In Focus
Cybersecurity

The dos and don’ts of PR when an attack hits home

Royal Mail and the US Federal Aviation Administration both suffered serious incidents in January. How do the experts rate their efforts to keep external stakeholders informed during their respective crises?

It’s widely accepted that the risk of falling victim to a cyber attack has become just another part of doing business. But, especially in sectors where good customer service can give firms a competitive edge, the key to preventing a breach from causing excessive reputational harm is to communicate effectively with your stakeholders about the problem. 

In January, Royal Mail was hit by a ransomware attack that prevented it from sending parcels out of the UK. The nation’s biggest postal service came under intense media scrutiny, yet it took a week for its CEO, Simon Thompson, to confirm publicly that the ongoing disruption had resulted from a directed cyber assault. 

Another January incident, affecting the US Federal Aviation Administration (FAA), was so serious that flights had to be grounded. In scattered communications, the government agency insisted that it had yet to find any evidence indicating that a cyber attack had caused the outage in its air traffic control system. Several weeks on, little further information has entered the public domain.

Customers expect prompt, clear and honest communication when the services they’re depending on are disrupted, which is not always easy for an organisation to provide while it’s still trying to clear up the mess. What did Royal Mail and the FAA do right and wrong – and what lessons in emergency comms can these cases teach us?

The impact on the public

Experts agree that the responses of both organisations could and should have been clearer. While they did make statements, their initial outreach was “vague, which led to speculation and left the public frustrated”.

That’s the view of Jan Quach, global director of customer success engineering at cybersecurity specialist Logpoint. He believes that, when a provider’s services are seriously disrupted, it should publicly acknowledge the problem immediately. 

“It isn’t necessary to state the cause at this stage, but you do need to say that matters are under investigation,” says Quach, who adds that it’s also important to tell customers when they can expect an update. “Neither Royal Mail nor the FAA did that, which fuelled the rise of online theories and negative stories.”

Yet there can be understandable reasons for a slow PR response, especially if an attack involves ransomware. The inner workings of most large organisations tend to have “many moving parts, outsourced services and bespoke systems, which all add to the drag factor”, notes Chris Boyd, lead malware intelligence analyst at Malwarebytes. 

Royal Mail’s reaction time was “roughly on par” with those of other big enterprises that have faced similar situations, he says. “If an organisation grinds to a halt or announces a cyber attack without immediately going into details, there’s a good chance that a few days of silent damage analysis and containment will precede a mention of ransomware.”

Lauren Wills-Dixon is a solicitor and expert in data protection at law firm Gordons. She agrees with Boyd that, when a cyber incident occurs, it can take time for the victim to understand the full extent of the problem with any level of confidence.

This factor can make stakeholder comms difficult and it’s usually why the initial message is vague, Wills-Dixon says. “Only after technical teams have worked to understand what has happened with certainty will more details filter through.”

How victims can improve their responses

Unclear post-incident comms can usually be attributed to the lack of a highly developed, well-rehearsed crisis response, argues Stephen Bailey, who leads the global privacy practice at cybersecurity consultancy NCC Group. 

In Royal Mail’s case, its CEO’s lengthy radio silence “resulted in the narrative centring on the missteps of the organisation’s response, rather than the attack itself”, he notes, adding that better preparation would have helped both Royal Mail and the FAA. 

“This means having an actionable crisis plan in place and an agreed decision-making hierarchy,” Bailey says. “If you believe you’ll need external support – such as a hotline for affected parties or a dedicated response and recovery team – ensure that they’re on a retainer and can be activated immediately.”

Preparation is especially important when speaking to the media. “If you’re putting a spokesperson forward, whether that’s the CEO or someone in a comms role, ensure that they’re fully briefed. Otherwise, there’s a risk that they’ll look as though they’re evading questions,” he says, pointing to Thompson’s uncomfortable experience at a hearing of the Commons select committee on business, energy and industrial strategy last month.

Bailey would advise any firm to decide now on the communication style it would use in the event of a serious cyber breach. Its leaders need to ask themselves questions such as: “Are we going to be as transparent as possible or share only what’s absolutely necessary without obfuscation?”

