Cyber security isn't just about how your business acts

By Jack Durrant, BA (Hons), ACII

For the last few years, I’ve become interested in all things cyber. This interest has mainly focused on cyber insurance, ransomware, and the dark web. I’d recommend that anyone interested in knowing more reads up on Tor (The Onion Router), and also on Silk Road and the Dread Pirate Roberts (no, not the fictional character). It is an example of the criminalised entrepreneurship that’s so prevalent online, especially among those who conduct these nefarious activities under the cover of anonymity. There are also heaps of fascinating documentaries covering the stories and strategies used to extort money, sell data, or redirect funds.

A colleague then suggested a brilliant podcast called Darknet Diaries that details the dark side of the internet. It covers Edward Snowden, the WannaCry attacks, Petya, DDoS attacks on South Korea, and a host of scandals in which perpetrators have tried, sometimes successfully and sometimes not, to obtain illicit cash, Bitcoin or Ethereum. It also talks about another side of cyber: penetration testing. This is where “non-threat actors” attempt to gain access in order to expose potential weak points in an organisation’s own cyber or physical security. The podcast interviews many “white hat threat actors” about their methodology. Commonly this starts with simple social media searches so that the pen testers can replicate ID cards and dupe staff or reception workers into allowing access to restricted buildings or areas. Access to these areas by the wrong person could cause chaos and makes future cyber events exponentially more likely to happen.

Back in the world beyond the podcast, it’s easy to forget that the range of cyber threats is as vast as the range of threats to a business’s bricks and mortar. We tend to blur ransomware, malware, denial of service, social engineering, data breach, and system failure into the same pot, when in fact each is as different from the others as theft, fire, and flood.

That a single insurance policy will (and does) cover many of these cyber risks is astounding value and good common sense, particularly when you consider that many insurers pair their policies with a heavy focus on risk management, crisis containment, breach notification services, and a host of other services to help businesses become harder cyber targets.

Another real-life, real-time story has recently come to public attention: Manchester police suffered a severe data breach in which threat actors obtained ID badges, warrant cards, and ID numbers during a ransomware attack. It just happens to be local to my offices, which adds to the gravity of the event for me.

The fact that the leak came from a third party makes it more devastating for the police, as they may be forced to bear some of the damages from a cyber-attack that wasn’t even directed at them. We can clearly see the impact this might have on the individuals affected in the police service. Insurers, for example, are very likely to consider the fallout from negative PR, asking themselves questions such as: if this were a business, how would it go about disclosing such a thing to the Information Commissioner’s Office? How should the service respond in reissuing sensitive documents and then protecting its staff from potential future threats, both online and offline?

Aside from this, there’s a risk of physical penetration into the buildings. That podcast I listen to often talks about the information needed for in-person reconnaissance, such as how one might gain access to a building. Identifying documentation and replica ID cards are a much bigger threat than they appear on the surface, and replacing and reissuing cards comes at quite some cost.

Cyber threats really do range from the very low-tech right through to expensive, cutting-edge zero-day exploits, and your business may not even be the one at fault.

This article barely scratches the surface of cyber. Given just enough time and patience, threat actors can be ingenious and unscrupulous in the ways they access something (or somewhere) they shouldn’t.

I’ll end with this message. Think of cyber protection almost like a high-level chess game. It’s worth making yourself a harder target to infiltrate. It’s worth transferring cyber risk. And it’s worth educating yourself so that you and your business can be innovative and one move ahead in how you set up your own defences, while having the knowledge to adapt when the next threat trend appears on the digital horizon. Because it’s already on its way.