lolloj - Fotolia

Cyber threat to UK business significant and growing

The UK’s NCSC and NCA publish a joint report on the cyber threats facing UK businesses, outlining the best response strategies

The cyber threat to UK business is significant and growing, according to a joint report by the UK National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

The threat is also broader than ever before, with attack surfaces being created constantly, said the report published to coincide with the NCSC’s first CyberUK conference taking place in Liverpool.

The rise of internet-connected consumer goods, digital industrial systems and online commerce, the report said, gives attackers more opportunity.

The NCSC said the Cyber threat to UK business report is aimed at informing debate on the current trends, future predictions and possible solutions.

The report reveals there were 188 high-level cyber attacks significant enough to merit NCSC involvement in the first three months of its operations, and “countless” lower-level attacks.

Robust engagement and active co-operation between government, industry and law enforcement, the report said, will significantly enhance cyber security across the UK.

The report highlights three key features of current cyber threat trends:

1. Technical expertise is not necessary to carry out attacks

Malware and services such as distributed denial of service (DDoS) are easily available for purchase and hire on the dark web and beyond. As a result, a growing number of people can launch attacks.

 2. Broadening of attack surface leading to more opportunities for attackers

The Mirai botnet is the most notorious example of this, but the phenomenon also affects mobile devices and wearables as well as industrial control systems (ICS) and other automated systems.

3. Threat actors are learning from and using one another’s skills and capabilities

Criminal groups are imitating suspected nation state methodology to attack financial institutions and more advanced actors are successfully using off-the-shelf malware to launch attacks.

Similarly, some state actors are willing to conduct financial and intellectual property theft or to conduct denial of service attacks which are more often associated with criminals or hacktivists.

The cyber threat is varied and adaptable, the report said. This stems from a mix of low-level, high volume, high-impact attacks with high-volume, opportunistic attacks where technical expertise is bought, not learned as well as highly sophisticated and persistent threats involving bespoke malware designed to compromise specific targets.

The report also warned that the lines between those carrying out the attacks are blurring with criminal groups imitating states to attack financial institutions, with more advanced actors exploiting off-the-shelf malware to launch attacks and with malware being traded aggressively on the dark web.

Game-changing cyber attacks

The report detailed five distinct “threat actors” each with their own motives, tools, techniques and capabilities.

In addition to cyber criminals, organisations face a cyber onslaught from nation states, terror organisations, hacktivists and both malicious and inadvertent insiders.

According to the report, there were five pivotal incidents that changed the security landscape in the past year that were “game changers” on a scale and boldness not seen before.

1. The cyber attack on power supplies in Ukraine

This was a “watershed incident” in cyber space, the report said, mainly because it’s the first confirmed case of cyber-enabled disruption to electricity supply on a regional scale.

2. The Bangladesh Central Bank cyber heist

This report said this was a “significant attack” because it targeted global financial services infrastructure, warning that the attacker or others are likely to try to repeat the success of this heist.

3. The US Democratic National Committee (DNC) breach

The sheer scale of the incident, the report said, highlights the vulnerability of political parties to cyber attacks intended to cause reputational damage, and businesses should take note.

4. The release of the Mirai IoT botnet source code

Using connected devices to launch historically large and sustained attacks is a step change, the report said, adding that it is highly likely that criminals will rent out the botnet to provide a premium DDoS-for-hire service.

5. The Yahoo data breaches

Although the “staggeringly” large breaches happened in 2013 and 2014, they were revealed only in 2016 and ultimately shaved $350m off the price of the Yahoo core business in the sale to Verizon.

Cyber security recommendations

Looking to the future, the report predicts that the most impactful attack will be against critical internet infrastructure such as the domain name service (DNS), that attacks on industrial connected devices will continue to increase, attribution will become more difficult and ransomware will hit connected consumer devices. 

The report recommends that UK businesses should not be defeatist. There are ways of mitigating attacks, the report said, adding that the NCSC is working with government agencies, tech companies and industry to fix some lower-level threats automatically and at scale to enable information security professionals to focus on the most damaging threats.

The report also said businesses should improve basic defences. Cyber attack is inevitable, the report said, adding that even basic cyber defences can protect against most of the attacks affecting businesses and that weak defences are likely to invite repeated attacks.

Businesses should handle all data assets as potential targets because there is a market value for all data that can be exploited by criminals, the report said. It also recommended promoting awareness of stronger basic “cyber hygiene” to customers and employees.

Businesses should be more open to sharing knowledge and expertise, as all businesses can benefit from doing so in a secure, confidential and timely manner through services such as the Cyber-security Information Sharing Partnership (CiSP), the report said.

Developing cyber skills and awareness was another key piece of advice. Partnership work between law enforcement and industry, the report said, has led to the improvement of cyber knowledge for the wider public and industry.

Finally, businesses should report the crime to Action Fraud. If cyber attacks are reported, the report said law enforcement agencies can investigate, arrests can be made and preventative actions can be taken.

CyberUK aims to be a ‘powerful platform’

Ciaran Martin, CEO of the NCSC said cyber attacks will continue to evolve, which is why the UK must work together “at pace” to deliver “hard outcomes” and ground-breaking innovation to reduce the cyber threat to critical services and deter would-be attackers.

“It is vital that we work together to understand the challenges we face. We can only properly protect UK cyberspace by working with the rest of government, law enforcement, the Armed Forces, international allies and, crucially, with business and wider society.

“That’s why CyberUK is an integral part to our ambitious agenda to make the UK a world leader in cyber security, and we are delighted to be able to share knowledge and expertise with many of our essential partners in Liverpool – the UK’s first ‘Smart City’,” he said.

Ian Levy, NCSC’s technical director, said CyberUK is aimed at providing a “powerful platform” for those entrusted with shaping and delivering information security across government, industry and critical national infrastructures (CNI) to engage in open, creative and collaborative debate.

“This is about building a community and engaging in real discussion. The conference won’t be a series of stuffy lectures and the speakers are all practitioners from across the community,” he said.

“We want to scale proven systems and create common causes across the across the entire community that will help us to put the government’s security strategy into action.”

Read more about cyber security

Read more on Hackers and cybercrime prevention