The AchieVer Posted February 12, 2019

Two cyber security myths you need to forget right now, if you want to stop the hackers

The wrong attitudes towards risk and complexity could leave you open to attack.

Two myths stand in the way of boards understanding the threats posed by cyber attacks and ensuring their businesses can be safe against cyber criminals and hackers. These misconceptions about cyber security were identified by Ciaran Martin, CEO of the National Cyber Security Centre – the cyber arm of GCHQ – who warned organisations: "There isn't much of an excuse any longer for not knowing about security as a business risk".

First, too many organisations still believe that all cyber attacks are targeted, meaning that unless they're specifically selected as the objective of a hacking campaign, they won't fall victim. Second, some board-level executives don't engage with cyber security because they believe it to be too complicated – in some cases even being fearful of the complexities they perceive as being involved.

Speaking at the European Information Security Summit in London, Martin warned there are still businesses which believe they will not be in the sights of cyber criminals, and so aren't at risk of suffering the negative effects of a cyber attack.

"Tell that to the Western business leaders hit by NotPetya in the summer of 2017," he said, referring to the malware campaign launched against Ukraine by Russia, which quickly spread around the world, knocking businesses offline and doing vast amounts of damage.

"The Russian target here was quite obviously Ukrainian infrastructure, but it damaged – amongst other things – British advertising and pharmaceutical companies, as well as the shipping giant Maersk," said Martin.

The impact of NotPetya forced Maersk to reinstall 4,000 servers and over 45,000 PCs, with losses caused by serious business interruption estimated at over $300m – despite the shipping firm never being the intended target of the attack.

Weeks earlier, the global WannaCry ransomware incident provided what Martin described as "an even starker illustration" of how unsuspecting organisations can find themselves the victims of a major cyber attack. The UK's National Health Service found itself an unwitting victim of the campaign, spread via an aggressive worm-like virus launched by North Korea in an effort to extort ransoms.

"That makes small, British NHS bodies a uniquely absurd target, but they were attacked and disrupted nonetheless," said Martin.

But board members believing their organisation won't actually face the risk of a cyber attack isn't the only myth which needs to be dispelled. The NCSC boss described how some boards feel it to be too complex a problem to truly understand – but pointed out that organisations deal with complicated issues every day, and that at its core, a strategy for managing cyber security isn't much different.

"When I view businesses in the UK and around the world, I'm often amazed by the sheer complexity and sophistication of the businesses and the risks that they manage," said Martin. "A company that can extract stuff from way below the ground, a company that can transport fragile goods to the other end of the planet in a really short period of time, a company that can process billions of financial transactions every hour is more than capable of managing cyber security risk".

Even simple activities like ensuring systems and software are up to date can go a long way to protecting organisations from cyber attacks.

Martin described how this could have helped organisations around the world avoid becoming victims of Cloud Hopper, a data-stealing espionage campaign which Western authorities have attributed to China's state-backed hacking group APT10. Much of the campaign was based around distributing phishing emails containing malicious Word documents which, when opened, ran macros that retrieved malware. Martin explained how, if the targeted organisations had applied the relevant patches, the vulnerabilities exploited by the attackers wouldn't have been open.

"Don't blame the people who opened the files – had the organisations been running an up-to-date Office application, it wouldn't have got through," he said.

"The fundamental point here is that the infection was able to persist and spread and do harm due to poor cyber security," Martin said.

While the APT in APT10 stands for 'Advanced Persistent Threat', the attack wasn't that advanced. "In this specific case the attack wasn't advanced, the group didn't need to be persistent and there was nothing really threatening about it – that's not good enough and that's what we need to address," he said.

The NCSC has previously issued advice to senior executives on the five cyber security questions they should be able to answer in order to ensure the company isn't at risk from hacking threats.

Source