Emily Moore spoke to cyber attack experts Lynne Capie and Dougie Grant about the effects of digital security breaches and why things are likely to get worse before they get better
MOST of us probably have one or two key confidantes with whom we share details about our lives, but we are also increasingly aware of the risks of sharing personally identifiable information online and the need to control who has access to our data.
For 40 million UK voters, though, this control was taken away from them following one notable cyber attack, when their personal information was accessed by hackers and exposed. And this, as Soteria director Lynne Capie and Nihon Cyber Defence managing director Dougie Grant say, was not an isolated incident.
Indeed, the pair – whose companies have recently formed a strategic partnership designed to help businesses and organisations to prepare for, and respond to, a cyber attack – say that the threat of such an incident is “one of the greatest risks facing companies today”.
“It is really important to be aware of the continually evolving risk that cyber attacks pose to organisations and to prioritise and manage this risk effectively,” said Dougie. “As state actors are increasingly turning to cyber crime, and attacks are becoming ever more sophisticated, it is vital that businesses address this threat at board level. It is not just an issue for the IT department to manage.”
Illustrating this point, Dougie highlights the UK government’s classification of cyber crime as a “tier-one national security threat”, putting such attacks on the same level as terrorism. And this, as Dougie explains, is not just because a ransomware attack has the potential to bring a business to its knees.
“The impact on a business can be catastrophic, as we saw earlier this year when KNP Logistics, one of the UK’s largest privately owned logistics firms, blamed a ransomware attack on its collapse,” he said. “But the consequences can be much greater. In the case of Hackney Council, the breach affected healthcare, stopped any house purchases from taking place for nearly 12 months and impacted people’s benefit payments.
“Meanwhile, attacks on schools and universities have affected the studies of hundreds of thousands of students, while attacks on utility companies have had devastating impacts on entire communities. It’s a regularly cited example, but the ransomware attack on Colonial Pipeline led to fuel shortages for millions of US residents and businesses.
“Outages and service-delivery impacts such as these are far more harmful than any damage caused to an organisation’s IT systems.”
And Jersey is not immune to these incidents, with many local businesses and schools having been targeted recently.
“We know that Island businesses are under constant attack and we have seen some very large offshore cyber attacks here over the years,” said Lynne. “With cyber crime constantly evolving and Jersey being a key offshore finance centre, it is inevitable that any business holding data will be attacked at some point.”
The severity of that attack will, say Lynne and Dougie, depend largely on the defences that the business has put in place – and these defences are not, they stress, limited to technical solutions on the network.
“While having the right measures in place across your IT systems is important, that is only one element of the plan,” said Lynne. “To be fully prepared, all of your stakeholders need to be aware of their roles and responsibilities in the event of an attack. Protocols and plans need to be in place across the organisation and, critically, these protocols need to have been agreed at board level.
“Not only is it important to have a plan in place, but that plan needs to be rehearsed, so that everyone has the capacity and resources to deliver in the areas they are responsible for. It sounds very basic but it can make all the difference to a company’s response.”
Another key factor to consider, says Lynne, is communication.
“You have to establish and agree your battle rhythm,” she said. “How are you communicating? What is happening and when? You have to control the communications narrative and that means managing your stakeholders’ expectations, and ensuring that both your colleagues and customers know what is happening.”
This, she stresses, is particularly important when it comes to protecting an organisation’s reputation.
“When you look at the finance industry, the digital environment in which it operates means that it is very quick and easy for clients to move money and funds around,” she said. “If your organisation’s security is compromised, it will not take long for your clients to relocate their structures. Promoting a message of safety and security is key in reducing this risk, which can be achieved through empowering your colleagues with the right information to reassure your customers.
“Once your internal and stakeholder communications are sorted, you then need to consider the media. We all know how quickly news can travel, so keeping the media updated is critical in ensuring that you remain in control of your own narrative.”
While communication is a core part of the incident response, training about how to recognise and respond to a breach is also vital, adds Dougie, whose company is among a handful of UK businesses to hold the National Cyber Security Centre Level 2 Cyber Incident Response accreditation.
“While you can, and should, have all sorts of technical defences and monitoring tools in place, it is not just the technical teams who need to be alert to any attacks,” he said. “Anyone logging in and seeing a suspicious-looking email in their inbox needs to know how to react. And if someone does click on a link in a phishing email, not only do you need the technology in place to detect and contain that breach, but every staff member needs to know how to respond.
“In so many cases, we come across instances of ‘shelfware’, where an organisation has drawn up a plan, put it on a shelf and forgotten all about it. That can be devastating.”
But with so many demands on people’s time, it is perhaps unsurprising that, despite a growing awareness of the risks of cyber crime, many organisations are still not as prepared as they should be.
“To try and gauge just how prepared the Island is, the Cyber Security Centre for Jersey [formerly CERT] is carrying out a survey which includes SMEs, the hospitality, charitable and finance sectors to see what measures organisations have in place and to identify any gaps,” said Lynne.
But with the risks constantly evolving, how do businesses prepare for ever-increasing levels of attack?
“Although the technology is always moving on and the geopolitical landscape is leading to a higher number of threats all the time, when it comes to preparing for an attack, it doesn’t really matter to the victim who the attacker is,” reflected Dougie. “Whether you come up against a hacktivist, a hostile state or a financially motivated cyber crime group, the defences and response planning needed are the same. They are all malicious actors, using the same tactics to penetrate your systems, and attributing blame is not the first priority.
“Instead, communication and identifying how the criminals entered your network, and whether they are still there, should be first. You then need to patch the network to ensure that they can’t get back in before thinking about how to reduce the impact that any data exposure may have.”
Only when those steps have been taken, and the attack has been reported to the relevant regulatory and law-enforcement bodies, do attribution and investigation enter the equation and this, says Dougie, is a particularly difficult and sensitive area.
“Our crisis negotiators can advise businesses on whether to engage or disengage with the hackers,” he said. “This is a very tricky area, as every group has different motivations, but it is something that we can look at on a case-by-case basis.”
Indeed, with cyber attacks now forming part of countries’ war strategies as well as being used to extort money from organisations, there is nothing straightforward about this area.
“In many ways, we are only at the start of the cyber security journey, and the risks and challenges are only going to escalate over the next few months and years,” said Dougie.
“Although it’s not what businesses want to hear, this is a situation which will only get worse before it gets better. It really is only a matter of time before an organisation is attacked.”
Against this background, Soteria is hosting a round-table event on 29 November, with speakers including Lynne, Dougie, Jersey Cyber Security Centre director Matt Palmer and JT global head of risk and security Peter Lescop. Anyone who would like to attend this event should contact Soteria to register their interest.