He also recommends training a small team to be the first point of contact for external stakeholders seeking information about the incident. 

“Be consistent with your communications,” Bailey urges. “Include what happened, how it’s being addressed and what measures will be taken to prevent future incidents.”

Wills-Dixon cites the recent attack on JD Sports as an example of strong post-incident communications. “These were honest, apologetic, solution-focused and not overly technical,” she says.

The legal considerations

There are also statutory requirements such as the EU update to General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 to take into account in the event of a breach. Factors influencing post-incident comms include whether personal data is involved, whether hackers have exploited the data and whether people’s rights are at risk, Wills-Dixon explains. 

“If there is a significant risk, the organisation must work hard to reassure its customers and mitigate the reputational damage,” she stresses.

In the UK, any security breach involving personal data must be disclosed to the Information Commissioner’s Office. “The obligation is to report within 72 hours, even if there are still unknowns surrounding the incident,” Wills-Dixon says.

Overall, the most effective response will involve a holistic and “big-picture” approach to stopping the attack and mitigating its impact. This includes containing the breach, restoring data, dealing with communications, seeking expert guidance, undertaking legal reporting and avoiding a silo mentality. 

To avoid lasting damage to your brand’s standing when a cyber attack hits home, speed of communication is key, according to Wills-Dixon. Such incidents are likely to “result in a temporary reputational hit”, she says, “but it is better for organisations in the longer term to be open, sharing details and controlling the narrative as soon as they can, rather than burying their heads in the sand.”

How to stop the bad guys winning the arms race

Threat actors are becoming increasingly diverse, cooperative and sophisticated. Keeping them at bay demands a focus on ‘security hygiene’, systematic risk analysis and information-sharing

Fuelled by human intrigue and technological experimentation, cybercrime has become a global industry, turning over an estimated $1.5tn (£1.24tn) last year.

The adoption of advanced technology by civil society has always been mirrored by those seeking to use it for unlawful purposes. As internet usage proliferated in the noughties, cybercrime started to become a lucrative business and an item on boardroom agendas, but a new kind of threat has emerged in recent years.

High-profile incidents – including the WannaCry ransomware attack that froze NHS systems; the Stuxnet worm that damaged Iran’s nuclear programme; and serious data breaches at Target, Yahoo and Equifax – have shown that cybercrime has become a full-time enterprise for activists and state-backed actors as well as felons.

Some of these entities are collaborating and trading tools and services anonymously on the dark web. It all points to a growing professionalism of cybercrime, where groups are structured like enterprises and have been known to advertise jobs, offering up to $20,000 a month for highly skilled practitioners.

“There has almost been a democratisation of threat actors,” notes Jonathan Jaffe, CISO at US-based insurer Lemonade. “You have a variety of simplified services, requiring fewer skills and making the field more accessible to threat actors. Out of that, you get interesting, complex, organised institutions.”

New attacks show growing criminal sophistication

Such democratisation has also given cybercriminals the chance to increase the scale and efficiency of their attacks. Security researchers have found early experimentation with conversational AI tools such as ChatGPT for phishing scams, the use of cloud platforms to automate attacks and the adoption of bitcoin for untraceable financing.

The use of ransomware grew faster in 2022 than it had in the preceding five years combined, according to Verizon’s Data Breach Investigations Report. It’s no wonder when the business model – infiltrate a firm’s network, encrypt all the data and extort payment to unlock it – continues to prove successful.

Newer lines of business have been burgeoning too. Under the cybercrime-as-a-service (CaaS) model, malware developers, hackers and others market what they can do online, for instance, with ‘access-as-a-service’ offerings selling entry into corporate networks that have already been compromised. 

Such a high level of criminal sophistication is proving a headache for both businesses and governments. Taking down the complex infrastructure that supported the Hive ransomware required the combined efforts of law enforcement agencies in 13 countries, for instance.

The problem has led some key institutions, such as the World Economic Forum, to suggest that the cyber defences of many businesses, governments and individuals are being rendered obsolete at an alarming rate.

