One of the biggest challenges for industries trying to adapt to cyber threats is the fact that they are essentially trying to deal with the unknown, according to Robert Wainwright, senior cyber partner at Deloitte and former Europol chief, who received a knighthood in 2018 for services to policing and security.
“And as a result, they are going from one notable cyber security incident to another and reacting each time, but essentially they need to get a bit more on the front foot and anticipate better where the next blow will come from,” he told Computer Weekly.
To that end, Wainwright said there needs to be a better, more systematic engagement in threat intelligence, and businesses need to adopt a strategic principle of resilience rather than be influenced by security suppliers and consultants that drive the sales of products and services through fear.
“I am astonished that there are not better, more mature versions of industry threat-sharing platforms – and with law enforcement of course – to use data and networking to understand better the nature of the threat and how it dynamically changes on a daily basis.”
Resilience, he said, is about recognising that the threat will never go down to zero and that cyber attack at some point is inevitable, and then assessing what investments need to be made in detection systems to identify attacks as soon as possible and in response capabilities to absorb that blow when it comes.
“There is a whole set of resilience type measures that are important for any company, and those are the things that matter most to the executive boards that I deal with.”
At the same time, Wainwright said that in many organisations, basic information security standards are still not being met, which is why the government-backed Cyber Essentials scheme is a good thing, adding that the not-for-profit Global Cyber Alliance (GCA) has something similar specifically for small businesses.
The GCA Cybersecurity Toolkit, he said, provides good, simple advice for achieving an adequate level of security on a limited budget. Further underlining the importance of getting security basics right, Wainwright said the volume end of cyber crime remains opportunistic in nature, where things like ransomware are used against low-value targets in high volume to generate criminal profit.
“This approach is still working and growing because some of the Cyber Essentials requirements very often are not met in large tranches of industry, allowing cyber criminal groups to be lazy and exploit the same unpatched vulnerabilities time and time again. That is why we still see so many data breaches, particularly in the health sector, because of the richness of the personal data in the sector.”
Alongside that, however, Wainwright said there is also a perceptible trend towards direct targeting of internal networks to overcome more advanced defences. “And there we see a growing footprint of state actor capability, sometimes to make money, but very often for destructive impact.”
This nation state activity or sponsored activity represents the top tier of offensive cyber capability, said Wainwright. “That is very difficult to defend against and it is beyond Cyber Essentials territory.”
Another key aspect of the cyber threat, he said, is that the world has become increasingly interconnected in a digital ecosystem. “The lengthening of global supply chains has made it very difficult to contain ourselves from the threat of accidental infection, even with advanced security controls.”
Top level executives, especially in the finance industry, are most concerned about the risk of catastrophic loss, according to Wainwright.
“They understand they will always have to contend with data breaches, and while these will always be messy and uncomfortable and will now be accompanied with GDPR issues, these are par for the course. But what really worries them is the impact of catastrophic loss. I think there is an existential element to cyber security these days that needs to be factored in.”
In financial services, however, the approach of protecting things by default is fairly widespread, in contrast to most other industry sectors. “This reflects a systemic problem we have in industry, where the voices of the leaders of the cyber security practice are generally not very well heard in the right places.
“That’s because it has grown from a bottom-up approach from a very non-mainstream part of the business into something that suddenly represents this catastrophic risk.
“As a result, many companies are struggling to get the right governance fit, the right leadership model and the leadership personality to meet the very challenging requirement of understanding tech and driving the business, while at the same time being someone who is adroit in business management in terms of working horizontally across all parts of the business, including external stakeholders and the board. It is a big task to find those people because they generally do not exist.”
And the ability to understand cyber risk as part of business risk varies from industry to industry, according to Wainwright. “In critical infrastructure industries, it has to be taken a lot more seriously – and probably is – as well as in the financial sector definitely.
“However, in telcos I would expect it to be better than it is. There are problems to be fixed. That is pretty clear in the warnings coming out of GCHQ and NCSC in the recent controversy around certain technology companies from other countries and 5G.
“The point that government is making is that there are some pretty essential things that we have to fix today in that industry, and I would agree, based on what I see. I think the investment in cyber security could also be a lot better in the health industry, but that is an industry where funding issues are a dominant part of the play, and there are many other industries where it is not yet in the right shape.”
In light of concerns about catastrophic cyber incidents, Wainwright said it is a good idea for organisations to join those that are investing in resilience capabilities, to ensure that if they are hit they are able to recover. An important part of resilience, he said, is ensuring organisations have the right backups and that all suppliers meet basic security standards.
“Supply chain integrity is really important. Organisations need to know who they are dealing with and what security controls those third-party suppliers have in place because we are seeing more incidents where attackers are coming in through some third-party back door.”
In addition to resilience and supply chain security, Wainwright said organisations need to have a good understanding of what digital assets they have and how they might be vulnerable as well as understanding their adversaries.
“Few seem to really understand why a malicious state actor might hit them and what the most recent trends are in the dark web around the cyber toolkits and services that are being traded in enormous quantities.
“I am surprised there are not better industry platforms for this. There is a lot of talk of those, but we have not done much of it [information sharing]. In many industries there is some disquiet about doing that because of competitive concerns, but cyber security needs to be a non-competitive part of an industry that is normally defined by competition.”
While there have been some good public-private initiatives around cyber threat information sharing, Wainwright said these are pretty niche. “I don’t see this as a mainstream part of the architecture response and it should be.
“When I speak to CISOs, CIOs or to board members of many industries they say that is a good idea and there is a lot of reasoning and thinking that that would be good, but they don’t know how to go about it, so I think to an extent, it is still virgin territory and it shouldn’t be.”
Another key piece in cyber defence that Wainwright would like to see more widely adopted is the use of data analytics.
“It’s not as if organisations haven’t realised there is real power to be had by combining data, and it has been used for tremendous commercial effect in another part of the forest, but it can be used for tremendous impact on security as well,” he said.
Most of the leaders in this regard are in the financial sector. “Just by combining cyber fraud and money laundering data, for example, organisations are able to see all the non-obvious connections in criminal activity that were not apparent before, and this concept seems to be gaining traction.
“The more disparate information sets that you can patch together – social media, dark web forums, IP addresses – the more you start identifying these non-obvious connections. When organisations and industries make connections across multiple data sets, it can be extremely powerful.”
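The "non-obvious connections" Wainwright describes are what link analysis across separately held datasets produces. The following is an added illustration, not code from the article, from Deloitte or from any product he mentions: it joins three small, constructed record sets (fraud alerts, anti-money-laundering cases and login logs, all with fictional account ids and documentation-range IP addresses) into one identifier graph, then reports fraud and AML accounts that end up in the same connected component even though no single dataset ever places them together. The field names and the datasets themselves are assumptions made for the example.

```python
"""Link analysis over disparate datasets: constructed example.

Each dataset alone shows isolated cases; joining them on shared
identifiers (accounts, IP addresses) surfaces links none of the
individual datasets makes visible.
"""
from collections import defaultdict, deque

# Constructed sample records (fictional; field names are assumptions).
FRAUD_ALERTS = [
    {"account": "ACC-1001", "ip": "203.0.113.10"},  # card-not-present fraud
    {"account": "ACC-1002", "ip": "203.0.113.11"},
]
AML_CASES = [
    {"account": "ACC-2001", "counterparty": "ACC-2002"},  # structuring pattern
    {"account": "ACC-3001", "counterparty": "ACC-3002"},
]
LOGIN_LOGS = [
    {"account": "ACC-1001", "ip": "203.0.113.10"},
    {"account": "ACC-2002", "ip": "203.0.113.10"},  # AML counterparty reuses the fraud IP
    {"account": "ACC-3001", "ip": "198.51.100.7"},
    {"account": "ACC-1002", "ip": "203.0.113.11"},
]


def build_edges(fraud, aml, logins):
    """Turn every record into an edge between two typed identifiers."""
    edges = []
    for r in fraud:
        edges.append((f"acct:{r['account']}", f"ip:{r['ip']}", "fraud"))
    for r in aml:
        edges.append((f"acct:{r['account']}", f"acct:{r['counterparty']}", "aml"))
    for r in logins:
        edges.append((f"acct:{r['account']}", f"ip:{r['ip']}", "login"))
    return edges


class UnionFind:
    """Disjoint-set forest with path halving; nodes are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def connected_components(edges):
    """Group every identifier into the cluster it is transitively linked to."""
    uf = UnionFind()
    for a, b, _ in edges:
        uf.union(a, b)
    comps = defaultdict(set)
    for node in uf.parent:
        comps[uf.find(node)].add(node)
    return [frozenset(c) for c in comps.values()]


def non_obvious_links(fraud, aml, logins):
    """Return (fraud_account, aml_account) pairs that share a component
    but never appear together in any single record."""
    edges = build_edges(fraud, aml, logins)
    fraud_accts = {f"acct:{r['account']}" for r in fraud}
    aml_accts = {f"acct:{r['account']}" for r in aml} | {
        f"acct:{r['counterparty']}" for r in aml
    }
    direct = {frozenset((a, b)) for a, b, _ in edges}
    found = set()
    for comp in connected_components(edges):
        for f in fraud_accts & comp:
            for m in aml_accts & comp:
                if f != m and frozenset((f, m)) not in direct:
                    found.add((f, m))
    return sorted(found)


def explain_path(edges, src, dst):
    """Shortest chain of identifiers connecting src to dst (BFS), or None.
    This is what an analyst needs to justify a link found above."""
    adj = defaultdict(list)
    for a, b, _ in edges:
        adj[a].append(b)
        adj[b].append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    edges = build_edges(FRAUD_ALERTS, AML_CASES, LOGIN_LOGS)
    for f, m in non_obvious_links(FRAUD_ALERTS, AML_CASES, LOGIN_LOGS):
        print(f, "->", m, "via", " -> ".join(explain_path(edges, f, m)))
```

Run on the constructed data, the fraud account ACC-1001 is linked to both accounts in the first AML case through a shared login IP, a connection invisible to either the fraud team or the AML team working from its own dataset alone. Real deployments differ mainly in scale and in the care needed around identifier quality (shared NAT addresses, for instance, link many unrelated accounts, so such pivots need weighting or exclusion).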