Government research into cyber breaches has found that two thirds of large UK businesses were hit by a cyber breach or attack in the past year. The Cyber Security Breaches Survey (2016) urges British businesses to protect themselves from the growing threat of cyber attack. Here to comment on this news are security experts from Barracuda Networks, Digital Guardian, Intel Security, QA, Kaspersky Lab, Performanta ltd, A10 Networks and Thales e-Security.
Wieland Alge, VP & GM EMEA, Barracuda Networks:
We see multiple studies of this kind carried out across Europe – all of which show the same patterns – and yet companies are still not taking the necessary actions to protect themselves and their customers. Many companies are still ignorant to the fact that everyone has become a target. An astonishing number are still surprised that they have been attacked at all. The simple truth is that the digital transformation of crime has happened at a greater speed than the digital transformation of companies and also the transformation of cyber defence.
“That said, modern spyware and malware threats are not at all simple to defend against. The crucial change in recent years has been that traditional malware scanners cannot detect these newer advanced threats. What’s more, the increase in mobility and sheer volume of devices has exponentially increased the potential attack surface. We are in a kind of golden age for digital crime. The business has injected change at accelerating speed into all elements of IT and many organisations are simply trying to keep their security stable. It has become quite easy for attackers to find an unprotected door.
Thomas Fischer, Global Security Advocate, Digital Guardian:
“This new government study reflects the difficulty that organisations have in prioritising their IT and security budgets. In most cases, firms rush to fix the latest high profile vulnerabilities, instead of understanding what the real risk is and looking at where to best use their resources. For example, the report finds that malware or spyware is present in nearly 70% of attacks. But this is only one cog in the complete attack lifecycle. These are the methods of choice as they can be used to target an end user with phishing emails or malicious web sites. One of the easiest methods to compromise a business is to compromise an end user.
“Of particular note is the fact that only a fifth understand the dangers of sharing information with third parties. The issue of supply chain security is a complex matter. Many businesses assume that both upstream and downstream business partners are secure. But the question is how to validate this? Many believe that if their business partners are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn’t take into account any changes in the company’s infrastructure or advancements in attack techniques.
“This is why it is key to understand where and how internal employees and external contractors are using data. This means putting in place controls to ensure that data is shared in a secure manner with authentication, encryption and access rights, according to different roles and data types. Another important factor is user awareness, providing the right tools for users to take informed decisions when sharing and editing data.”
Gordon Morrison, Director of Government Relations, Intel Security:
These findings are a reminder that cyber attacks are a blight on British businesses and the wider digital economy. There are no quick fix solutions to this threat, but initiatives like the National Cyber Security Centre and the Cyber Essentials programme are a step in the right direction for raising awareness and protecting both the public and private sector from attack.
Tackling this problem requires a combination of skills training, technology investment and a strategic partnership between industry experts and government to ensure the UK is best protected against hackers.
Bill Walker, Technical Director, QA:
So far, this year has been a bumper time for cyber threats, cyber attacks and cyber crime and the government’s most recent statistics reflect exactly that. With this investment the Government appears to be taking the threat to business and infrastructure very seriously. We wholeheartedly welcome this investment. Businesses need hands on experience and training in order to prepare for the worst. They need their staff to be able to simulate and react to a real life threat in a secure physical environment.
David Emm, Principal Security Researcher, Kaspersky Lab:
In light of the Government’s research that shows two-thirds of big UK businesses have been targeted by cyber-attack, Kaspersky Lab has advice for businesses to ensure they’re protected but also prepared with a solid security strategy in place.
Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on website code and running penetration tests on corporate infrastructure. It’s also vital that companies implement an education programme, to raise security awareness among employees. It’s crucial that businesses ensure that all passwords are hashed and salted. Customers that entrust private information to the care of a business should be safe in the knowledge it is kept in a secure manner and all companies who handle private data have a duty to ensure it.
When comparing this years results to last years, this year companies were more likely to rate cyber risk as being of top/group risk at 49%, and least likely to rate it as a medium/segment risk, 25%. This has increased considerably compared to previous years, where companies were more likely to rate cyber risks as low/operational risks and least likely as top/group risks.
The best way for organisations to combat these types of cyber-attacks is at the beginning; by having an effective cyber-security strategy in place before the company becomes a target.
Elad Sharf, Security Research Manager, Performanta ltd:
The government’s recent “Cyber Security Breaches Survey” confirms what many in the UK’s cyber security industry have known for some time; that the levels and frequency of cyber-attacks on companies is rapidly increasing. There are distinct reasons for this, from the wide availability of malicious tools on the dark web, and the increasing connectivity of businesses creating many more vulnerabilities, to the prevalence of BYOD and its inherent risk. The government now plans to invest heavily in cyber-security with £1.9bn allocated over the next 5 years. However positive this reaction, it can be seen as a delayed response to the unfolding problem, since as a country we require talented cyber security professionals to mediate this challenge immediately. The UK needs more initiatives to grow the cyber security industry and combat the ongoing skills shortage in this sector, such as incentivising students to choose security as a career path. It can currently take up to 6 months to find a suitably skilled person to fill a role, this cannot continue. As every company begins to come to terms with the risks laid out in this survey, and seeks to do something about it, the government has a responsibility to make sure that there are trained individuals ready to take on this challenge. The number of threats targeting British companies will only continue to increase, and it is now the time to ensure that the strength of the industry and government’s collective response is up to the challenges the future is sure to bring.
Ron Symons, Regional Director, A10 Networks:
The latest figures on cyber security should not be this dire. The necessary defences are now available to those companies which take the initiative and invest wisely.
For example, the rise of encryption is playing a big part in the failure of security systems. Many existing solutions can’t see into Secure Sockets Layer (SSL) traffic, which makes it the perfect route to smuggle viruses and malware into company networks. In order to better protect themselves, organisations must ensure they have SSL inspection tools in place to ensure they can detect malicious activity or risk leaving a large proportion of their network unguarded.
Another contributing factor is the complexity of modern networks. The average company is now running an organic combination of on-site servers, in-cloud services and mobile devices. Add to that the rise of the internet of things and you have a major security challenge. For many companies, the task of securing so many dispersed entry points is daunting. Instead, organisations should invest in converged security solutions that consolidate the defence of multiple network and traffic types, providing IT departments with a simplified dashboard to ensure the whole network is secured.
John Geater, CTO, Thales e-Security:
With half of firms admitting they still haven’t taken action to identify where vulnerabilities are in their organisation, the next high profile breach is only around the corner.
Cyber-attacks on large companies are occurring more and more frequently and businesses must invest in robust privacy-by-design defence mechanisms – such as encryption – to protect valuable intellectual property and customer data.