businesses tightening security on their own systems.

Portable devices are also a target as they can easily be stolen or infected via easy-to-implement remote attacks.

5. There are four types of cyber criminal

Cyber criminal profiles are always changing, but the key groups businesses must be aware of today are:

  • Serious organised criminals – these groups have a clear financial motivation and are highly professionalised and specialist in the way they perform attacks.
  • Young offenders – these are predominantly teenagers and male (though there are exceptions). They often commit the crimes by being part of hacking forums and can be vulnerable individuals who are being influenced by others online.
  • The cyber ‘as a service’ user – this can literally be anyone who decides to perform an attack.
  • Near state actors – these are in hard-to-reach jurisdictions, for example the North Korean programmer who was part of the famous hacking group behind the Sony Pictures and WannaCry hacks. They will often go to extreme lengths to avoid being caught.

6. Pulling off a cyber attack is a team effort

To achieve a big, organised attack like the WannaCry and NotPetya incidents, there would be different stages to the attack and different skills needed to pull each stage off.

The assault would start with the hacker themselves and move straight to the coder who would do the exploiting. The spammer is the one who disseminates the information to perform the attack. Then there is the information vendor who would sell and/or track the data. Finally the mules exploit the data and pass it to the launderers who generate the revenue from it.

7. Cyber resilience is vital

As cyber criminals grow in numbers and intelligence, resilience is becoming more and more essential. It is a feature businesses cannot afford to be without.

For example, Microsoft had released a patch a month before WannaCry hit, and those who had applied this newest patch were protected from the attack.

8. We are building new protection tactics

To achieve this resilience, businesses should be looking at having all of the following.

  • Vulnerability management and patching
  • Controlling code execution
  • Analytics for threat monitoring
  • Good access control
  • Defence in depth
  • Backup procedures
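Points 2, 7 and 8 all come back to the same operational idea: keep checking the estate continuously and raise an alert as soon as a host lags behind (a patch released a month ago that is still not applied, a backup that has silently stopped). The script below is an added example, not code from the summit talk or from the National Cyber Crime Unit; it runs one such automated check over a constructed asset inventory. The host names, patch identifiers, release dates and the reference date are all invented placeholders.

```python
"""Automated patch-lag and backup-age alerting over a constructed inventory.

Added example for illustration; the patch IDs, dates and hosts are placeholders.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed baseline: patch identifier -> date the vendor released it.
# The IDs are placeholders, not real vendor bulletin numbers.
BASELINE: Dict[str, date] = {
    "PATCH-PLACEHOLDER-001": date(2017, 3, 14),
    "PATCH-PLACEHOLDER-002": date(2017, 4, 11),
}

PATCH_GRACE_DAYS = 30     # a host may lag a release this long before we alert
BACKUP_MAX_AGE_DAYS = 7   # a backup older than this is treated as failed


@dataclass
class Host:
    name: str
    installed_patches: Set[str] = field(default_factory=set)
    last_backup: Optional[date] = None   # None = no successful backup recorded


def evaluate_host(host: Host, today: date,
                  baseline: Dict[str, date] = BASELINE) -> List[str]:
    """Return alert strings for one host (empty list = healthy)."""
    alerts: List[str] = []

    # Patch lag: only alert once the release is older than the grace period,
    # so brand-new patches do not page the team the moment they ship.
    for patch_id, released in baseline.items():
        if patch_id in host.installed_patches:
            continue
        age = (today - released).days
        if age > PATCH_GRACE_DAYS:
            alerts.append(f"{host.name}: missing {patch_id}, released {age} days ago")

    # Backup recency: resilience depends on having something to restore from.
    if host.last_backup is None:
        alerts.append(f"{host.name}: no backup recorded")
    else:
        backup_age = (today - host.last_backup).days
        if backup_age > BACKUP_MAX_AGE_DAYS:
            alerts.append(f"{host.name}: last backup is {backup_age} days old")

    return alerts


def evaluate_fleet(hosts: List[Host], today: date,
                   baseline: Dict[str, date] = BASELINE) -> Dict[str, List[str]]:
    """Map host name -> alerts, including only hosts that need attention."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        alerts = evaluate_host(host, today, baseline)
        if alerts:
            report[host.name] = alerts
    return report


# Constructed inventory, as a continuous-monitoring job might read it from a CMDB.
SAMPLE_HOSTS = [
    Host("fileserver-01", {"PATCH-PLACEHOLDER-001", "PATCH-PLACEHOLDER-002"},
         date(2017, 5, 10)),
    Host("kiosk-07", {"PATCH-PLACEHOLDER-002"}, date(2017, 5, 2)),
    Host("legacy-db", {"PATCH-PLACEHOLDER-001", "PATCH-PLACEHOLDER-002"}, None),
]
REFERENCE_DATE = date(2017, 5, 12)   # constructed "today" for the run


if __name__ == "__main__":
    for name, alerts in evaluate_fleet(SAMPLE_HOSTS, REFERENCE_DATE).items():
        for line in alerts:
            print("ALERT", line)
```

Run on a schedule, a job like this turns the passive list above into the "continuous monitoring and automated alerting" the talk asked for: the grace period is the policy decision (how long is an unpatched host acceptable?), and the backup check catches the quiet failure mode where backups stop without anyone noticing.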

9. Incident management is essential

What do we mean by incident management? Quite simply, it is dealing effectively with an incident if one does arise, and the way it is dealt with depends on its categorisation.

In current incident management, C6 attacks refer to single attacks on a member of the public, compared with C1 attacks, which are attacks on national government infrastructure.

Whatever the categorisation, Edmonds said reporting incidents is very important to prevent them from happening again and to improve our knowledge of them.

10. Cybersecurity is a business-critical function

According to Edmonds, the debate is no longer whether to have cybersecurity capabilities or not. Without them, your business is exposed to an attack that is very likely to come.

Now the question is how do we make our cybersecurity smart enough to outwit the criminals and the technology they use to perform these attacks?
