National Cyber Security Centre points to increased threat in 2018, warns about impact of GDPR
Summary:
The National Cyber Security Centre’s annual report outlines the most significant cyber challenges facing business over the coming months.
Between October 2016 and the end of 2016, the NCSC recorded 34 significant cyber attacks (ones that required a cross-government response), with WannaCry, which impacted huge swathes of the NHS, being the most disruptive.
The report also notes that there were 762 less serious incidents recorded, ones that were confined to single organisations. The NCSC said that 2018 will “bring more of these attacks”.
Commenting on the release of the findings, Ciaran Martin, Chief Executive of the NCSC, said:
We are fortunate to be able to draw on the cyber crime fighting expertise of our law enforcement colleagues in the National Crime Agency.
This joint report brings together the combined expertise of the NCA and the NCSC. The key to better cyber security is understanding the problem and taking practical steps to reduce risk.
This report sets out to explain what terms like cryptojacking and ransomware really mean for businesses and citizens, and using case studies, shows what can happen when the right protections aren’t in place.
Donald Toon, director of the NCA’s Prosperity Command, added:
UK business faces a cyber threat which is growing in scale and complexity. Organisations which don’t take cyber security extremely seriously in the next year are risking serious financial and reputational consequences.
By increasing collaboration between law enforcement, government and industry we will make sure the UK is a safe place to do business and a hostile zone for cyber criminals.
Full and early reporting of cyber crime to Action Fraud will be essential to our efforts.
The report states that the most prominent threats during 2017 were the result of ransomware, DDoS attacks, massive data breaches, supply chain compromises, as well as fake news and information operations.
It pointed to a number of examples that made headline news, including the NHS WannaCry debacle, as well as the data breaches experienced at Uber, Yahoo and Equifax.
The NCSC was keen to highlight that businesses will face increased pressure to protect themselves as a result of the forthcoming GDPR regulation, which could see hefty fines imposed on those that are seen not to be taking the necessary precautions. The report states:
Cyber attacks have resulted in financial losses to businesses of all sizes. The costs arise from the attack itself, the remediation and repairing reputational damage by regaining public trust. Attacks have also triggered declines in share prices and the sacking of senior and technical staff held to account for massive data breaches.
The enforcement of the General Data Protection Regulation (GDPR) in May 2018 could, under certain circumstances, lead to severe fines for organisations which fail to prevent data breaches that result in a risk to the rights and freedoms of individuals.
Under the General Data Protection Regulation (GDPR), which will come into force from May 2018, organisations will have a duty to report to the relevant supervisory authority data breaches which are likely to result in a risk to the rights and freedoms of individuals. In cases where the risk to affected individuals is high, individuals will also have to be notified.
A notifiable breach must be reported to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach. Notification may take place in phases where investigations are still ongoing. The NCSC expects to see an increase in the number of reported cyber incidents as a result. Under GDPR, data controllers will have a responsibility for ensuring that processors carrying out work on their behalf also comply with GDPR principles.
Future risks
As well as looking over the challenges faced by organisations over the past year, the report also delves into the risks facing organisations in the coming months. These include:
- Data breaches and legislation - Data breaches make headlines, as we saw with Uber, Yahoo! and Equifax, and can lead to huge reputational damage for companies. The NCSC notes that commentators are quick to point to poor security management as the cause and it adds that this will only “increase in the coming year with the implementation of new regulations (GDPR)”. As a result, the NCSC states that organisations need to have completed risk assessments and put appropriate security measures in place. They also need to detect incidents quickly and to have planned and practised how to respond in the event of an incident occurring. Business continuity plans must be tested, and a media relations person should be ready to react to any fallout of a cyber incident.
- Cryptojacking - The NCSC states that the technique of delivering cryptocurrency miners through malware has been used for several years, but that in 2018-19 one of the main threats is likely to be a newer technique of mining cryptocurrency which exploits visitors to a website. Throughout 2017, there has been an increase in cryptojacking (that is, using an individual’s computer processing power to mine cryptocurrency without their consent). In December 2017, it was reported that 55% of businesses globally were impacted by cryptominers.
- Supply chain compromises - Criminals target commercial software, compromising end users and harming the reputation of the software providers. This is likely to continue, as these threats are extremely difficult to mitigate: users download software or updates issued by the legitimate supplier and have no way of knowing that the software has been compromised.
- Worms - Having seen the success of using worms to propagate ransomware in the WannaCry attack, it’s possible that hackers may be encouraged to use this automated and faster method of spreading malware through a network and beyond.
- Internet of Things - The NCSC’s report notes that with the number of devices connected to the Internet continually increasing, it is highly likely that we will see more attackers using the Internet of Things (IoT) to commit crimes. It highlights Gartner’s prediction that there will be 11.2 billion things connected worldwide by 2018, and adds that many internet connected devices sold to consumers lack basic cyber security provisions. With so many devices unsecured, vulnerabilities will continue to be exploited and used for activities (such as DDoS attacks) without the user’s knowledge.
- Cloud security - As more organisations decide to move data to the cloud (including confidential or sensitive information) it will become a tempting target for a range of cyber criminals, the report states. They will take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored. This could lead to high profile breaches involving UK citizen information.
My take
A useful reminder to all types of organisation that security is becoming increasingly difficult to manage and that the threats are only going to increase. GDPR puts more onus on companies to get their house in order, and rightly so. Read through the guidance offered by NCSC and the ICO and be proactive. Don’t wait for a serious attack to start thinking about why this is so important.