Christopher Adjei-Ampofo, CIO and CISO at digital trading platform Uphold, has witnessed such sophistication at close quarters. Criminals recently spoofed his firm’s hiring process, writing job adverts, conducting online interviews and sending employment contracts, thereby fooling prospective recruits into thinking that they’d been selected. These ‘employees’ all bought laptops and shipped them to the threat actor in the belief that they were following instructions to send their devices to Uphold for configuration.

“There is an army of people – and they are so sophisticated,” he says.

Intricate scams of this type do at least seem relatively rare. Jaffe says that low-level ID phishing and port-scanning attacks are the most common, while Ash Hunt, CISO at financial services firm Apex Group, reports that “about 90% of the loss exposure I’ve seen is driven by accidents. It’s death by a thousand cuts – the tiny issues that are low in severity but high in frequency.”

How can CIOs and CISOs respond to the heightened threat?

Vicki Gavin, head of information security at education firm Kaplan International, argues that maintaining an effective defence comes down to ensuring good ‘security hygiene’. This entails regularly reviewing your systems and procedures.

“You don’t just install a lock on your front door and think ‘my work here is done for the next 25 years’,” she says. “You’re constantly re-evaluating whether you have the right protections in place. Whether you’re talking physical security or cybersecurity, it’s the same thing.”

Technology and security chiefs have long extolled the virtues of taking a layered defensive approach. This is espoused by the US National Institute of Standards and Technology’s ‘identify, protect, detect, respond, recover’ framework, which recognises that remediation is as important as detection.

There’s an understanding that there is no silver bullet to cybersecurity, but a belief that an effective defence starts with people rather than technology.

The CIO, or the CISO where a firm has one, must have boardroom accountability for security and enough budget to invest in the necessary resources and introduce security principles earlier in the software development cycle. Robust awareness programmes should send a strong message that cybersecurity is everyone’s responsibility.

“You’ll need to engage the hearts and minds of your board colleagues,” Gavin stresses. “And you don’t make that happen just by quoting stats.”

Hunt believes that CISOs and CIOs must take a more analytical approach to risk if they’re to stand any chance of mounting an effective defence against each fast-developing cyber threat.

“They need to do risk analysis modelling, a decision-based approach under which they can work out which events are most likely to occur and generate the highest amount of loss,” he says. “They can then use that information to inform investment decisions.”

CIOs and CISOs should also mandate and lead routine incident-response exercises, while their regular engagement with the boardroom on security matters can build trust, improve alignment and even encourage more investment. Jaffe recalls that, when he worked as a cybersecurity consultant, he had a client in clothing retail. “At that company, the board said: ‘Here’s $60m – don’t be the next Target.’”

Yet he believes that broad cooperation among the potential targets of cybercrime is the best way to keep the collaborative criminals at bay. To this end, Jaffe wishes that state agencies, security vendors and supply chain partners would share more intel. He accepts that there is understandable resistance to doing this, especially among organisations that have fallen victim to attacks. 

Such businesses will “only want to make public what information they’re obliged to reveal, for PR or regulatory reasons. So that does prohibit organisations from sharing useful knowledge before their peers are also hit.”

Adjei-Ampofo agrees, citing a case where Uphold identified someone who’d stolen a customer’s assets. The firm worked with the trading platforms to lock those funds, but the money eventually had to be released on a legal technicality, partly because the FBI’s response was too slow. 

“That”, he says ruefully, “was a lost window of opportunity.”

Can legislation defend against ransomware attacks?

Defence against cyber attacks is increasingly difficult as cybercriminals develop ever more sophisticated methods and their attacks are more frequent. Is legislation now a necessity?

Even as it was winding down last year, the infamous Russian-based gang behind the Conti ransomware mounted successful attacks on Costa Rica’s public institutions in a bid to foment a popular uprising. The government of President Rodrigo Chaves refused to pay up, but it had to declare a state of emergency to deal with the fallout. 

