
Businesses aren’t prepared for the new era of cyber warfare

The war in Ukraine has underlined the importance of maintaining our cyber security, highlighting the need for new cyber security provisions enshrined in law, as well as tax credits for those companies that take them seriously, writes Rich Kellen.

The daily images of bombed-out Ukrainian cities and citizens taking shelter in underground metro stations suggest that Russia's invasion of Ukraine is being played out in traditional theatres of war. The images not seen are those of cyber attacks out of Russia, and many companies around the world simply aren't prepared. We have a short window to act if we are to survive the next era of cyberwarfare.

Cyber expert Mark Burnett has predicted a hacker could, on average, guess 16 out of 1,000 passwords because the combinations most people use are so common. Some of the 50 most used passwords include 123456, password, and batman.

Similarly, the IT department at the NHS failed to install a crucial patch upgrade to their Windows Operating System, which ransomware hackers from North Korea were able to exploit. It affected 80 of 236 regional NHS trusts across the country, putting the entire system offline for several days, affecting 595 doctors' surgeries, and costing an estimated £92 million. The so-called 'WannaCry' outbreak affected over 200,000 computers in over 150 countries and cost a total of £6 billion.

Fundamentally, we should take cyber security as seriously as we take protecting our homes from being robbed.

In response to increasingly muscular sanctions, Russians are aiming for financial pressure points too. Ukraine has been a primary target so far. In the lead-up to the invasion, over 70 government websites were hit.

Cyberwarfare is also not just about hacking. When it's combined with a campaign of misinformation it can inflict lasting damage. Ukrainian citizens were said to have received fake text messages telling them the entire ATM network was down, encouraging a mass withdrawal of savings and a potential collapse of the local currency.

A popular method of attack is Denial of Service (DoS), where a system or hosting server becomes so overloaded by fake bots that it crashes the entire site for several days. Only large corporations with big servers have the resources to deal with these. Smaller companies can take a hit.

It's a lot easier for autocratic regimes to protect themselves against such attacks, as much of the internet is – theoretically – controlled by the state, as in the case of North Korea or China.

In 2011, during the height of the Arab Spring, organised largely over social media, President Mubarak attempted to block access to the global internet, only for protestors to arrange satellite and dial-up connections to get around this. All of this makes hacking more of a challenge. The West does not censor the internet and in the post-pandemic age most companies are now 'digital-first'.

Yet as a cyber security expert, I'm still shocked by the lack of basic cyber security provisions that most companies have. Many still have not put in place multi-factor authentication, good patch management, email filtering or the use of secure RDP/VPN. Most insurance companies that offer reasonable rates won't cover businesses that don't have all these bases covered. Most small and medium-sized enterprises and a surprising number of big corporations don't bother with cyber security insurance due to the requirements and cost.

Governments should put in place a minimum cybersecurity standard for companies. Only requiring robust cybersecurity for those handling government information and banking is too narrow. If a company gets hacked, the impact reverberates across society. By requiring a basic level of cyber security provision by law, we can defend our economies and society at large against the impact of warfare's latest evolution: cyber security attacks.

Yet we should not only make use of the stick but also the carrot. Just as we have done with renewable energy, we should offer tax breaks for those companies that invest in their cyber security. Asking firms to invest in cyber security overnight without financial support is unreasonable. Firms must be both encouraged and compelled by law to take cyber security as seriously as they need to.

Cyber attacks are a big threat to our way of life. Individuals and corporations must take action, but such is the threat that there must also be action at the government level. As we head into this new era of warfare, putting cyber security provisions into law, beyond just reporting, and using tax incentives to reform corporate cyber culture are critical next steps to take.

Rich Kellen is the Vice President and Chief Information Security Officer of software and cyber security firm Wind River.