By: Conrad Prince, former deputy head of GCHQ
Cyber risk is a challenge for businesses, big and small, and those risks are growing significantly in scale and impact. For boards across all sectors, this needs to be addressed as a top priority risk. At board level, while driving growth, the C-Suite will be expected to anticipate and manage cyber security risk as a key priority.
Cyber crime is big business. Ransomware attacks, where businesses are “locked out” of their computer systems unless they pay the attackers for a “key”, have grown dramatically, nearly doubling in the first half of 2021, while the average ransom paid rose by 82%. JBS, the world’s biggest meat processing company, admitted to paying an $11 million ransom to regain access to their data and systems.
Businesses worldwide of all sizes and types are targeted by criminal ransomware attacks. These attacks do not simply hold a company’s data to ransom – they often lead to commercial operations coming to a halt. And recovery takes time and can be very expensive and disruptive for the business.
High-profile victims of ransomware so far in 2021 include Colonial Pipeline, the largest fuel pipeline in the United States, which had to cease operations for a period; Norwegian energy technology company Volue, which was held to ransom, resulting in shutdowns at water and water treatment facilities that affected 85% of the Norwegian population; and Transnet, the South African port operator, which was hit by ransomware, causing disruption and delays at several of South Africa’s busiest ports. One report claims that nearly half of US hospitals disconnected their networks in the six months to August 2021 due to ransomware, either taking proactive action to avoid a breach, or because they were forced to do so by a severe malware infection.
“In reality middle market businesses are just as likely to be attacked as the large corporates. The high-profile media cases encourage a ‘it won’t happen to us’ attitude risking increased vulnerability,” says Sheila Pancholi, Partner and National Technology Risk Assurance Leader at RSM UK, quoted in RSM UK’s The Real Economy Cyber Security Report.
Pancholi continues, “In contrast to the large organisations who have departments dedicated to cyber security, medium sized organisations unfortunately find themselves in the situation where they react to cyber crime only after they have been the subject of an attack. This can be costly and disruptive to business operations. For many smaller businesses it could simply cripple the business”.
A concerning trend is that criminals are now starting to launch cyber attacks with a degree of complexity which was once the preserve of state actors. The ransomware attack on software company Kaseya in July 2021 is one example. This was a so-called ‘supply chain attack’: using a previously unknown flaw in Kaseya’s technology, it infected the company’s clients and hundreds of their customers, evading traditional defences such as antivirus software. The criminal gang responsible demanded a record ransom of $70 million.
States worldwide are also using cyber, mainly for spying, including industrial espionage and theft of intellectual property. One recent report shows that nation state cyber operations have doubled since 2017, with one third of these attacks apparently targeting businesses. One of the most high-profile recent examples was the Russian attack on US tech company SolarWinds, which exploited vulnerabilities in trusted technology products to breach the defences of thousands of organisations.
Companies involved in leading-edge research, including health research, technology, defence and security, are likely to be targets for state cyber attacks, as are companies that supply government and might be used as a back door to reach government targets.
Cyber security starts at the top
Boards need to be focusing on cyber as a key priority. Many are, but the picture is still mixed across different sectors. The starting point is for the Board to acknowledge cyber as a risk, develop a good understanding of what they need to protect and how much risk they are willing to take.
Furthermore, they should get an independent assessment of their cyber risk profile and the effectiveness of their current cyber security protections. Based on this, companies need to fund cyber improvement programmes and ensure they have access to the cyber skills they need, including independent expert advice at Board level if required. Increasingly, companies are looking at cyber as a resilience issue and putting plans in place to ensure the minimum disruption to operations when an attack happens, rather than assuming one will never get through.
The supply chain risk
Understanding the supply chain is critical, as this is increasingly a preferred route for attackers. The EU’s cyber security organisation has predicted a fourfold increase in cyber supply chain attacks over 2021. Getting assurance of supply chain security is tough, but it is important to make cyber standards a core part of commercial agreements with suppliers. The same applies to the Cloud. Cloud migration can bring significant efficiencies, but it is essential Boards understand that outsourcing services to Cloud providers does not mean they have outsourced the risk.
From a middle market perspective, Pancholi says, “As new technologies are being introduced, such as web apps, they are not being tested effectively, and security becomes an afterthought rather than developers adopting the concept of security by design. Increased interconnectivity and end points provide more opportunity for cyber criminals to intercept systems or identify weak points that can be exploited”.
Being able to demonstrate high cyber standards is increasingly important as governments worldwide step up cyber and data privacy regulation, and adopt new measures to address the cyber challenge.
The Cyberspace Administration of China has responded to concerns about attacks on critical information infrastructure with new regulations requiring organisations to have a crisis plan, run crisis drills and report incidents. New legislation in Australia gives crime agencies significant new powers to disrupt suspected cyber criminal activity. In Europe, the EU presented a new EU Cybersecurity Strategy at the end of 2020, and the UK will announce a new cyber strategy before the end of this year.
Since taking office in January, US President Biden has made cyber security a significant part of his administration’s effort, with a wide-ranging programme backed by a $2 billion investment. Measures announced so far include introducing new cyber security requirements for government agencies, imposing sanctions on Russia for its cyberespionage activities, and developing cyber security standards for critical infrastructure.
Biden has also emphasised the importance of public private partnerships. He held a high-profile summit in August 2021 with leading US tech companies, banks and critical infrastructure providers. Afterwards, various participants announced funding commitments totalling over $30 billion to enhance cyber security and to provide training to boost the cyber security workforce.
What does the future hold for cyber security in the middle market?
The private sector, particularly growth-sector businesses that, as they expand, are emerging as potentially well-funded targets for attacks, is increasingly going to have to view the cyber threat as real.
According to Pancholi, “The businesses that are managing this challenge most effectively are those with a fully engaged leadership. Executives and members of the C-Suite need to be implementing innovative new technologies hand in hand with robust risk management processes. Embedding a security culture in businesses is the best protection against the cyber threat, and this must start at the top”.
Conrad Prince is the former deputy head of GCHQ, the UK government’s cyber intelligence and security agency, and is a senior adviser to a range of state and private sector organisations.