Another Russian-linked group, the prolific LockBit ransomware gang, has attacked more than 1,000 organisations worldwide and extorted at least $100m (£83m) to date. Among its targets in 2022 was a children’s hospital in Canada, although it apologised for that attack and gave the victim a free decryptor in a rare show of conscience. 

Since the start of the Covid pandemic there has been a huge increase in the frequency of such attacks. The ransom demands tend to be onerous. Despite this, the victims – terrified of data loss and the associated legal and reputational costs – often give in to them. Proofpoint data indicates that 82% of UK organisations hit by ransomware attacks in 2021 chose to pay up. 

Showing a determination to crack down on the increased threat from cyber attacks, the US and UK governments recently announced joint sanctions against seven Russian individuals linked to the prolific Trickbot cyber gang. The sanctions make it illegal to make ransomware payments to Trickbot and are a first of their kind.

But demands for new laws that would prevent companies from paying any ransoms or require them to report ransomware attacks are becoming more insistent. Legislators around the world have been debating what to do about this. 

Proponents say that this is a common-sense way to discourage attacks, but others argue that this risks re-victimising businesses and that monitoring and enforcing such regulation would be tricky. 

The US’s increasingly strong stance against ransom payments

One of the places these conversations are playing out is the US, where officials are increasingly concerned by the criminal activity that ransomware payments help fund. 

“In the context of the Ukraine-Russia conflict, bad actors waging cybercrime campaigns are a threat not only to networks and data,” says Julie DiMauro, director of compliance training at Compliance Week and adjunct professor at the Seattle University School of Law, “but they further a crisis that the US is actively trying to assuage.” 

By paying ransomware demands, companies could unwittingly be breaking sanctions or, in the US, engaging with individuals or organisations listed on the US Treasury’s Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List. In 2021, OFAC issued this advisory notice: “The US government strongly discourages all private companies and citizens from paying ransom or extortion demands.”

DiMauro notes that directives not to make ransom payments “further valuable national security goals, such as curbing terrorist financing”.

Senate bills such as the Cyber Incident Reporting Act of 2021, which stipulate that companies would have to report all ransomware incidents, have so far failed to pass Congress, but states are taking the issue into their own hands. North Carolina and Florida have both banned state government entities from paying ransoms connected to ransomware attacks, while similar legislation is under discussion in states like New York.

Ransomware regulation in the UK

In the UK, the Network & Information Systems Regulations dictate that service providers and operators of essential services must report cybersecurity incidents of “substantial impact” to the UK’s Information Commissioner’s Office (ICO). Examples include when an incident results in a loss of confidentiality of data and affects more than 15,000 UK users. Last July, the ICO and NCSC both urged companies not to pay ransoms and requested that solicitors stop facilitating those payments. Meanwhile, the UK government is proposing new laws on cybersecurity standards. 

Right now, cybersecurity insurance that covers ransomware payments – and the fact that ransomware payments are tax-deductible in some countries – normalises ransomware payments as simply the cost of doing business in the digital age. 

“I would like to see a law in the UK that would ban ransom payments,” says Subhajit Basu, associate professor in information technology law at the University of Leeds. “Not just that, I would like to see much tougher regulation – if possible, outright banning – of cryptocurrency operations as most ransom payments happen through them.” 

A major argument against companies paying ransoms is that, on average, only 65% of the data is recovered after the organisation pays for the decryption tool, and only about 8% of organisations that pay manage to recover all of their data. Even so, many point out that legislation preventing payments would be difficult to enforce and might end up penalising the companies least able to recover from attacks. 

“Criminalising what [companies] may see as their remaining route to recovery is arguably serving to further punish organisations for falling victim to the threat,” says Steven Furnell, professor of cybersecurity at the University of Nottingham. He notes that whether making ransom payments illegal would act as a deterrent depends on what penalty the crime would incur. “If the organisation has suffered a significant incident that may otherwise jeopardise a large amount of business, then paying a fine may seem a small price in comparison.” 

The best offence is a good defence

Ultimately, prevention is the best solution, and experts such as Basu argue that the government must do more to help businesses fortify their cybersecurity measures, for example by implementing multifactor authentication systems. 

