The Responsible Leadership Series in partnership with Teneo
Thirty-seven per cent of UK companies have reported a data breach incident to the Information Commissioner’s Office (ICO) in the past 12 months, and 41 per cent of UK consumers claim they will never buy from a business again after a security breach. It is not surprising, then, that improving cyber-security does not just mitigate risk, but adds shareholder value. It is the responsibility of the CEO to embed a security-first culture across their organisation – but are companies able to move quickly and invest enough to stay one step ahead of the cyber-criminals? Has cyber-security been nudged down the boardroom priority list in favour of, say, diversity & inclusion and climate change? Do shareholders have sufficient visibility on the level of risk, and the adequacy of companies’ protection? Is customers’ data less safe than it was, say, 5 years ago?
Cybercrime is accelerating, and poses a threat to almost everyone in our increasingly digitised world. In the past year or so it has climbed up the international agenda (to be top of the list for the Biden-Putin Summit, and part of the G7’s post-Carbis Bay communique), and landed as an issue on news desks around the world. Part of the reason for this hockey-stick curve of activity is that ransomware has emerged as a highly profitable and efficient crime, and when it comes to risk versus reward, “literally everything favours the attacker”.
Tortoise was joined by Ciaran Martin, Founding CEO of the National Cyber Security Centre; Dave Palmer, Chief Product Officer at Darktrace; and Martina King, CEO of Featurespace, for a discussion about the seriousness of cybercrime as it now threatens not only individuals but entire systems of finance, commerce and healthcare. Beyond business, the intrinsic vulnerability of our supply chain and the sheer malevolence of criminals seeking profit online are becoming clear.
The discussion began with the hacking group REvil, which has a safe harbour within the Russian state from which to launch ransomware attacks like those that recently affected network company Kaseya. Ciaran explained that most ransomware groups are large organisations with a significant amount of computing infrastructure and would be “too big to hide” in non-sympathetic jurisdictions. He stressed that groups like REvil are illegal businesses that must achieve an operating scale way beyond being “teenagers in an upstairs bedroom”.
Martina pointed out that the huge scale of cyber-attacking groups means that businesses have to invest more and more in their defences. But the odds are stacked against them. The value of personal information – like credit card details – has fallen due to better fraud detection, cutting-edge security technology, and behavioural nudges that drive users to be more conscious about their online safety. This has made the average digital citizen harder to extort, Dave explained, and has meant that the “low hanging fruit” for cyber-criminals is no longer in the wallet of everyday internet users. Rather, it’s in industrial scale attacks on businesses that are still scrambling to mount a defence.
Fraud has been a significant loss item for businesses for some time, but the industrial scale of cybercrime being seen around the world today may force us into a new way of addressing it. The ransoming of entire corporate networks is a new and more severe issue. So, is this a watershed moment in the way we tackle cybercrime?
Martina suggested that ransom is becoming a “cost of doing business” in banking, commerce or other sectors – much like fraud is today. But, as cyber criminals become increasingly bold, is it simply time for tougher legislation and more aggressive policing?
We certainly need stronger law enforcement collaboration, and for the international community to take a tougher diplomatic stance on the issue. Dave was hopeful that egregious attacks on infrastructure, healthcare and supermarkets could be stopped if these diplomatic shifts were translated into coherent policing and action. Special attention must also be paid to the mechanisms that exist to turn cryptocurrency into real money, as crypto represents a major channel through which attackers are able to benefit easily.
The discussion ended with a much clearer sense that the world has moved from consumer fraud, a sort of “cyber-pickpocketing”, to systemic cybercrime that could threaten whole industries, or nations. Cybercriminals will continue to impact the infrastructure that supports our way of life, not just the businesses we rely on, and there’s a real urgency with which we must both understand and tackle this change.
Editor and Co-founder
Founding CEO, National Cyber Security Centre and Professor, University of Oxford
Chief Product Officer, Darktrace