WannaCry was the breach that catapulted cyber security into the headlines last year. The NHS, an organisation close to our hearts and an integral part of our country’s infrastructure, experienced a cyber attack that brought it to its knees. 19,500 medical appointments were cancelled, the ransomware locked staff out of their computers at 600 GP surgeries, and five hospitals had to send ambulances away. However, the most significant impact of the breach was on public confidence in UK institutions’ ability to defend themselves against hackers.
Yet this was what the National Cyber Security Centre (NCSC) described as a category two incident – and a category one attack can be expected “within the next few years.” A category one attack would be defined as an attack on “inter-bank payment systems, NHS data networks and industrial control systems that monitor and operate physical infrastructure (such as nuclear power plants or railway signals)” according to The Parliamentary Office of Science and Technology.
Cyber Attacks on National Infrastructure
Crash Override was one such attack on a government energy sector. In December 2016, a cyber attack on Pivnichna substation left Kiev and its surrounding area without power for an hour in what was believed by Ukrainian officials to be a deliberate act of sabotage by Russian hackers. While not the first of its kind, the Crash Override hack was a stark reminder that attacks that happen in cyber space can have real-world consequences. In fact, the consequences could have been far worse than an hour of darkness: experts believe that it could have inhibited the kill-switch feature that keeps vital hardware from overheating, damaging transformers or other equipment. The Parliamentary Office of Science and Technology report warns that many CNIs (Critical National Infrastructure – nuclear power plants, government communication systems, defence etc.) have “legacy systems”: older technology that has been upgraded piece by piece, often relying on the less secure systems it is connected to, causing worrying chinks in the armour.
Unfortunately, the report warns that foreign hackers are regularly attempting to “manipulate public opinion, demonstrate an attacker’s prowess, conduct espionage or cause physical disruption” in the UK in addition to using ransomware for financial gain, with defence, finance, energy, telecommunications and government sectors being particular targets. The alarming thing about Ukraine’s Crash Override attack was that it could have been much worse – and it could happen here.
User Error in Cyber Security
While a category 1 attack is by definition an attack on a CNI, now is the time for everyone to be tightening up their cyber defences. For CNIs, regardless of any vulnerabilities within the digital architecture of these large organisations, employee diligence can go a long way. A report by The Boston Consulting Group found that 72% of data breaches were the result of an organisational failure, a process failure, or employee negligence. With email phishing being one of the main points of entry for hackers, anyone with an email address in an organisation has the potential to inadvertently cause a data breach or prevent one. The recent story of how soldiers using Strava, a fitness app that tracks the running routes taken by its users, revealed the location of US military bases through its heatmaps shows how data security policies in large organisations often can’t keep up with changes in their members’ online behaviour. What’s needed is a wider education on good digital hygiene for everyone in an organisation, not just the IT department.
Impact on Small and Medium Enterprises
However, it is not just CNIs and large organisations that could fall foul of a category 1 cyber attack. Small and medium businesses (SMEs) are being targeted with malware. A report by insurance company Zurich shows that almost one in six (16%) SMEs have fallen victim to a cyber-attack in the last 12 months, equating to more than 875,000 nationwide. For businesses in London, that figure rises to 23%. While the most serious and coordinated of cyber attacks may have their sights set on the larger targets, malware can spread to the suppliers, partners and customers, many of whom are SMEs. In many cases, SMEs are the intended target, as they have a reputation for weaker cyber defences that hackers can exploit or test out new malware on.
Even when not the central target of a cyber attack, if a CNI is taken out of action then there will be a ripple effect. Should an incident like the attack on Ukraine’s power grid happen in the UK, SMEs must have a business continuity plan in place in order to minimise the disruption. If the power goes out, could you contact all of your employees without the use of email? If transport is severely disrupted, will you be able to alert all your staff to warn them to stay at home? If you have thought of these kinds of scenarios and have a plan in place – are those plans accessible to everyone in the office and working from home?
With GDPR coming into effect this May, organisations of all sizes need to ensure that their cyber security is stronger than ever or face hefty fines from the ICO (whose website, ironically, was taken down on Sunday due to a crypto-mining malware attack). An impending category 1 cyber attack should be all the motivation needed for a data security revamp and extra foolproofing of business continuity plans. After all, there is no surefire way to safeguard against hackers: preparedness is the only way to minimise the impact on business.
Cyber Security Resilience
So what steps can all organisations take to ensure resilience in the event of a serious cyber attack?
- Invest in cyber security. The NCSC recommends investing in Security Incident Management, integrated into wider business continuity and disaster recovery planning.
- Make sure that the whole organisation, not just “IT”, is involved in cyber security training.
- Have a response plan ready that is available to all staff in the event of a data breach. If servers become unavailable, such as in the event of a ransomware or DDoS attack, then these plans must be available offline.
- After a breach, review the effectiveness of your organisation’s response. An attack will happen – use it as an opportunity to find out how you can become a more resilient company for it.
The Parliamentary Office of Science and Technology report estimates that cyber crime will cost the UK roughly £1-27bn per year. The Crash Override attack on the power grid in Ukraine and the exposure of military base locations by Strava users demonstrate how cyber security can have dangerous, real-world consequences beyond the financial implications. While we don’t know for sure when a category 1 attack will happen, we can be certain that it will – and every member of an organisation needs to do their bit to prepare.
YUDU Sentinel is an app-based crisis communication platform for the management of fire, terrorist and cyber attacks, or any other critical incidents. Crisis managers have immediate access to independent two-way communication (SMS, voice, email and in-app messaging) and can view key documents on mobiles. Sentinel is a cutting-edge crisis management tool. Find out more at www.yudu.com/sentinel or contact us on Twitter @YUDUSentinel.