Why Cyber Security should be everyone’s business

Professor Kamal Bechkoum

Cyber security cannot be left to the IT department alone. It demands a holistic approach from organisations and individuals alike, writes Professor Kamal Bechkoum, Head of School of Business and Technology at the University of Gloucestershire.

Published: 25/10/2018 14:27

With an ever-changing cyber threat landscape, a concerted effort is needed from everyone, based on strong national and international public-private partnerships.

5G, wireless accessibility and the Internet of Things will serve to connect some seven trillion new devices to the Internet as we enter 2019. This interconnectedness poses new and complex challenges to security.

Nation-state Attacks

Earlier this year, reports from the NCSC indicated that Russia is exploiting network infrastructure devices such as routers around the world. The aim: to lay the groundwork for future attacks on critical infrastructure such as power stations and energy grids.

In April 2018, the US and UK governments hit out at state-owned Chinese telecoms firm ZTE, with the NCSC writing to UK telecoms providers to warn that using the firm's equipment and services could pose a national security risk.

The physical damage possible as a result of these types of attacks is already clear. In August last year, a petrochemical company with a plant in Saudi Arabia was hit by an assault designed to trigger an explosion.

Threats to critical infrastructure are real. Whether it is nuclear, water, energy, aviation or defence, whether it is the health sector or financial services, the threats to physical infrastructure are serious. Last August, the FBI warned British banks that their ATMs could be mass-hacked by cyber criminals 'in the coming days'.

There is of course another type of threat from state-sponsored cyber attacks, which targets intellectual property or simply aims at disrupting the democratic process of nation states.

Attacks on Businesses

  • 18% of UK organisations don't know how many cyber-attacks they suffered last year
  • Nearly eight in 10 experienced down-time due to security incidents
  • The average number of security incidents faced by UK companies increased by 23% to 5,792

Insider threats remain one of the most worrying sources of cyber threats to businesses, and can lead to both financial loss and reputational damage (Morrisons is still paying for the data breach that was caused by a disgruntled employee).

HOW?

Permanent Residency

Threats such as these are after "permanent residency": they infiltrate the network, then lurk in its systems for years without taking any action and without being spotted. Once they have gathered enough information about the systems, and when the time is right, they deliver their attack!

Phishing

Phishing is still one of the key methods of getting into systems. Automated AI-based phishing tools are today delivering sophisticated attacks that can easily fool unaware users into clicking on the wrong link, downloading the wrong attachment, or indeed filling in forms (including sensitive data) on a fake website that looks the part!

WHAT IS THE WAY FORWARD?

Public Private Partnerships

The key to staying ahead of the criminals, however, is to combine all our efforts and intelligence. Academia and the education sector, the private sector, public agencies and law enforcement organisations have to work together and share best practice and intelligence.

"No single organisation can defend against the threat on its own and it is vital that we work together to understand the challenges we face." Ciaran Martin, CEO, National Cyber Security Centre

The supply chain should not be ignored in this endeavour!

Education, Education, Education

When it comes to cyber security, no digital infrastructure, including policies and procedures, is bullet-proof, no matter how sophisticated it is. We have to have in place education and training programmes that prepare our employees and citizens for the era of IoT.

Whether it is through bite-size training programmes, apprenticeships, or fully-fledged university degrees, the efforts of education establishments, industry and public agencies have to come together to make the nation cyber-prepared and increase our cyber resilience, with the citizen being our first line of defence.

Finally, there is no graduation ceremony

No one person, company or state will ever be fully prepared to the extent that nothing else needs doing. The threat landscape keeps changing and so must our preparedness.