We are at war and every organisation is in the crosshairs

The threat posed by cybercrime has never been higher, and it's only getting worse. Governments now recognise cyberthreats for the acts of war or terror that they are.

Yet many businesses are still unable to answer the simplest questions about their cybersecurity, or they assume that "IT has it covered." Why aren't businesses taking these threats seriously?

We talk to businesses every day, from many sectors, who have recently experienced a network breach, ransomware encryption, phishing attack or some other form of cybercrime. The damage is profound, the disruption can be catastrophic. But the usual business security investment is only 10 per cent of what the average breach takes from them.

Make no mistake: such attacks today are likely not to be instigated by opportunistic hoodie-wearing hackers. Since 2018, a range of attacks in the UK have been attributed to state actors or criminals, with Russia, China, North Korea and Iran all identified as sources.

It's time for business leaders to realise that, like it or not, their organisations are operating in the middle of a battlefield. It doesn't matter how small you are or which sector you operate in. In cyberwar, every organisation is in the crosshairs.

Top priority: securing the UK communications network is now a legal issue

In 2020, The Telecommunications (Security) bill introduced new laws that place responsibility on telecoms firms to increase security across the entire UK network. With billions of pounds going into the 5G and full fibre networks, this bill aims to strengthen the security framework for all technology utilised, in order to protect users and data. Fines of up to £100,000 per day will be issued to those in contravention.

This decision followed reports such as that published by the NCSC in 2018. It found that the Chinese "APT 10" attack on global networks (also known as Cloudhopper) targeted a range of UK organisations across aerospace, defence, telecoms, professional services, utilities and more. This disruptive and widespread intrusion was one of the largest to date, directed at the UK and allies with the ultimate aim of accessing trade secrets and disrupting economies.

The network is always the way in. Securing national networks should absolutely be legislated. However, it is still not enough to keep businesses safe. Industry is the lifeblood of the economy and the generator of cash, so we will always be a target. And business networks do not stand alone. They are linked via business communications, supply chains and IoT to other networks all over the world, where we are seeing similar activity.

International acts of terrorism

There was an attempt earlier this year to poison a Florida town's water supply with lye via a system breach. Then there was the $5m ransomware attack on Colonial Pipeline, which delivers 45 per cent of America's gasoline. This was quickly followed by another for $11m on JBS, the world's largest meat processor, supplier of over 20 per cent of all meat in the states.

The point is these are massive attacks on significant organisations that aim to cause huge disruption and damage. Former director of the US Cybersecurity and Infrastructure Security Agency, Christopher Krebs, warned that "everyone is in play" and vulnerable to international hacking gangs. US local government systems are among other organisations to suffer recent attacks.

The situation is now recognised as so serious in the USA, that ransomware investigations are being elevated to a similar priority as terrorism.

Your cyber resilience strategy to survive the war

Despite better government awareness of the nature of cybercrime and new legislation to help secure national communications networks, your business is still only as resilient as you make it.

Data and money make your business a target, whatever your sector, and it is guaranteed that, while you read this, your network is being attacked. This is unlike any warfare from history - every civilian and every organisation have been placed on the front lines. Your business needs to make sure it has a clear plan to cope with this relentless bombardment.

Cyber resilience is not a question of impulsively buying another piece of technology. There are no magic bullets here. You need a strategy first. One that aligns the people, processes and technology and allows you to forecast ahead through whatever new advanced, persistent threats emerge.

Start with four questions, to see how much work needs to be done:

1. Are you actively anticipating an attack, with solutions mapped to critical controls to make sure you're protected and ready when at attack occurs?
2. Are you confident your business would withstand an advanced, sustained attack?
3. What is your breach recovery plan? This should be as solid as your BCP and DR plans.
4. How do you plan to incorporate lessons learned from any breach into your future cyber resilience strategy to help it evolve?

This article was originally published in CRN, by Josh Budd in June 2021.