BY : CAROLE O’BRIEN
As CYBERUK 2022, the UK Government’s flagship cyber security event, closed its doors for this year, there was a clear message: cyber-attacks are increasing and we need to act now. Reports also indicate that the Russia-Ukraine war has continued to escalate the cyberattack risk, and businesses must measure, assess, plan and deliver their security now.
MITIGATE CYBER RISKS DURING THE RUSSIA-UKRAINE CONFLICT.
The first attacks carried out by Russia toward Ukraine did not come from a gun; they were fired from a keyboard. In an effort to engage the enemy and increase success on the battlefield, Russian military commanders have targeted Ukrainian banks and defence networks with destructive cyberattacks.
Although this started off as traced attacks directed at Ukraine, news is growing of the known Russian-linked hackers ‘Killnet’ declaring war on the 10 countries that have stood up to Putin. This includes the UK, and already there is evidence of DDoS (Distributed Denial of Service) attacks against the Italian Police and a failed attempt during the Eurovision Song Contest, and the list is growing daily. Supply chains seem to be disproportionately affected, and with the continued disruptions caused by Covid-19 the effects could be even greater.
This may all seem irrelevant and beyond the worry of a smaller business, but everyone needs to act. Your data is spread across everyone you deal with, and the spiderweb of data spread goes far beyond the first connection. We all rely on the defences of others, just as our employees, customers and suppliers rely on our security to help protect them. You will see ‘Increase your alert and monitoring sensitivity, stay informed, but do not over-react’ or similar across many cybersecurity news and cybersecurity supplier updates, but this advice assumes a business that already has good security in place. So what happens if a business is not at that level already?
LOW HANGING FRUIT
The news that hits the papers is about the large corporations, huge ransomware attacks, and catastrophic effects. This is only the tip of the iceberg, and to believe that nothing is going to happen to you, or not to plan a security strategy, is extremely risky. As with a fruit tree, it is easier to pick the lower fruit even though it may not be as big as the fruit at the top. When you do take the time and effort to reach the top, you make sure everyone knows, yet the overflowing baskets picked from the bottom are not mentioned. Unfortunately, hackers also employ this principle. Most attacks are neither particularly sophisticated nor aimed at a specific company. Rather, a hacker’s reward comes from grabbing what they can easily reach, thanks to the sheer numbers.
WHAT MAKES A BUSINESS A LOW HANGING FRUIT?
The chance that your business will be affected at some point by a cyberattack is significant, but there are a number of key indicators that increase your risk even further and raise the resulting damage. Lack of knowledge, mindset, and misaligned or missing processes are areas that need to be addressed. Below is just a sample of the things that make a business an easier target and/or give the consequences a greater impact.
- Having systems or software that are not up to date on software updates/patches
- Not having a register of hardware, software and data assets
- Thinking their data is not valuable or a hacker would not be interested in them
- Having a ‘principle of hope’ philosophy
- Relying on your supply chain, customers, and employees to have good personal security
- Does not have a security strategy that is reviewed, assessed and measured regularly
- Has a single layer or inadequate security system
- Does not have visibility on incoming and outgoing traffic
- Does not communicate with 3rd party security providers adequately to have an understanding and measure of their provision
- Siloed departments having autonomy including purchasing new software and applications
- Does not have a contingency plan to disconnect high-risk external connections
- Has not adapted security to encompass hybrid/home working
- Does not educate all end users of the risks and current threats
- Does not have a cyber attack response plan, insurance or budget for an attack.
All of the above can be addressed promptly, and companies must do more for cybersecurity and expand their digital know-how. The reasons why the risks have increased do not really matter, but the understanding that they have does. So does the realisation that doing nothing is not an option, as the effects go far beyond our own businesses. There will be costs involved in taking your business higher up the tree, but the costs of being proactively as secure as possible are minimal in comparison to the effects, both commercial and reputational, on your business.