"Approaches are becoming more sophisticated and access to those approaches much easier to obtain. We are increasingly seeing cyberattacks against businesses being run more like government intelligence operations."
TONY REEVES, PA CYBER SECURITY EXPERT
How big is the cyber security issue for UK plc?
Cyber security is one of the top ten threats facing UK plc and it is moving up the list at an alarming rate. The UK Government Cabinet Office estimated last year that cybercrime costs the UK £27bn every year. Government and businesses are taking the issue seriously, but it needs a response from across UK plc at every level. This is a threat that cannot be ignored as recovery may not be possible after an unprepared business has been hit.
Is the issue getting better or worse?
We are seeing the issue getting more sophisticated in approach and also broader in reach. Technical competence is no longer needed in order to conduct sophisticated attacks, and complex attacks that just a few years ago were exclusive to government agencies are now being launched regularly against companies. Quite simply, more people are able to launch sophisticated attacks for minimal cost or risk, and awareness of that threat is still at a dangerously low level.
Is there evidence that cyber criminals have become more active in recent years?
Organised crime has entered cybercrime in a big way, as cybercrime is now more profitable than drug dealing and without the costs or risks. There has been an increase in cybercrime during the recession, fuelled by ease of access to the tools and the relative ‘anonymity’ of attacks. Hacker tool kits capable of closing websites or stealing passwords are available that require no more technical skill than being able to enter a web address and click a button. Many people also see cybercrime as victimless in the same way that they view illegally downloading music files as harmless. This means that more people are tempted to dabble in cybercrime, mistakenly believing that they are not hurting anyone and will probably not get punished. It also means that cybercriminals come from different backgrounds.
And is there evidence that cyber criminals are becoming more sophisticated in their approach?
Approaches are becoming more sophisticated and access to those approaches much easier to obtain. We are increasingly seeing cyberattacks against businesses being run more like government intelligence operations. Police, courts and businesses need to keep up with this trend of sophistication. It is going to get much harder to detect and prosecute online crime as more professional criminals enter the sector and operate from countries that make UK prosecution harder to obtain.
What are the most common mistakes that businesses make where cyber security is concerned?
Quite simply, 96 per cent of attacks could be stopped if businesses got the basics right. PA Consulting Group’s recent interviews with key UK companies revealed that many fail to protect their businesses in cyberspace because they do not understand the extent of the risk to which their businesses are exposed. As a result, they are unable to make the business case for action. There is the growing feeling of, ‘we cannot do everything so may as well do nothing’. This is a flawed belief as there are many simple measures that help prevent individuals and businesses from becoming victims of cybercrime.
Are there simple, practical measures business owners can take to ensure they don't become a victim of cybercrime?
Most companies that PA Consulting Group speaks to know what most of the basic measures in cyber security involve, but fail to implement them correctly for a number of reasons. The advice is that businesses cannot look at this as a technical problem but need to consider the risks across the whole organisation.
For all businesses, it is essential to have a robust, integrated, business-led and risk-based approach to cyber security; one that inspires confidence rather than simply achieving compliance.
In short, businesses should: scale efforts in terms of what is at risk; ensure that all employees understand their role in protecting business assets; understand where their data is stored and how to protect it based on its value to the organisation; implement a strong password policy across the business; restrict physical and network access to systems; and ensure that individuals log on as themselves by destroying all anonymous or generic accounts.
Tony Reeves is a cyber security expert at PA Consulting Group.