Cyber: caught in the headlights?
Many companies’ boards are in a state of “almost paralysis” about the cyber threat they face, says a leading online-risk expert.
The trouble is that many firms simply do not understand the digital threat confronting them.
“One CEO said to me: ‘The problem is this debate is controlling us, we’re not controlling this debate.’ That is not a good position for a [company’s] board to be in.” That is the challenge confronting many businesses today, says Brian Lord, Managing Director of PGI Cyber.
Companies may be in danger of repeating the mistakes of Y2K – when businesses spent huge sums to protect themselves against a threat that never materialised – unless they get to grips with the particular cyber threats facing them, says Lord in a video interview with Hiscox Global Insight.
“This isn’t a question of how much money you spend: it’s about how you apply that money smartly to the threats you face, rather than to a whole load [of threats] that you don’t,” says Lord. “Organisations can only manage [their cyber] risk if they understand where [it] is coming from and what information those threat actors are going to want from them.” He adds: “The threat to a large retail organisation is very different to a bank or to a defence prime [contractor].”
It is important that businesses do not overcomplicate the cyber threat they face, he points out. “At the end of the day it is a risk of doing business in the 21st century. The sooner we can manage it like any other risk the better…It will allow organisations to take their own risk management decisions, understand the threat they’re facing, and decide which risks they…are prepared to tolerate and which they will transfer.”
Zero-breach defence unrealistic
It is unrealistic for companies today to aim to prevent every data security breach, says Lord. “If you try to… stop anyone getting in then you wouldn’t be able to use your technology, which is one of the most fantastic business enablers, properly.”
Instead, Lord advocates taking a layered approach: “You put the most sophisticated layers in place around the stuff that you care about most… In some areas you will want to know what is happening 24 hours a day, [whereas] there are other parts of your system where you will worry less.”
It needn’t be very expensive for a business to protect itself from cyber attack, he asserts. For small businesses, completing the government’s “Cyber Essentials” scheme should be sufficient: “You’re removing yourself from being the lowest of low-hanging fruit for drive-by criminals – and most of them are just drive-by criminals.”
Growing cyber-terrorist threat
Government warnings that militant jihadi groups are trying to launch online attacks have stoked fears of a wave of “cyber terrorism”. In a speech in November, George Osborne said: “For our country…the internet represents a critical axis of potential vulnerability…The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost.”
Lord, who spent over 20 years fighting online threats to the UK and was formerly GCHQ’s Deputy Director for Intelligence and Cyber Operations, says cyber terrorism is simply one element of militants’ strategy. “Cyber terrorism doesn’t create terror; it can create panic and uncertainty but not terror.” But whereas there is a “high psychological barrier to entry” to committing physical acts of terror, Lord says, “if you’re talking about hacking…it is still perceived as being not that bad.”
Asked which potential targets cyber terrorists might focus on, he states: “I think it depends on how imaginative a terrorist organisation wanted to be. The inevitable targets are high impact ones that would stimulate a public reaction … [these] would be everything on which people rely in their day-to-day lives: transport, banking, electricity, gas, telecommunications.”
The potential cost of a major cyber-terrorist attack could run into billions of pounds, with some senior insurance figures warning that it could cost more than the industry can afford. But several of the “cyber Armageddon” scenarios that have been sketched out in the media are “Hollywood-esque”, Lord says, and are “certainly beyond the capabilities of just about most state actors”. At this time, he said, the most likely major attack would be “a systemic denial of service that denies [essential] services.” A terror group or hostile state could commit a strike like this “and let the public reaction do the rest,” he argues.
Skills gap a problem
The government has pledged £1.9 billion to bolster the UK’s defences against cyber attacks, including the creation of a National Cyber Centre and an extra 1,900 staff for the intelligence agencies. But the biggest challenge in defending against cyber attack is the dearth of skilled IT specialists who can stay one step ahead of the hackers, Lord says. “There just aren’t enough of them. It’s not that… there’s a pipeline of them coming through.”
Protecting the country against cyber attack is “a joint effort between the government and private sector,” he concludes. “The key thing is how information about cyber threats and cyber attacks can be shared. Information sharing is an area that has been advocated by the government, and it has done a lot to set up mechanisms to do that, [but] they are probably still not utilised most effectively. I think the point is how willing organisations are to share that they have been attacked.”