“But one thing I always try to get across to boards is that this is a manageable risk,” he told the FT Cyber Security Summit Europe in London.
“It differs from other risks that they are used to, but it is manageable. And while it can’t be mitigated 100%, it can be mitigated.”
A useful approach with boards, said Hannigan, is to get them to understand that cyber attackers are mainly serious, organised, collaborative and that they understand data and how it can be monetised.
“Getting boards to focus on data and really understand what their attackers are likely to do is the most effective way of getting them to approach this in a way they understand.”
The two big lessons of 2017, said Hannigan – whether that be from WannaCry, NotPetya or Equifax – are that if organisations do the basics they can escape most of the worst attacks, and what really differentiates a “serious incident” from a “catastrophe” is how it is handled.
“This includes how the incident itself is handled, how the damage is limited, what has been done in advance to limit the damage, and how the organisation communicates with regulators, customers and media,” he said, adding that Equifax was the “poster child” for how not to do it.
Expect cyber threat to worsen
Looking to the future, Hannigan said businesses can expect “more of the same”, with attackers using the same sorts of tools going forward.
“But critically, I think they will get better at using them. WannaCry was a reasonably sophisticated tool, but used rather ineptly. Attackers will get better at using such tools, and there are also far more sophisticated tools out there, and they will start to use them too,” he said.
Without a doubt, said Hannigan, the technical sophistication of the threat is going to get worse, which is related to the growing overlap between state and criminal cyber attacks.
“In many of the attacks in 2017 it was clear that they were not purely criminal, but state-directed in some way, which is likely to be an increasing trend,” he said.
Greater state involvement in cyber attacks, he said, is likely to bring yet more sophistication and increase the likelihood that attacks will be destructive in nature and result in more collateral damage, in the way that the NHS was part of the collateral damage caused by the WannaCry attack.
“The critical thing is that there are players out there now behaving badly enough not really to care, either because they have no stake in the international system, or they are willing to live with a threshold of collateral damage and unintended consequences to achieve their goals,” said Hannigan.
Next, he underlined the threat posed by the internet of things (IoT), saying that while it is a “wonderful opportunity” it is also going to amplify all the existing security challenges.
“There will have to be greater regulation of hardware and software, and in the short term greater self-regulation. Companies will have to take responsibility for making sure the procurement decisions they make around CCTV cameras, for example, are made with cyber security in mind because they cannot afford to wait for regulations to be introduced,” he said.
Hannigan then highlighted the fact that insider help is a feature of many attacks, ranging from ideological actors, through disgruntled employees, to negligence and incompetence. “This is all about human behaviour,” he said, which has to be factored into any cyber defence plan.
“Further out is terrorism. We know that individuals in groups like ISIL [Islamic State], mostly because they are young men, love the idea of destructive [cyber] attacks, but are a long way from having the capability.
“But, as always with terrorism, intent and capability will meet at some point, so businesses, particularly CNI [critical national infrastructure providers], have got to ensure they are protected against this kind of attack before then,” he said.
Find new cyber security talent
Finally, Hannigan said organisations needed to help tackle the shortage of cyber skills in the short term because it would take a long time for the education sector to improve the flow of cyber skills.
“In the meantime, there is a pool of people in every organisation who have the aptitude, enthusiasm and skills that needs to be identified and tapped into to plug the gap in the short to medium term.
“We can’t continue poaching talent with ever-increasing salary offers. This is unsustainable. Instead, we need to encourage the people who like doing this and give them the right skills.
“We need to keep finding new ways of identifying talent, and it doesn’t have to be just people in their 20s. There are people mid-career and returning to work who have an aptitude and an interest in doing this, and we really have to tap that pool if we are to make any progress,” he said, adding that a greater focus on attracting women into the profession was needed.
Collaborative effort to improve protection
Hannigan said he was “reasonably optimistic” because although it might get worse for a while, he believed it would ultimately get better for a number of reasons.
“It will get better because there is a lot of investment going into cyber security that there wasn’t in the past that will start to pay off, there is great academic research going on in many countries like the UK, and governments, telcos and ISPs have understood that we have got to rebalance this by doing some of the stuff we have expected individuals to do.”
For far too long, said Hannigan, there has been an unrealistic expectation that individuals should be able to manage every aspect of cyber security. “We have got to do more at an international, national and enterprise level,” he said.