There are 2 myths that stand in the way of boards understanding the threats posed by cyberattacks and ensuring their businesses can be safe against cybercriminals and hackers.
These misconceptions about cybersecurity were identified by Ciaran Martin, CEO of the National Cyber Security Centre – the cyber arm of GCHQ – who warned organizations: “There isn’t much of an excuse any longer for not knowing about security as a business risk”.
First, too many organizations still believe that all cyberattacks are targeted, meaning that unless they’re specifically selected as the objective of a hacking campaign, they won’t fall victim. Second, some board-level executives don’t engage with cybersecurity because they believe it to be too complicated – in some cases even being fearful of the complexities they perceive as being involved.
Speaking at the European Information Security Summit in London, Martin warned there are still businesses that believe they will not be in the sights of cyber criminals, so aren’t at risk from suffering the negative effects of a cyberattack.
“Tell that to the Western business leaders hit by NotPetya in the summer of 2017,” he said, referring to the malware campaign launched against Ukraine by Russia, which quickly spread around the world, knocking businesses offline and doing vast amounts of damage.
“The Russian target here was quite obviously Ukrainian infrastructure, but it damaged – amongst other things – British advertising and pharmaceutical companies, as well as the shipping giant Maersk,” said Martin.
The impact of NotPetya forced Maersk to reinstall 4,000 servers and over 45,000 PCs, with losses caused by serious business interruption estimated to amount to over $300m, despite the shipping firm never being the intended target of the attack.
Weeks earlier, the global WannaCry ransomware incident provided what Martin described as “an even starker illustration” of how unsuspecting organizations can find themselves the victims of a major cyberattack.
The UK’s National Health Service found itself an unwitting victim of the campaign spread via an aggressive worm-like virus launched by North Korea in an effort to extort ransoms.
“That makes small, British NHS bodies a uniquely absurd target, but they were attacked and disrupted nonetheless,” said Martin.
But board members believing their organization won’t actually face the risk of a cyberattack isn’t the only myth that needs to be dispelled. The NCSC boss described how some boards feel it be too complex a problem to truly understand, but pointed out how organizations deal with complicated issues every day, and that at its core, a cyber-managing security strategy isn’t much different.
“When I view businesses in the UK and around the world, I’m often amazed by the sheer complexity and sophistication of the businesses and the risks that they manage,” said Martin.
“A company that can extract stuff from way below the ground, a company that can transport fragile goods to the other end of the planet in a really short period of time, a company that can process billions of financial transactions every hour is more than capable of managing cybersecurity risk”.
Even simple activities like ensuring systems and software are up to date can go a long way to protecting organizations from cyberattacks.
Martin described how this approach could have helped organizations around the world avoid becoming victims of Cloud Hopper, a data-stealing espionage campaign, which Western authorities have attributed to China’s state-backed hacking group APT10.
Much of the campaign was based around distributing phishing emails containing malicious Word documents, which – when opened – ran macros that retrieve malware.
Martin explained how if the targeted organizations had applied relevant patches, the vulnerabilities exploited by the attackers wouldn’t have been open.
“Don’t blame the people who opened the files – had the organizations been running an up-to-date Office application, it wouldn’t have got through,” Martin stated.
“The fundamental point here is that the infection was able to persist and spread and do harm due to poor cybersecurity. In this specific case the attack wasn’t advanced, the group didn’t need to be persistent and there was nothing really threatening about it – that’s not good enough and that’s what we need to address,” he said.
The NCSC has previously issued advice to senior executives on the 5 cybersecurity questions they should be able to answer in order to ensure their company isn’t at risk from hacking threats.