The MJ turned to BT’s top cyber security experts, Mike Pannell and Neil Mellor, for comments on the findings of the latest reader survey. Their insight comes from decades of personal experience and BT’s expertise as a global network provider. BT employs a 2,500-strong cyber force, providing round-the-clock security for itself and its customers, including parts of the UK’s Critical National Infrastructure. This gives them a unique perspective on cyber threats, with the resources and tools to help us all stay one step ahead.
How do you expect the frequency and severity of cyber-attacks to change in the near future?
Mike Pannell, chief technology officer, cyber and secure systems, business and public sector, BT: High profile global malware and ransomware attacks like WannaCry will continue and should not be ignored. However, in 2018, the proportion of such attacks will continue to decline, with easier techniques such as imposter fraud, credential theft, the stealing of passwords etc. now being used more often; local authorities are unlikely to be exempt from these threats.
Stolen account credentials are increasingly used to commit targeted attacks. For example, a number of hospitals were compromised with ransomware contained in email from doctor ‘A’ to doctor ‘B’ about patient ‘C’. There is an implied trust in emails from people we know and there is a greater success of malware getting through.
Imposter fraud is very easy to commit, and neither local authorities nor their citizens are immune from impersonation. Even without stolen credentials, many organisations’ email systems offer little protection, such as domain-based message authentication, reporting and conformance (DMARC), against fraudulent email from a person in authority asking for money to be transferred to a client account.
Increasingly, citizens are looking to use social media to communicate with organisations. A person may tweet ‘how do I pay my council tax’ and get a response from @NewcastleCC giving details of where to send payment. A mechanism is needed to detect fake social media accounts falsely representing your name or organisation.
Nobody can confidently predict all the likely outbreaks in 2018, but the ingenuity of attackers is tremendous. Continually changing threats require a comprehensive approach to cyber security; without a broad investment in security improvements, councils remain at risk.
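The DMARC protection mentioned in the answer above, as an added example that is not part of the interview and not BT's tooling: a small Python grader that parses a domain's DMARC TXT record and reports the settings that leave the domain open to impersonation (no record, a monitor-only p=none policy, partial enforcement via pct, a weaker subdomain policy, no aggregate reporting). The sample records are constructed; looking up the real `_dmarc.<domain>` TXT record is deliberately left out so the script runs offline.

```python
"""Grade a DMARC record for how much anti-impersonation protection it gives.

Added illustration, not from the article. Tag names follow RFC 7489; the
records in SAMPLE_RECORDS are constructed examples, not any real domain's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    valid: bool                 # would a receiving mail server honour the record?
    policy: Optional[str]       # p= tag: none / quarantine / reject
    subdomain_policy: Optional[str]
    pct: int                    # share of failing mail the policy is applied to
    reporting: bool             # rua= present, so aggregate reports arrive
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag->value dict (tags lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return the findings a defender would act on for one DMARC record."""
    if record is None:
        return DmarcAssessment(False, None, None, 0, False,
                               ["no DMARC record: receivers cannot reject spoofed mail"])
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment(False, None, None, 0, False, [f"unparseable record: {exc}"])

    findings: List[str] = []
    # v=DMARC1 and p= are mandatory; without them receivers ignore the record.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        findings.append("missing v=DMARC1 or p= tag; receivers will ignore the record")
        return DmarcAssessment(False, tags.get("p"), tags.get("sp"), 0, "rua" in tags, findings)

    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()        # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))      # pct defaults to 100 when absent
    except ValueError:
        pct = 100
        findings.append("pct is not an integer; treated as 100")

    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail has the policy applied")
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return DmarcAssessment(True, policy, sp, pct, "rua" in tags, findings)


# Constructed sample records (example.invalid is a reserved, non-routable name).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial":      "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforced":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name}: p={result.policy} pct={result.pct} findings={result.findings}")
```

Only the "enforced" record comes back with an empty findings list; the others show the gaps that let a forged "from the chief executive" email reach the inbox. In practice the record string would be fetched from DNS and the grader run against every domain and subdomain the organisation sends mail from.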
Neil Mellor, director, BT security: The frequency, intensity and complexity of cyber-attacks have escalated very significantly over the past two years and we can expect this to continue in the near future. The commercialisation of cyber-attack tools and information is making it possible for non-experts to rent attacks, such as distributed denial of service (DDoS) or malware, as a relatively inexpensive service from highly organised crime organisations. This puts damaging cyber weaponry into the hands of any individual or group. Organised cyber-attacks increasingly use multiple attack vectors such as surveillance and social engineering, as well as exploiting technical vulnerabilities, so our defences need to be equally holistic, covering physical, people and cyber aspects in order to be effective.
How can organisations put in place the right technology and staff awareness/action – and how can this be kept up-to-date in the face of a changing landscape of threats?
Mike Pannell: To be truly ready to withstand a cyber security threat, a culture change is required. It will be unlikely to happen overnight, but continuous education on the risks of dark data will slowly change staff’s habits of collecting and storing data they do not need, thus averting the risk of exposing their organisation to the cyber threats. More measures need to be urgently put in place to raise staff awareness. Recent research by Accenture Research showed that 55% of British workers can’t recall receiving cyber security training, while a fifth weren’t sure they could identify a phishing email.
Accenture found that 70% of employees who received training said that it improved their ability to respond to cyber threats with a quarter believing that training provided more effective protection against phishing scams than having the authorities do more to track down cyber criminals.
Neil Mellor: The starting point of any defence strategy should always be a sound assessment of the risk faced by an organisation, detailed knowledge of information held, its value and location, and an accurate inventory of IT assets and their vulnerabilities, which should be constantly scanned and refreshed. Armed with this information, the right technologies, processes and skills can be invested in to mitigate the cyber risk to an acceptable level.
Any final thoughts or comments on the actions local councils should consider?
Mike Pannell: First of all, preventative hygienic measures don’t cost much – simple mandatory online training for all staff could be an easy and cost-effective answer to the increased threat.
Secondly, General Data Protection Regulation (GDPR) should not be a revolution over existing best-practice data handling policies, and those organisations who already had robust policies are likely to find GDPR a small and non-costly step.
GDPR is a great opportunity for organisations to conduct a data detox, i.e. to review the data they hold and decide which data they actually need. With the upcoming data protection reform, the GDPR, data should not be kept longer than necessary. There must be an organisational policy on data retention and hopefully policies are in place across organisations to check their main email storage. Collaboration tools like SharePoint can help employees store and locate data easily, and organisation-wide email archiving will support data discovery and storage. If staff can easily locate relevant material, they won’t feel compelled to hoard data ‘just in case’, and the GDPR framework will be slightly easier to comply with. When you know the data you hold, you can take steps to protect it.
Crucial to this is a philosophy of ‘security by design’. Security tools should not be seen as an extra cost – the digital transformation which councils across the UK are relying on to transform public service delivery implies that the new digital ecosystem is designed with security at its core. This is exactly what GDPR encourages organisations to do – to build security in by “design”.
Neil Mellor: The resources committed to cyber defence need to be commensurate with identified risk to any organisation. That risk should be quantified in terms of, for example, potential fines – i.e. GDPR, Information Commissioner’s Office – and loss of important or sensitive information, damage to critical infrastructure or services, loss of public confidence or reputational damage. If this can be made explicit it makes decisions by board members or elected officials more objective in allocating scarce budget resources between competing priorities and enables a balanced risk profile to be maintained.
It is not just about investing in up-to-date technology. A more comprehensive approach is needed. For any organisation, cyber security must feature near the top of the CEO agenda.