How to beat nation state ransomware attackers at their own game


For nation states, operating in cyberspace is somewhat akin to opening Pandora’s box. The benefits of global connectivity are there for all to see, but the cloak of invisibility – and deniability – that it affords hackers is very difficult to circumvent. Launching a physical attack as an act of war is difficult without someone recognizing you, but many cyber-attacks are near impossible to trace back to the source.

It's why nation-state attacks are one of the biggest threats UK businesses face today. But most are woefully underprepared to deal with a state-backed attack, despite both the private and public sectors being prime targets for state actors seeking to access, abuse and exploit the country’s critical infrastructure.

This must change, and quickly. Businesses risk falling victim to some of the most crippling cyber-attack techniques, including ransomware, which can compromise a company’s ability to trade for between 20 and 30 days on average. For a company with £100m turnover, that’s a cost of roughly £274,000 per day in lost revenues. No one is safe, either, when even the country’s most well-known and embedded organizations like Royal Mail can fall victim.

Surprising soft spots

While hackers’ tactics are growing in sophistication, we aren’t making their jobs difficult enough. And businesses aren’t making it easy enough for themselves to recover when cyber attackers do break through security barriers, either. It’s why ransomware has become such a popular form of attack, and so profitable for sophisticated cybergangs; figures suggest that such attacks could cost businesses as much as £120 billion globally. Clear proof, if any was needed, that they are no longer single, isolated threats.

One of the biggest mistakes businesses make in their defense is omitting devices and systems that don’t hold sensitive information themselves, but can still provide a route to other systems that do – so-called ‘soft targets’ – from security frameworks or vulnerability mapping exercises. These seemingly harmless devices may appear undesirable to attackers, but they provide exactly what hackers need to pass the network perimeter undetected. For example, when a satellite company conducted penetration testing, white hat hackers were able to gain access to a code machine and from there move laterally to access the satellite’s navigation system.

Were this a real-life scenario involving a ransomware attack coordinated by a state-sponsored, co-located and technically sophisticated cyber group, the consequences could have been far greater. And unfortunately for many businesses, it is a plausible, real-life scenario.

Jonathan Bridges

Jonathan Bridges is Chief Innovation Officer at Exponential-e.

The time and place for exposure in cyber

The omnipresent threat and potential scale of nation state attacks make action at a corporate level imperative. But ultimately, defending against them requires government intervention. The NCSC is an organization set up by the government to educate on and encourage good cyber practices. And despite its best efforts, it has yet to make itself truly front and center when it comes to providing businesses and individuals with security advice and advocating for careers in cyber. Sadly, too few businesses know what it is or what it does, and that shouldn’t be the case. Many counterpart organizations connected to the world of cyber and nation states are tasked with maintaining their cloak-and-dagger reputations, but the NCSC isn’t like GCHQ; there’s no need for it to hide.

It needs to act as a single source of truth, encouraging businesses to adopt more sophisticated, military-style defense tactics to prevent nation state attacks and break the ransomware trend. It’s no longer just about individual businesses but about protecting the country and its infrastructure.

Military tactics call for military defenses

Military defense may sound overboard, but it’s only right when nation-state attacks are increasingly sophisticated, often state-sponsored and exhibit military-style tactics in their own right. They’re one of the biggest threats businesses have ever had to face, and organizations must take a leaf out of the attackers’ books by implementing military-grade defenses that both cut off attacks at source, and set the expectation that businesses should get back online in a matter of days, rather than months.

Attackers are constantly upping the stakes and pooling resource into ransomware, too. So the threat will continue to grow, and the dire need to adopt ‘military-grade’ protection that proactively identifies vulnerabilities, and prepares businesses for attacks from state-backed OCGs, will continue to increase.

Doing what you can

Yes, both the government and the NCSC simply have to play their part in encouraging and supporting efforts to stave off these sophisticated tactics if the UK is to maintain its barrier of defense. But changes at a governmental level won’t happen overnight. So, it’s in businesses’ and the country’s best interest for them to take matters into their own hands where they can.

The ransomware landscape is evolving at an unprecedented scale. It’s now an incredibly high-stakes game with huge money at play, especially given the prevalence of state backing. So traditional cyber defense methods, put simply, are not enough to keep this kind of threat at bay; businesses have no choice but to batten down the hatches, and military-style defense must be the way forward.


Jonathan Bridges is Chief Innovation Officer at Exponential-e. Jonathan’s career has spanned 24 years at multiple global system integrators, with a deep focus on driving innovation through the leverage of leading-edge Cloud solutions.