santiago silver - Fotolia
Criminals are carrying out more online attacks on UK businesses than ever before, according to the latest joint cyber threat report by the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) in collaboration with industry partners.
Publication of the Cyber threat to UK business industry 2017-2018 report coincides with the start of the three-day CyberUK 2018 conference in Manchester that is to be attended by more than 2,200 specialists from across government, industry and law enforcement.
The report details some of the biggest cyber attacks from the past year and notes that risks to UK businesses continue to grow in terms of financial loss, reputation damage and even physical harm as was seen in the global WannaCry attack that affected the NHS.
Emerging threats are also highlighted, such as theft from cloud storage and the hijacking of computers for illicit cryptocurrency generation. This is in addition to the fact that supply-chain compromises of managed service providers and legitimate software such as MeDoc and CCleaner have provided cyber adversaries with a potential stepping stone into the networks of thousands of companies.
“It is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain,” the report said.
According to the report, a basic cyber security posture is no longer enough, but most attacks will be defeated by organisations that prioritise cyber security and work closely with government and law enforcement.
The key to better cyber security is understanding the problem and taking practical steps to reduce risk, according to Ciaran Martin, chief executive of the NCSC, which was created as part of the five year National Cyber Security Strategy (NCSS) announced in 2016 and supported by £1.9bn in investment.
“This report sets out to explain what terms like cryptojacking and ransomware really mean for businesses and citizens, and using case studies it shows what can happen when the right protections aren’t in place,” he said.
The NCSC is the cyber arm of GCHQ, a leading technical authority on cyber security. Since launching in October 2016, it has responded to more than 800 incidents and its Active Cyber Defence programme has blocked more than 54 million malicious emails spoofing government departments.
Growing cyber threat
Martin notes in the foreword to the report that the past year has seen no deceleration in the tempo and volume of cyber incidents, as attackers devise new ways to harm businesses and citizens around the globe.
However, despite these threats to the nation’s security, he said he is “confident” in the UK’s ability to combat the attacks that organisations face every day. The report underlines that failure to do so could result in the crippling of smaller organisations and significant loss in stock market value for powerful multinational organisations if they lose the personal data and trust of customers.
“The NCSC’s aim is to make the UK an unattractive target to cyber criminals and certain nation states by increasing their risk, and reducing their return on investment,” wrote Martin. “We have adopted a proactive approach to dealing with the increasingly challenging cyber landscape and in tandem with the NCA are taking a proactive approach to combating cyber crime.
He added: “Together with our law enforcement colleagues from the NCA, the technical experts here at the NCSC have been instrumental in helping citizens and organisations of all sizes protect themselves with the aid of guidance and other bold initiatives like the Active Cyber Defence programme.
“My hope is that by sharing our experiences of exposure to cyber incidents, we raise awareness across the board and, as a result, improve the nation's cyber defences for good.”
The report notes that UK firms are under increasing threat from ransomware, data breaches and supply-chain weaknesses, which can mean serious financial and reputational damage.
It cites real-life case studies from businesses damaged by cyber crime, including ransomware attacks that have affected companies ranging from multinational firms to independent restaurants.
Cyber crime under-reported
While law enforcement and government have battled many cyber threats in the past year successfully, the report highlights that under-reporting of cyber crime by businesses means crucial evidence and intelligence about cyber threats and offenders is lost.
Donald Toon, director of the NCA’s Prosperity Command, which covers economic crime and cyber crime, said organisations that do not take cyber security extremely seriously in the next year are risking serious financial and reputational consequences.
“By increasing collaboration between law enforcement, government and industry, we will make sure the UK is a safe place to do business and a hostile zone for cyber criminals,” he said. “Full and early reporting of cyber crime to Action Fraud will be essential to our efforts.”
The NCA hosts the National Cyber Crime Unit (NCCU), which leads the UK’s law enforcement response to the cyber threat. NCCU deputy director Oliver Gower said the report not only underlines the fact that the cyber threat is increasing, but also that organisations and individuals have social responsibility to report cyber crime to enable law enforcement officers to carry out investigations.
However, he expects that after the compliance deadline on 25 May 2018, the EU’s General Data Protection Regulation (GDPR) will have a significant and positive effect on improving security around personal data and driving up cyber crime reporting, because of the mandatory personal data breach reporting it requires and the heavy fines that can be imposed for failing to do so.
“We are working with the Information Commissioner’s Office [ICO] around encouraging organisations that report breaches under the GDPR to also report any associated cyber crimes to Action Fraud,” he told Computer Weekly, pointing out the organisations will also be required to report to the ICO if personal data they hold is rendered inaccessible due to a ransomware attack, for example.
As a positive consequence of GDPR breach reporting, Gower said UK law enforcement is preparing for an increase in cyber crime reporting against a background of increasingly aggressive, smart and agile cyber threats.
“We are pleased with the investment we have been able to secure from government to sustain and improve the capabilities of the NCA and UK policing in general to cope with more scenarios like WannaCry,” he said.
In terms of preparing for increased cyber crime reporting, Gower said the NCA has looked at projected cyber crime levels in the context of the different grades of cyber attacks affecting UK business to calculate the resource levels required.
“So that means having more forensics officers, more intelligence officers, more investigators and more sustained relationships with industry,” he said.
At the same time as increasing capacity, Gower said the NCA is working with government on improving legislation to ensure tougher and more appropriate sentences for convicted cyber criminals to serve as a greater deterrent to would-be cyber criminals.
In the past year, he said, UK law enforcement has demonstrated its increased capacity with 100 arrests of suspected cyber criminals in 2017, a 30% increase in actions aimed at disrupting cyber criminal operations and support services such as money laundering, and more convictions and work against cyber crime than ever before.
“Policing is being modernised and as a result cyber criminals are not anonymous and we are increasing our proactive capabilities to improve our rates of arrest and conviction, with law enforcement departments dealing with cyber crime including more coders, architects and data scientists working alongside investigators,” said Gower.
According to the NCSC, CyberUK 2018 includes state-of-the-art industry and government displays on the exhibition floor demonstrating cutting-edge technology to help the UK thrive in the digital age. This is as well as a series of lectures, keynotes, panel debates and workshops relating to the NCSC’s four objectives of nurturing cyber skills and understanding, reducing and responding to attacks.