New assessment warns industry that cyber criminals are “imitating nation state attacks”

The annual assessment of the biggest cyber threats posed to UK businesses has been published after being produced jointly for the first time by the National Crime Agency (NCA), the National Cyber Security Centre (NCSC) and industry partners emanating from multiple sectors. The 24-page assessment – badged as “the most detailed of its kind to date” – emphasises the need for increased collaboration between industry, Government and law enforcement in the face of what’s now a growing and fast-changing threat.

The report discusses the trend of criminals imitating the way in which suspected nation state actors attack organisations such as financial institutions, and the risks posed by the ever-increasing number of connected devices, many of which are not always made secure by manufacturers or end users.

It also highlights increased levels of aggressive and confrontational cyber crime, particularly through Distributed Denial of Service (DDoS) attacks combined with extortion, as well as ransomware (which encrypts victims’ computers and demands a ransom in return for restoring control to the user).

Particularly through the contribution of the private sector companies forming the Strategic Cyber Industry Group, the report notes the cyber security challenges faced by businesses and urges them to report all cyber crime to ensure that the UK has an accurate and detailed intelligence picture.

The assessment additionally highlights the resources available to companies of all sizes, particularly the large firms which often present the most attractive targets for attackers.

The report’s findings were presented at the NCSC’s Cyber UK Conference in Liverpool on Tuesday 14 March.

Up-to-date picture of the threat landscape

Donald Toon, director for economic and cyber crime at the National Crime Agency, said: “We have worked with the NCSC and valued private sector partners to produce this assessment, setting out an up-to-date picture of the threats posed to business including ransomware, DDoS and evolving financial Trojans. These threats demonstrate the need for a collaborative response across industry, law enforcement and Government with the ultimate aim of protecting customers and the UK economy.”

Toon continued: “Businesses reporting incidents of cyber crime is going to be essential if we’re to fully understand the threat and take the most effective action against it. While 100% protection doesn’t exist, making cyber security an organisational priority and ensuring up-to-date processes and technology can protect against the clear majority of attacks. The NCA and its partners continue to have significant success against cyber crime through identifying and arresting criminals at home and abroad, working to deter young people from becoming involved in criminality and disrupting the ways in which criminals make and launder their money.”

Ciaran Martin, CEO of the National Cyber Security Centre, commented: “The National Cyber Security Centre exists to benefit the whole country. As the national technical authority for cyber security in the UK, our agenda is unashamedly ambitious. Put simply, we want to be a world leader in cyber security.”

Martin added: “Cyber attacks will continue to evolve, which is why the country must work together and at pace to deliver hard outcomes and groundbreaking innovation designed to reduce the cyber threat to critical services and deter would-be attackers. No single organisation can defend against the threat on its own so it’s vital that we work together to understand the challenges we face. We can only properly protect UK cyber space by working with others, including the rest of Government, law enforcement, the Armed Forces, our international allies and, crucially, with the business community and, indeed, wider society.”

Don Smith, technology director at SecureWorks and a representative of the Strategic Cyber Industry Group, observed: “The development of technology throughout history has given smart criminals new ways to obtain what they want: e-mail spawned the development of phishing and spam, online banking led to the creation of viruses that target bank accounts and the Internet of Things will doubtless bring opportunities for new methods of attack. Many businesses face understandable difficulties in reporting cyber crime incidents, but knowing that revealing such information might prevent further harm to their business is essential. This assessment proves that collaboration is key to protecting our assets and targeting the cyber criminals.”

Securing sensitive data

Thales, a leader in the fields of critical information systems, cyber security and data security, has just announced the results of its 2017 Thales Data Threat Report: Advanced Technology Edition, issued in conjunction with analyst firm 451 Research.

According to the report, 93% of respondents will use sensitive data in advanced technology environments (defined as cloud, Security as a Service, Big Data, the IoT and container) this year. A majority of those respondents (63%) also believe their organisations are deploying these technologies ahead of having appropriate data security solutions in place.