At a minimum, though, most argue that ransomware incident reporting is a crucial intermediate step. Right now, many companies choose not to share whether they have fallen prey to an attack, meaning that there’s a dearth of accurate data on this. “Disclosures would help to reveal the full scale of the threat, which could help to shape the level of resources made available to combat it and support potential victims,” says Furnell. 

David Wall, professor of criminology at the University of Leeds, advocates taking lessons from how the financial sector tackles fraud. Businesses should be encouraged or compelled to form an independent body to which they could report both attacks and their impacts (for example, data loss). 

“Cyber-extortionists exploit the stigma of a ransomware attack by playing to the psychology of fear of potential embarrassment and business backlash of having to report compromised systems or a breach of privacy,” says Basu. 

A culture of data-sharing and collaboration could help change that. 

The road to zero trust

Digital transformation and distributed workforces are two of the defining features of modern work. Both have benefited employers and employees alike, but they present a significant security risk. In response, many organisations are adopting a zero-trust strategy. This is a security model, based on least-privilege access and repeated ID verification, that assumes by default that anyone seeking to access a network is hostile until they can prove otherwise. How do IT professionals envision the development of this model and what challenges do they face in implementing it?

At Davos this year, Sadie Creese, a professor of cybersecurity at the University of Oxford, warned of "a gathering cyber storm". The rise in cyber attacks over the past few years and the increased frequency of attacks on core services like air transport, health and energy supply, have been well publicised. But this remark highlighted how perfect the current conditions are for a major cyber attack - and just how severe the consequences could be. Indeed, research from the World Economic Forum found that 91% of respondents believed a catastrophic cyber event was likely to happen within the next two years.

The high level of risk has motivated many tech leaders and security chiefs to embrace a zero-trust model. These decision makers expect zero trust to support strategic business goals like digital transformation and cloud adoption, but the main benefits are thought to be a modernised cybersecurity programme (51%) and a reduction in the number of cybersecurity incidents (43%).

As of 2022, 30% of organisations had implemented a zero-trust strategy. Fifty percent were either actively planning a zero-trust strategy, or were at least considering its use. Only 20% of firms had no plans to utilise zero trust. Gartner, a management consulting company, predicts that by 2025 60% of organisations will use zero trust as a starting point.

For those not sure where to begin, the most important tools for zero trust are single sign-on for employees, multi-factor authentication and an employee directory connected to cloud apps, according to respondents that have already adopted those tools. Throughout 2023, security leaders will be prioritising secure access to APIs and privileged access management to cloud infrastructure.

Of course, businesses face a number of hurdles in implementing zero trust. Funding is unsurprisingly a significant barrier, but the number-one problem for nearly a quarter of respondents is lack of qualified vendors with a complete zero-trust solution.

Firms are also encountering several problems with their current zero-trust strategies. Three in five businesses (59%) struggle to authenticate users and devices on an ongoing basis - a fundamental component of zero trust if it is to be accessible - and another 54% have trouble monitoring users after they're authenticated.

With "a gathering storm" on the horizon, ensuring robust cybersecurity will continue to be a priority among business decision-makers. Zero trust may be the answer for many organisations, but there's work to be done before zero-trust adoption becomes widespread and the benefits are fully realised.

Why cybersecurity equates to job security

There’s a silver lining to the rise and rise of cybercrime: as the wider hi-tech industry reels from large-scale layoffs, security experts appear largely impervious to redundancy

During Microsoft’s quarterly earnings call at the end of January, its executive chairman and CEO, Satya Nadella, pointed out that the annual turnover of its cybersecurity arm had hit the $20bn (£17bn) mark – up from $15bn the previous year. Only a few days beforehand, the software giant had revealed plans to lay off 10,000 workers in anticipation of an overall slowdown in revenue growth.

These contrasting disclosures illustrate how the cybersecurity field and those working in it have escaped relatively unscathed from the wave of redundancies that’s swept through big tech in recent months. That’s largely because businesses are under siege online, facing a constant barrage from criminals using tactics ranging from phishing to ransomware attacks.

