Government advisory on Cyber Threats – Why do they matter to business?
You may be aware that the National Cyber Security Centre (NCSC), the UK’s agency for Cyber Security, has recently issued a Cyber Security advisory notice related to Russia’s attack on Ukraine. The advice states that all organisations should improve their Cyber Security & resilience in response to the “heightened threat” associated with the attack.
Similar advice has also been published by other international agencies, including CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI in the US, and the Australian Cyber Security Centre (ACSC).
What may not be clear to you is why this is relevant to you and your organisation.
If you have been following the news, you will no doubt have heard about the importance of cyber activity in this and other conflicts. Cyber attacks now form a significant part of most conflicts and can materially change their course. Attacks that compromise power grids, communication networks, water supplies and other key infrastructure can be devastating to one side and a key advantage for the other. There have already been several successful attacks on banking systems in Ukraine, and attacks are ongoing.
Attacks are also happening from both sides. High profile hacking groups have publicly announced intentions to support both sides of the conflict, and have begun to attack each other, as well as key targets on each side.
OK, but why does this make Cyber Security more important now?
Given that supporters on both sides of the conflict, as well as the government agencies themselves, are launching cyber attacks on each other, why would that matter to UK businesses? The NCSC advisory itself states that it isn’t aware of any specific threat to UK organisations, so why issue an advisory at all? Why not wait until there is a specific threat (if there ever is one)?
There are three main reasons why this advice is important, and relevant to businesses and organisations of ALL sizes and in ALL sectors.
Lack of preparedness
This may or may not apply to your organisation, but a vast number of businesses and other organisations are poorly protected and inadequately prepared for a cyber attack. The NCSC is well aware of this through studies such as the annual Cyber Security Breaches Survey, and even before the conflict the UK government had been increasing its activity around awareness campaigns outlining the importance of Cyber Security & Resilience. Again though, why does the Ukraine situation heighten this threat? This is explained below, but a critical factor in the release of the NCSC advice is that improving Cyber Security & Resilience is not an overnight task. Under-prepared organisations need to act as soon as possible.
Supply chains and collateral damage
The primary concern in the short term is that the methods cyber attackers use to gain a foothold in an organisation whose systems and data they want are often not direct. Organisations other than the “primary target” frequently have their data and systems compromised as a result, either because they are being used as a “way in” to another organisation that is better protected than they are, or simply by chance.
Cyber criminals are always looking for the “weakest link”. If a sophisticated hacker or cyber criminal is trying to access the network of a well-protected organisation, then first attacking a smaller company that supplies the main target, and either shares data with them or simply communicates frequently with them via email, is often much easier. Phishing emails account for a high percentage of the initial “ways in” to organisations, and if an email can be made to look like it comes from someone you frequently communicate with (easy if the smaller organisation is compromised, because it can be sent from that organisation’s real accounts) then the effectiveness of this method increases dramatically.
The other significant risk is the unintended consequences of supply chain attacks. This has been seen before in attacks which have affected large commercial organisations such as the shipping company Maersk, and public sector organisations such as the NHS. In the case of Maersk, the NotPetya attack was attributed to Russia, with the target being Ukrainian organisations, and was launched via the update mechanism of a piece of Ukrainian accounting software. This was highly effective in compromising users of that software, which included not only Ukrainian customers but also Maersk (amongst others). The attack reportedly cost Maersk an estimated $300 million. They were not the intended target.
The WannaCry ransomware attack which caused havoc across a large number of NHS trusts in 2017 was, again, not targeted specifically at the NHS, and yet 80 of 236 NHS trusts across the UK were impacted, along with 595 GP practices. The NHS published a full report into this in 2018. The fear is that an increase in similar types of attacks and methods could adversely affect large numbers of UK organisations – even if they are not the intended target.
Escalation
The further concern is that if the conflict escalates, one of the initial forms of escalation may be cyber related, between Russia and other countries including the UK. This could lead to a significant increase in cyber attacks against UK and other international organisations. Couple this with what we’ve explained in the previous two sections, and you can see how this could quickly become very concerning for many under-prepared UK organisations.
What to do
The NCSC is an excellent source of advice, and we strongly recommend reading and following the NCSC advice. Make sure that your senior management teams and boards are aware of the advisories, and bear in mind that effective Cyber Security is not just about technical measures, but heavily reliant on people (such as awareness training) and process (such as incident response planning) related measures, as reflected in the NCSC advice.
The NCSC website also publishes a great deal of targeted advice depending on the size and type of your business which can be extremely helpful.