Ransomware is your biggest threat, NCSC CEO tells business

As head of the National Cyber Security Centre, Lindy Cameron believes company leaders must improve preparedness and resilience by educating staff – and themselves

Lindy Cameron is a difficult person to reach. That’s understandable: as CEO of the National Cyber Security Centre (NCSC), she’s at the forefront of the UK’s fight against computer security threats. While it’s tough for a journalist to negotiate an interview, it’s reassuring that she’s dedicated to her task. 

The NCSC provides advice and support for public and private sector organisations, helping them avoid computer security threats. Cameron took the helm in October 2020, succeeding inaugural CEO Ciaran Martin, who stepped aside after four years in the job.

Ransomware presents the most immediate danger to the UK

Her assessment of cyber threats, themes and advice should be required reading for CIOs and other members of the C-suite. Indeed, on the rare occasions she has spoken in public since taking up the role, she hasn’t held back.

For instance, in March she warned of the UK’s need to be “clear-eyed about Chinese ambition in technological advancement”. Speaking in her first address as CEO, she chided China’s “hostile activity in cyberspace” while adding that “Russia [is] the most acute and immediate threat” to the country.

Ransomware: an immediate danger 

The former number two at the Northern Ireland Office has over two decades of experience working in national security policy and crisis management. She was equally forthright and insightful in October’s keynote speech at Chatham House’s Cyber 2021 conference, where she reflected on her first year at the NCSC and identified four key cybersecurity themes. The most alarming is the pervasiveness of ransomware, the scourge of business leaders.

In May, US cloud-based information security company Zscaler calculated that cybercrime was up 69% in 2020. Ransomware accounted for over a quarter (27%) of all attacks, with a total of $1.4 billion demanded in payments. And those figures didn’t include two hugely damaging breaches that occurred in 2021, marking an elevated scope for bad actors.

July’s ransomware attack on multinational remote management software company Kaseya affected thousands of organisations and saw the largest ever ransomware demand of $70 million. The REvil ransomware gang that claimed responsibility for the attack ordered ransoms ranging from a few thousand dollars to multiple millions, although it’s unclear how much was paid. The gang said 1 million systems had been impacted across almost 20 countries. While those numbers are likely to be exaggerated, the attack triggered widespread operational downtime for over 1,000 companies.

The Kaseya incident came two months after the attack on Colonial Pipeline, one of the largest petroleum pipelines in the United States. The attack disabled the 5,500-mile system, sparking fuel shortages and panic buying at gas stations. Within hours of the breach, a $4.4m ransom was paid to DarkSide, an aptly named Russian hacking group. Despite the payment – later recovered – the pipeline was down for a week.

“Ransomware presents the most immediate danger to the UK, UK businesses and most other organisations – from FTSE 100 companies to schools; from critical national infrastructure to local councils,” Cameron told the October conference. “Many organisations – but not enough – routinely plan and prepare for this threat, and have confidence their cybersecurity and contingency planning could withstand a major incident. But many have no incident response plans, or ever test their cyber defences.”

Managing and mitigating cyber risk

The sheer number of cyberattacks, their broader scope and growing sophistication should keep CIOs awake at night. The latest Imperva Cyber Threat Index score is 764 out of 1,000, nearing the top-level “critical” category. Other statistics hint at the prevalence of cybercrime in 2021: some 30,000 websites on average are breached every day, with a cyberattack occurring every 11 seconds, almost twice as often as in 2019.

Cybersecurity organisation Mimecast reckons six in 10 UK companies suffered such an attack in 2020. In her Raconteur interview, conducted a fortnight after her appearance at Chatham House, Cameron reiterated her concerns.

“Right now, ransomware poses the most immediate threat to UK businesses, and sadly it is an issue which is growing globally,” she says. “While many organisations are alert to this, too few are testing their defences or their planned response to a major incident.”

Organisations can prevent the vast majority of high-profile cyber incidents we’ve seen following guidance we have already issued

Despite the headline-stealing attacks, businesses aren’t doing enough to prepare for ransomware attacks, says Cameron. Cyber risks can and must be managed and mitigated. To an extent, CIOs and chief information security officers (CISOs) are responsible for communicating the potentially fatal threat to various stakeholders.

Cyberattacks are different from other shocks as they aren’t readily perceptible. They are deliberate and can be internal and external. They hit every aspect of an organisation – human resources, finance, operations and more – making them incredibly hard to contain.

“The impact of a ransomware attack on victims can be severe,” Cameron continues, “and I’ve heard powerful testimonies from CEOs facing the repercussions of attacks they were unprepared for. Attacks can affect an organisation’s finances, operations and reputation, both in the short and long term.”

Building cyber resilience 

CEOs can’t hide behind their security teams if breached by a cyberattack. Cameron warns that defending against these incidents can’t be treated as “just a technical issue” – it’s a board-level matter, demanding action from the top. 

“A CEO would never say they don’t need to understand legal risk just because they have a General Counsel. The same applies to cybersecurity.” 