A landscape bristling with threats

The statistics make worrying reading for the potential victims of cybercrime. For instance, Verizon’s 2022 Data Breach Investigations Report indicates that the number of ransomware attacks rose by 13% between 2020 and 2021, the biggest growth in five years. It also notes that the use of stolen log-in credentials to hack into organisations in 2021 had increased by 30% since 2017. 

Damaging security breaches affecting high-profile organisations – for instance, the SolarWinds supply chain hack in 2020 and the Colonial Pipeline ransomware attack in 2021 – have at least spread awareness of the threat. 

A survey of business leaders published by the World Economic Forum in January found that 91% of respondents think that “a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years”. It also revealed that 43% believe that an attack is likely to affect their firms materially over the same period. 

The more that enterprises digitalise, the greater the cyber risk they run, notes Michael Mulligan, practice executive, risk and security services, at US-based IT recruiter TEKsystems. 

“There are just so many different digital access points – so many more opportunities for bad actors to exploit,” he says. 

Mulligan, who is based in Chicago, reports that hiring activity seems to be regaining momentum after a softening in demand for cybersecurity specialists among his firm’s clients in H2 2022. 

“What we’re seeing out of the gates in 2023 is that we’re kind of back to the level of activity we were seeing early last year,” he says. 

John Lynes is MD of Ashdown Group, a London-based IT recruitment specialist whose clients are mainly private firms employing 50 to 500 people. His experience of 2023 so far has been slightly different. He reports that “there is still huge demand for professionals in the cybersecurity space, although hiring is slowing down in line with the wider IT market”.

A web-based tracking tool hosted by Ashdown Group analyses IT vacancies from about 11,000 UK companies. According to this, the number of job postings seeking cybersecurity engineers in January was just over 400, down from 880 in August 2022.

Lynes attributes this decline to the broader downturn in the British economy, which saw weak growth in 2022 and is expected to shrink this year. But he adds that salaries for cybersecurity jobs still rose by about 17% on average last year, reflecting the continuing skills shortage. His firm estimates the UK median salaries for an information security manager and an engineer as £73,596 and £57,826 respectively.

Efforts to close the skills gap

There are about 4.7 million cybersecurity specialists working in a world that still requires about 3.4 million more to join their ranks, despite the addition of 464,000 professionals last year. That’s according to the International Information System Security Certification Consortium, a not-for-profit body providing qualifications in the field.

Closing this yawning talent gap is a goal of both public and private sector initiatives. Westminster’s National Cyber Strategy 2022, for instance, calls for the expansion of post-16 training programmes to enhance the cyber workforce, including “skills bootcamps” and the national roll-out of the Institutes of Technology.

Similarly, the newly created Office of the National Cyber Director in the US, with $100m in initial funding, has named cyber workforce development one of its key functions. And last month the US National Security Agency began one of its biggest recruitment drives in three decades, aiming to fill 3,000 roles, many of which relate to cybersecurity.

In the private sector, Microsoft and cybersecurity specialist Fortinet have been going to great lengths to tackle the skills shortage. In 2021, Microsoft started a programme for community college students, with the goal of filling 250,000 cybersecurity roles in the US by 2025. Fortinet has pledged to train 1 million people in cyber skills by 2026.

Time to retrain?

So far, then, the cybersecurity function seems to have escaped the worst of big tech’s big cull. 

“It’s an area of safety, relatively speaking, as cybersecurity solutions are often the last on the chopping block as businesses optimise their costs,” says Malik Ahmed Khan, an equity analyst specialising in technology at Morningstar. 

He also doesn’t expect the wave of redundancies to strike the publicly traded companies that specialise in cybersecurity, including Fortinet, Palo Alto Networks and CrowdStrike.

Underscoring this point, Rob Rashotte, vice-president of global training at Fortinet, wrote a guest post on the website of tech recruiter Dice this month in which he urged newly redundant hi-tech workers to consider pursuing a career in cybersecurity. 

“Cybercriminals aren’t going away,” he pointed out. “Now, more than ever, cybersecurity talent is critical.”