The National Cyber Security Centre and National Crime Agency have today released their joint report on the cyber threat to UK business. The headlines are certainly powerful and could give any business leader sleepless nights:
- The cyber threat to UK business is significant and growing.
- This threat is varied and adaptable.
- The rise of internet-connected devices gives attackers more opportunity.
- The past year has been punctuated by cyber attacks on a scale and boldness not seen before.
Further, the report points out that the opportunities for attackers are increasing and the technical skills required to carry out an attack are decreasing, which means that the number of people capable of launching an attack is increasing. However, the good news is that it is possible to defend against all but the most determined and technically capable attackers. Basic “cyber hygiene” can thwart the vast majority of threats.
- Malware and services are traded on the dark web, enabling unskilled people to launch attacks.
- Cyber extortion (ransomware, DDoS etc.) has increased and is targeting specific businesses for increased reward.
- “Internet of Things” botnets are growing – to the extent that government intervention and product recalls are becoming necessary.
- Financial exploits have become more targeted and less visible.
- The threat to mobile devices (smartphones) is low but growing.
- Social media is a significant attack vector, exploiting the trust and familiarity associated with these sites.
- Large-scale data breaches continue to hit the headlines.
How can we deal with these threats?
As I said above, simple, basic, measures will prevent the vast majority of attacks. The Cyber Essentials steps (boundary control, secure configuration, access control, malware protection and patch management) are still an effective starting point. Key decision makers should engage with the risk assessment and mitigation process. This is true for cyber risks just as it is true for any other risk. Cyber threats affect the whole business, not just the IT department, and so you need a whole-business approach to dealing with them.
Similarly, awareness-raising, information-sharing and incident reporting are vital safeguards. Your customer-facing staff are far more likely to receive and respond to messages from an unknown and untrusted origin than your IT security team. Do they know how to recognise a suspicious request and how to deal with it?
Of course, we are happy to help you with your cyber security management and with awareness training. Simply contact us for a free initial consultation.