Cybersecurity should be central to boardroom thinking, Cameron adds. “We need to go further to ensure good practice is understood and resilience is being built into organisations. Investing resources and time into putting good security practices into place is crucial for boosting cyber resilience.”

Cameron notes that the NCSC’s guidance, updated in September, will reduce the likelihood of becoming infected by malware – including ransomware – and limit the impact of the infection. It also includes advice on what CIOs, CISOs and even CEOs should do if systems are already infected with malware. 

Cameron, who was previously director general responsible for the Department for International Development’s programmes in Africa, Asia and the Middle East, echoes Benjamin Franklin’s famous maxim: “By failing to prepare, you are preparing to fail.” 

There’s a wide range of practical, actionable advice available on the NCSC website, she notes.

“One of the key things I have learned in my first year as NCSC CEO is that organisations can prevent the vast majority of high-profile cyber incidents we’ve seen following guidance we have already issued,” she adds. 

Low-hanging fruit

At the Chatham House event, Cameron acknowledged that small- and medium-sized enterprises are especially vulnerable to cyberattacks. “I completely understand this is getting harder, especially for small businesses with less capability,” she said. “But it is crucial to build layered defences that are resilient to this.”

SMEs are the low-hanging fruit for cybercriminals, as they usually don’t have the budget or the access for sufficient IT support or security. “We appreciate smaller organisations may not have the same resources to put into cybersecurity as larger businesses,” Cameron says. 

The NCSC has produced tailored advice for such organisations in its Small Business Guide. This explains what to consider when backing up data, how to protect an organisation from malware, tips to secure mobile devices and the information stored on them, things to bear in mind when using passwords and advice on identifying phishing attacks.

Criminals will seek to exploit a weak point, which could include an SME in a supply chain. Larger organisations, says Cameron, have a “responsibility to work with their suppliers to ensure operations are secured. In the past year, we have seen an increase in supply chain attacks with impacts felt around the world, underlining how widespread supply networks can be.”

Supply chain concerns

Supply chain attacks were another of Cameron’s four key themes at the Chatham House conference. Such vulnerabilities “continue to be an attractive vector at the hand of sophisticated actors and … the threat from these attacks is likely to grow,” she said. “This is particularly the case as we anticipate technology supply chains will become increasingly complicated in the coming years.”

The most infamous recent supply chain attack was on SolarWinds, said Cameron. According to the former CEO and other SolarWinds officials, the breach happened because criminals hacked a key password – it was solarwinds123. This highlights the importance of strong passcodes for companies large and small. 

“SolarWinds was a stark reminder of the need for governments and enterprises to make themselves more resilient should one of their key technology suppliers be compromised,” Cameron said at Chatham House.

The two other areas of cyber concern she promoted were the vulnerabilities exposed by the coronavirus and the development of strategically important technology. “We are all increasingly dependent on that technology and it is now fundamental to both our safety and the functioning of society,” she said of the latter.

On the former theme, Cameron said that malicious actors are trying to access Covid-related information, whether vaccine procurement plans or data on new variants. 

“Some groups may also seek to use this information to undermine public trust in government responses to the pandemic. The coronavirus pandemic continues to cast a significant shadow on cybersecurity and is likely to do so for many years to come.”

CIOs must keep this in mind as many organisations grapple with post-pandemic ways of working. This involves more remote workers using personal or poorly protected devices on unsecured networks, all of which play into the hands of bad actors.

“Over the past 18 months, many organisations will have likely increased remote working for staff and introduced new online services and devices to stay connected,” says Cameron. “While this has offered a solution for many businesses, it’s vital for the risks to be mitigated so users and networks work securely. Our home-working guidance offers practical steps to help with safe remote working.”

Post-pandemic cybersecurity 

Providing other essential advice, Cameron underlines the importance for organisations of all sizes to build their cyber resilience. 

“It’s vital that organisations of all sizes take the right steps to build their cyber resilience. Educating employees is an important aspect of keeping any business secure. Staff can be an effective first line of defence against cyberattacks if they are equipped with the right understanding and feel they can report anything suspicious.”

Businesses should put a clear IT policy in place that guides employees on best practices, while staff should be encouraged to use the NCSC’s “Top Tips for Staff” training package. 

“These steps are about creating a positive cybersecurity culture and we believe senior leaders should lead by example,” she adds. 

The NCSC’s Board Toolkit is particularly useful for CIOs, designed to help facilitate cybersecurity discussions between board members and technical experts. It will “help ensure leaders are informed and cybersecurity considerations can be integrated into business objectives”.

These conversations are now critical, as advances in artificial intelligence, the internet of things, 5G and quantum computing multiply attack surfaces. Reflecting on the NCSC’s work since its inception five years ago, Cameron says the organisation has achieved a huge amount, including dealing with significant cyber incidents, improving the resilience of critical networks and developing a skills pipeline for the future. 

“This is delivering real benefits for the nation, from protecting multinational companies to defending citizens against online harm. However, the challenges we face in cyberspace are always changing, so we can’t rest on our laurels.”