The board of directors had some hard decisions to make. The company had just taken over a hydro-electric power plant.
The office IT systems and the SCADA industrial control system were connected to the internet, and all were potentially at risk from hackers and viruses. There was little, if any, security in place.
Welcome to the City of London Police’s cyber security simulation game. Unveiled this week as part of the force’s Cyber Griffin programme to help companies in the Square Mile improve their security, the game is designed to encourage company boards and their IT teams to think and prepare for security problems before they happen.
Acting as directors, we had an annual security budget of £100,000 and a wide range of options to spend it on. Firewalls, anti-virus, CCTV, asset audits, threat assessments, operating system upgrades and security training – we needed them all, but with a limited budget, we had to prioritise.
Everyone chipped in with their thoughts:
“We could go for the basics like anti-virus first, and then do a threat assessment later.”
“We also need CCTV because we don’t know who is working there.”
“We need a firewall in the office as well because they are all on Facebook at lunchtime.”
“What about the risks of GDPR [General Data Protection Regulation]? If our customers’ emails are hacked, we could be exposed to huge fines, which would put the company out of business.”
“So we have really nice employees that look really lovely, bringing cakes in for everybody, who are actually planting devices everywhere?”
The discussions were both thought-provoking and maddening. Whatever choice we made, we were, by default, leaving another part of the business vulnerable.
Ben Shreeve, previously at Lancaster University and now part of the cyber security group at Bristol University, developed the game to help business leaders understand the complexities of cyber security.
The power plant is made from Lego, and players can choose to spend their annual security budget on a sometimes bewildering range of options, represented by coloured playing cards.
Make the wrong decision, and you risk being hacked, attacked, fined by regulators, and potentially going bankrupt.
Many companies have taken part in the game over the over the past two years, and it has attracted interest from police forces outside the City of London, include the Metropolitan Police and regional forces.
Charlie Morrison is a sergeant in the City of London Police’s cyber crime unit. He encourages board directors to play the game with their IT security staff as part of the Cyber Griffin programme.
“There is a fair bit of friction between the CEOs and the IT guys,” he said. “The IT guys are fundamentally frustrated by the fact that they need the CEOs to understand the problems. The CEOs feel it’s a fundamentally technical issue. And each of them, through their own experiences, feels that the other is at fault.”
After two hours, board members start to view their IT specialists in a different light, says Morrison. They realise that security is a board issue, but the company’s reputation and mission are in the hands of the IT department.
“We think the game is a really good way of starting to get the decision-makers in those businesses thinking about the concepts behind cyber security,” he said. “The game is really good at getting you to think about those things ahead of the day.”
There has never been a greater need for cyber security training. The number of data breaches, many orchestrated by state-sponsored organisations, reached record levels last year, according to research by the National Cyber Security Centre.
The companies affected included Yahoo, which admitted that three million customers had been affected by a breach in 2013, and Equifax, where personally identifiable information on 145 million US users and 700,000 UK users was compromised.
Many of these attacks start not with technology, but with people, and the mistake many boards make during the simulation is to focus too much on technological solutions. Many attacks begin with criminals sending out phishing emails, which attempt to trick members of staff into opening documents that are linked to malware.
Organised criminal gangs and nation-state-sponsored groups can go to extreme lengths to research a target on social media to create an extremely convincing spear phishing attack.
“We have come across an incident where there was some shoulder surfing – someone in a room in a coffee shop, listening,” said Morrison. “That is something that, to my knowledge, has happened but it is very rare.”
Morrison has met companies that have fallen victim to a sophisticated phishing attack, in which a criminal had sent an email purporting to come from the CEO requesting the immediate transfer off hundreds of thousands of pounds to a bank acccount. The scam – known as CEO fraud – is surprisingly common, and it is not unusual for companies to lose huge amounts of money.
In another case, a criminal walked into an office with a cleaning kit, saying he was there to clean the Macs. The next day, the company discovered 20 computers were missing.