While concerns about data security in cloud environments remain high, they’ve dropped off since last year. In 2016, 70% of respondents voiced worries about security breaches from attacks targeting cloud service providers. In 2017, 59% expressed fears. The second biggest concern, cited by 57% of respondents, is ‘shared infrastructure vulnerabilities’ followed by ‘lack of control over the location of data’ (55%).

On the SaaS side, 57% of respondents report that they’re leveraging sensitive data in SaaS environments, which is up from 53% in 2016. When it comes to SaaS insecurities, respondents are most fearful about online storage (60%), online back-up (56%) and online accounting (54%).

Garrett Bekker, principal analyst for information security at 451 Research, stated: “Most major cloud providers have larger staffs of highly-trained security professionals than any other enterprises. Their scaleability and redundancy can provide protection from the kinds of DDoS attacks that may plague on-premises workloads. Perhaps as a result of the recognition of these public cloud security realities, security concerns overall for public cloud are now waning.”

Big Data and the IoT: big hype, big security threat?

Big Data is a big topic of conversation, so it might be unsurprising to learn 47% of respondents are using sensitive data in Big Data environments. When it comes to security, respondents cite their top fear as ‘sensitive data everywhere’ (46%) followed by ‘security of reports’ (44%) and ‘privileged user access’ (36%).

IoT adoption is even higher, with 85% of respondents taking advantage of IoT technology and 31% using sensitive data within IoT environments. Despite IoT’s popularity, and despite the personal or critical nature of many IoT tools (such as medical and fitness devices, video cameras and security systems), only 32% of respondents report being ‘very concerned’ about their data.

When pressed on their top fears, 36% of respondents cited ‘protecting the sensitive data the IoT generates’ followed by ‘identifying sensitive data’ (30%) and ‘privacy concerns’ (25%).

Although less than five years old, container environments have proven to be exceptionally popular. 87% of respondents have plans to use containers this year, with 40% already in production deployment. Similar to the emerging IoT environment (and owing to their relative immaturity), there remains a lack of enterprise-grade security controls in most container environments. Security is cited as the foremost barrier to container adoption by 47% of respondents, followed by ‘unauthorised container access’ (43%), ‘malware spread between containers’ (39%) and ‘privacy violations resulting from shared resources’ (36%).

Encryption: the security strategy of choice for advanced technologies

While advanced technologies show great promise and business benefits, they’re relatively young and, in some cases, untested. Understanding this risk, respondents are gravitating towards a proven security control – encryption.

According to the report, 60% of respondents would increase their cloud deployments if cloud service providers offered data encryption in the cloud with enterprise key control. Data encryption (56%) and digital birth certificates with encryption technology (55%) are also listed as the two most popular security options for IoT deployments. Rounding out the list is containers, with 54% of respondents citing encryption as the foremost security control necessary for increasing container adoption.

Peter Galvin, vice-president of strategy at Thales e-Security, commented: “The digital world we live in, which encompasses everything from the cloud to Big Data and the IoT, demands an evolution of IT security measures. The traditional methods are not robust enough to combat today’s complicated threat landscape. Fortunately, the adopters of advanced technologies are hearing and acting on the message, as evidenced by the number of respondents expressing an interest in or otherwise embracing encryption. Putting an ‘encrypt everything’ strategy into practice will go a very long way towards protecting these powerful, yet vulnerable environments.”

Organisations interested in both taking advantage of advanced technologies and keeping data secure should strongly consider deploying security toolsets that offer services-based deployments, platforms and automation, discovering and classifying the location of sensitive data within cloud, SaaS, Big Data, IoT and container environments and leveraging encryption and Bring Your Own Key (BYOK) technologies for all advanced technologies.

*Download copies of the 2017 Thales Data Threat Report for salient advice on cyber security Best Practice

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014.

Related Posts