One of the biggest challenges we face dealing with cybersecurity is the way it’s perceived as an IT issue. The reality is that cybercrime exploits gaps in security at every level. Criminals use every means available to them to penetrate a company’s defences: telephone calls; fake documents; and identity theft. Likewise, the effects of cybercrime have destructive repercussions that go well beyond the online-realm. Cybercrime may happen in virtual space but the real-world impact is very tangible.
The WannaCry crisis earlier this year is a good example of the way cybercrime can directly affect the physical world.
WannaCry is a simple piece of ransomware that infiltrates Windows operating systems. It caused huge financial losses for affected businesses - Cyence estimated the total cost in the billions - but it also shut down hospitals, halted railway systems, and closed factories and offices.
On the day WannaCry appeared, hospital staff in England were powering up their computers and finding blank screens with messages demanding payment of a ransom to unfreeze their systems. Hospitals were forced to turn away patients while they dealt with the crisis.
WannaCry wasn’t the work of some super-villain, just hackers looking to get-rich-quick. The malware itself was a relatively simple self-replicating ransomware virus that could travel across networks easily and invisibly. Ransomware has proven to be a very successful model for cybercriminals. Weighing the devastating effects of losing all their files against paying a one-time ransom people tend to feel they have got-off lightly by taking a financial loss. But the disruption and harm that WannaCry caused was on a scale we associate more with warfare than extortion.
WannaCry was a high profile incident because of its widespread effects, but it is not the only serious cybersecurity crisis to hit the headlines in recent years.
In December 2015 a widespread electrical blackout plunged Western Ukraine into darkness leaving more than 200,000 people without light or heating in the middle of the European winter.
A detailed investigation of the event revealed that the blackout was the result of a cyber-attack.
Robert M. Lee, a cyber-warfare expert and former US Air Force Operations Officer who assisted in the investigation of the Ukranian blackout, commented:
"(This attack) was brilliant. In terms of sophistication, most people always focus on the malware. To me what makes sophistication is logistics and planning and operations and what's going on during the length of it, and this was highly sophisticated.”
Following the Ukranian incident there has been widespread speculation about the possible involvement of espionage agencies in the attack. Robert M. Lee has stopped short of attributing the Ukranian cyber-attack to a specific source but is on record as saying that its complexity indicates the possibility of collaboration between cybercriminals and nation-state actors:
“This had to be a well funded, well trained team, but it didn’t have to be a nation-state. It could have started out with cybercriminals getting initial access to the network, then handing it off to nation-state attackers who did the rest.”
I refer to these high impact cases - WannaCry and the Ukranian cyber-attack - to make one main point: the problem we’re dealing with here is significant and volatile.
Countering cybercrime we need defences; plural. One layer of protection can’t be expected to do the job when the threat is so complex and unpredictable.
I spend a lot of time thinking about cybercrime as a business risk problem, so it’s easy to lose sight of the fact that the threat cybercriminals pose to companies exists as part of a much bigger picture. Security and law enforcement agencies are treating cybercrime as a national security issue because of the large-scale harm it can inflict, and yet in the business world, people are only starting to come to grips with the true scale of this problem.
The Australian Government has been proactive on cybercrime issues. Dan Tehan - former Minister Assisting the Prime Minister for Cybersecurity - is on record saying that we need to take cybersecurity ‘incredibly seriously’ and advocates a layered defence strategy.
Speaking to the press in 2016, Dan Tehan said:
"When it comes to cybersecurity, being prepared isn't just having a wall that will block and protect from attacks. Instead, being prepared means minimising risk... No police force can guarantee that they will eradicate crime completely. But we can make it a lot harder if the windows aren't open, the doors are locked, and there is a strong cop on the beat."
In the business world, we really need to evolve our thinking on cybercrime. I think that it’s important for business leaders to start thinking of cybersecurity in the same way governments understand national security (the two things are becoming one and the same anyway).
When we consider the way nation-states handle security we can see that it’s a layered strategy. There are multiple agencies protecting us from attack: police forces; intelligence agencies; the military; all these institutions provide an overlapping shield from the threats that are readily perceptible like bombings and hijacking. Government agencies are starting to adopt this multi-layered defence strategy to combat cybercrime as well.
In my recent articles about whaling and the Uber ransom incident I’ve talked about how a single cybercrime incident can result in huge financial losses. It’s hard to overstate the scale of this problem.
Prevention is the only strategy that works dealing with cybercrime. Simply running an occasional virus scan on your laptop doesn’t cut it anymore - it’s like defending yourself from terrorism by keeping a baseball bat under your bed. Most businesses are also likely to have native security provided by an email platform like Office 365, and the smart ones will layer that with a specialist advanced cloud email security solution like MailGuard.
To successfully confront the new wave of cybercrime we have to use every resource available to us, because that’s exactly what cybercriminals are doing. One means of defence just isn’t enough. It only takes one person naively clicking on one link to bring a company to a standstill.
No government would approach national security with just an army, or just a navy, or just a police force. We have multiple, overlapping security organisations because that’s what it takes to protect ourselves from complex threats. Cybersecurity is no different. No defence against cybercrime is 100% effective, but if we adopt a layered defence strategy, we at least give ourselves the best possible protection.
We have to close the gap between the sophistication of cybercriminals and the approach we take confronting them. It’s not enough to understand the threat, we have to understand our opponents. The cybercriminals seeking to attack us are the kind of people who built WannaCry. They are versatile, creative and unscrupulous.
We need to place multiple barriers in their way because it’s hard to predict the shape of their next attack.
If you would like to learn more about solving the complex cybersecurity challenges facing business leaders today, please read my book Surviving the Rise of Cybercrime. It's available to download, here.