But cyber crime is difficult to police. “You can’t necessarily arrest your way out of the problem because of the transnational, electronically multiplied way it operates,” said Morrison. “You also have difficulty in finding victims because of the under-reported nature of the crime.”
But initiatives like the City of London Police’s cyber security game can make a big difference. The main cyber security threats are: script kiddies, who use off-the shelf hacking tools to find vulnerable IT systems; hacktivists, who are politically motivated; organised criminal groups, who are out to make money; and nation states.
“If I was looking at any other area of policing, I would be looking at very different tactics to try to combat them,” said Morrison. But in cyber crime, the same defences have an impact against all of the attackers. “That is a huge opportunity,” he added.
The City of London Police’s Cyber Griffin programme aims to help companies in the City become better prepared to respond to cyber attacks. That includes sending specialist trainers into companies to talk to them about their business continuity plans. The programme will cover threats and recovery plans, assist the company in how it views risks, and what it needs to do to reduce them.
Another area where the City of London Police believes it has something to offer is teaching businesses how to use police decision-making techniques during a live, high-pressure cyber attack simulation. Companies that take part can expect the attackers to have done their homework, and to have come prepared with social engineering attacks that they can use against the company executives.
“It is going to be stressing the decision-making process,” said Morrison. “The end result would be that the company has had a chance to drill their plan, and if they find it useful, to use police mechanisms for making decisions.”
Help for CISOs
The third element of the programme is what Morrison calls a “brains trust” for chief information security officers (CISOs). There are many industry groups out there that specialise in sharing intelligence about security threats, but Morrison sees the group as playing more of a support and advice role.
“One of the things that the police can offer is that we are entirely neutral,” he said. “One of the things in cyber security is that everyone is trying to sell you something. We are bringing a group of experts together that make a really eclectic team that you can trust. When you come for advice, we can ensure it is fair and impartial.”
The group will bring together police cyber crime specialists, network security experts and other highly skilled security gurus, alongside CISOs, from companies in the Square Mile.
“My feeling is that CISOs are in incredibly high-stressed roles, people who are desperate to advance their company’s security in an area that is not very well defined at the moment,” said Morrison.
“This group is about help and support. If we get intel sharing as a result, then I am incredibly happy with that, but I don’t want people to feel that when they come to the group, they are going to get pumped for information. I want people to go there and genuinely get help that they can trust, to go away and make their organisation safer.”
Morrison said he is ready to move quickly, but wants to see what companies in the City feel they need most before deciding how to allocate resources. He has already built up a network of companies and contacts though his work in the cyber crime unit.
But back to the game – and our small group of directors decide to call in consultants to audit our assets. The results are frightening: every operating system is out of date, unpatched and vulnerable.
Worried about huge fines under GDPR, we decided to spend our remaining budget upgrading our sever and encrypting the data on our PCs. Shreeve replaced our old systems with shiny new pieces of Lego.
We waited nervously as Morrison reported back:
- The WannaCry virus has somehow made it onto your network. All computers in your office have been locked with ransomware. You decide to pay the ransom, a total of £5,000. Luckily, this unlocks all of your computers and you get all your data back.
- A university student who is studying information security stupidly decided to practise hacking by trying to hack into your company. He could not believe how easy it was, that a company like yours did not have a firewall. Luckily, he is a future white hack, and he decides to report you to the news instead of stealing from you. The story has a negative impact on sales akin to £12,000.
- A board script kiddie decided to practise hacking by trying to hack into your company. He could not believe how easy it was to hack in as you did not have an office firewall. Unfortunately, he is a future black hat hacker, and decides to intercept payment requests via an email provided by a remote access Trojan. He ends up committing a mandate fraud to the tune of £17,500.
But it could have been worse – by the end of the game, the company has survived and is still in business and the defences deterred some of the worst attacks. All the directors agree that next time, they would do things differently.
Bill Goodwin took part in a cyber security simulation run by the City of London Police as part of the force’s Cyber Griffin security programme for businesses in the Square Mile.