Cyber Breach Surveys – Yesterday's Fish and Chip Paper? Guest post from Julia McCarron

News and information from the Advent IM team.

Advent IM Director, Julia McCarron, lends us her view on the latest cyber survey…

I saw this morning that yet another Government survey has been revealed saying once again that ‘nearly half’ of UK firms had suffered a cyber security attack or breach. It seems that we are being given a very similar statistic pretty much every month, so I wonder whether we are becoming victims of cyber security fatigue.

The report claims that 46% of firms surveyed have been victims of some form of cyber security incident. It further states that amongst medium and large companies the proportion of firms affected by cyber security attacks/breaches has risen by 66% – I find this statistic interesting without further justification (I accept there may be some but not in the articles I have read).

Is it that incidents have risen? Or is it that detection of incidents has risen? That the sophistication of attacks has risen? That reporting of incidents has risen? All of the above, some of the above, none of the above?

One thing for sure is that awareness of cyber security incidents has definitely risen. How can it fail to when there seems to be some form of breach in the news at least once a week? Even over the Easter break we’ve had reports of a YouTube hack, an update to the RingGo car parking payment app exposing UK drivers’ personal details, and claims that the Foreign & Commonwealth Office has been deliberately targeted by a criminal enterprise in a 12-month phishing attack.

Is it all old news? Are we becoming immune to the incidents we hear about in the press? As cyber security specialists, I sincerely hope not. But what leads me to ask the question is a statement by Professor Andrew Martin at the University of Oxford. He stated,

“A lot of businesses have responded to the problem with a box-ticking exercise or by paying an expensive consultant to make them feel better – it’s far from clear that what people are doing is protecting them very well,”

Let’s take the first point: the box-ticking exercise. In part I would agree with this, especially amongst smaller businesses with less budget to counter cyber security incidents and less internal know-how on what to do. They want to be seen to be doing something, so they tick a box and hope they never get audited or caught out. And that’s the key thing – they hope they never get audited or caught out. We have seen some success with the Government’s Cyber Essentials scheme. Whilst not the runaway take-up that was originally hoped for, it is a good starter for 10 for businesses that want to demonstrate to their clients and staff that they are doing something. Its limitation is that, whilst the responses are validated by an external source, that external source does not validate the reality of the responses in person. Therefore, it could be seen as a sort of tick-box exercise. Statements are brief and only worth the paper they are written on, unless something goes wrong, or your supplier audits you and finds out that the controls you stated are in place are actually vapourware. Cyber Essentials Plus (the next level) does test how easy it is to get past your cyber security controls from the outside, but that test is only ever as good as the day it was carried out – threats change hourly. And it does not negate all of the other tick-box/text-box responses made.

That brings me to the ‘paying an expensive consultant to make them feel better’. As a very competitively priced consultancy that strives to bring value to clients through its services, you would not expect me to agree with this! Firstly, I’ve never known any organisation pay expensive fees to ‘feel better’. Secondly, I’m sure there are some consultants out there with the Jerry Maguire “show me the money” ethos, but the more forward-thinking of us know that’s not the way to develop business and retain clients. What having a professional, external consultant does is demonstrate that an independent source has verified your current cyber security controls against best practice, and has provided an assessment of compliance, both where it is positive and where improvement is needed. Surely, if you don’t have the internal knowledge or expertise, this is a sensible solution? And we are definitely finding more organisations seeking this kind of validation.

Our Professor also states that it’s difficult for most people to distinguish malicious emails or websites from safe ones. Again, I’m not sure I would agree with this statement in the current climate. I believe some phishing emails and malicious sites are so sophisticated that even those of us in the industry need to look two, three, four times to be sure, but there are some key things that are common sense:

• The Prince of Burundi who has hit hard times because his parents were in a fatal car crash and needs $100,000 deposited into an account … COMPUTER SAYS NO.
• The bank authentication details that have been breached, click on this link to verify your details … COMPUTER SAYS NO. Your bank will never contact you in this way as many have spent £millions telling you with TV adverts. And a dead giveaway … if it’s not your bank …. #enoughsaid.
• Emails from strange named senders.
• Anything with obvious spelling mistakes.
• Emails with no footers detailing company information.
• Websites ‘Under Construction’ or consisting of one page with very little content.
• I could go on but … COMPUTER SAYS NO.
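As an added illustration that is not part of the original post, the common-sense checks in the list above turned into a small triage script, run over constructed sample messages. The trusted-domain list and the misspelling list are hypothetical placeholders; a real deployment would feed it the organisation's own domains and a proper dictionary.

```python
import re

# Constructed sample messages (not from the original post) covering the listed
# signs: an unknown sender, a "verify your details" link, a request to move
# money, obvious spelling mistakes, and a message with no company footer.
SAMPLE_EMAILS = [
    {"from": "Prince Obi <prince.obi@freemail-example.test>",
     "body": ("My parents where killed in a car crash and I need $100,000 "
              "deposited into an account. Pleas respond urgently.")},
    {"from": "Security Team <alerts@secure-bank-login.example>",
     "body": ("Your authentication details have been breached. Click "
              "http://secure-bank-login.example/verify to verify your details.")},
    {"from": "Jane Smith <jane.smith@advent-example.co.uk>",
     "body": ("Hi, attached are the minutes from Tuesday.\n\n"
              "Advent Example Ltd, Registered in England No. 0000000, "
              "1 High Street, Birmingham. www.advent-example.co.uk")},
]

# Hypothetical list of domains the organisation actually deals with.
TRUSTED_DOMAINS = {"advent-example.co.uk", "mybank.example"}
# Hypothetical, deliberately tiny list of common misspellings.
MISSPELLINGS = {"pleas", "recieve", "verfy", "acount"}


def phishing_indicators(email):
    """Return the list of heuristic indicators triggered by one message."""
    body = email["body"]
    lower = body.lower()
    hits = []
    m = re.search(r"@([\w.-]+)", email["from"])
    domain = m.group(1).lower() if m else ""
    if domain not in TRUSTED_DOMAINS:               # strange-named sender
        hits.append("unknown sender domain: " + domain)
    if re.search(r"http\S+", body) and ("verify" in lower or "details" in lower):
        hits.append("link asking to verify details")  # "your bank" style lure
    if re.search(r"[$£]\s?\d", body) and ("deposit" in lower or "transfer" in lower):
        hits.append("request to move money")          # the Prince of Burundi
    words = set(re.findall(r"[a-z']+", lower))
    if words & MISSPELLINGS:                          # obvious spelling mistakes
        hits.append("misspelled words: " + ", ".join(sorted(words & MISSPELLINGS)))
    if not re.search(r"registered|ltd|limited|plc", lower):
        hits.append("no company footer")
    return hits


def triage(emails=SAMPLE_EMAILS):
    """Pair each sender with its indicators; an empty list means nothing flagged."""
    return [(e["from"], phishing_indicators(e)) for e in emails]
```

The point of the output is the "who do I tell" step from the post: a message with two or more indicators is one staff should forward to the security team rather than act on.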

And this is also where staff training comes in. Give them advice – it’s not so much to look for an unknown source as for one that doesn’t ring true. Make sure that if your staff are unsure they know who to ask. Nine times out of ten it just needs a good cyber security culture to be created – part reporting (who do I tell), part warning (what was that new threat ICT told me about), part awareness raising (what typical things do I look for). An effective mechanism of prevention is a two-way partnership of communication between staff and the cyber security team.

The final thing with this survey that I also wonder about is this – “The government’s survey indicates, however, that fewer businesses in 2017 consider cybersecurity to be of ‘very low priority’. It said 74% now agreed it was a high priority issue for senior management.”

I’m really not sure that we are seeing the move to Board level happening nearly fast enough. Who was asked the questions? If you were to ask the vast majority of operational managers whether this should be a Board priority, they would say 100% yes. If you asked the Board, I suspect many pay lip service to its importance because ‘The Cyber’ is probably something important, but financial risk remains the priority. Eyes are still not open to the fact that by not addressing cyber security at Board level you could lose money: through loss of business, downtime and reputational damage, to name but a few. There are still a great number of eyes wide shut when it comes to Board responsibility for cyber security. Talk in their language and show them the money implications. Then they will start listening and taking it seriously. This is one of the reasons why we are developing Cyber Security and Risk Training for Business Leaders, to raise the threat level where it needs to be raised.

So to end, another week, another survey. I hope though that we are not getting cyber security fatigue out there, that messages are getting through but more importantly to the right people. And that the next survey gives a more positive message that the awareness is paying off. No more tick boxes but instead considered risk mitigation that is effective against cyber-attacks. In the words of the loveable Sergeant Phil Esterhaus, “Let’s be careful out there”.
