Security – A Risk-Based Approach
In today's ever-changing environment, securing business assets and maintaining resilience requires adopting a risk-based approach to security.
With the devastating invasion of Ukraine by Russia showing no signs of relenting, the world isn’t only seeing horrific palpable consequences – such as a refugee crisis, energy and fuel prices skyrocketing and financial instability. In the online world, the delicate balance of interdependencies is under attack as well. Managing risk is not an easy undertaking at the best of times, but how about at the worst? Is cyber warfare on the horizon?
The scene is set and tensions are heightened. In the UK, the National Cyber Security Centre (NCSC) has urged organisations to strengthen their ‘online defences’ following Russia’s attack and considering a “historical pattern of cyber attacks on Ukraine with international consequences”.
Meanwhile, the war has been fought mostly on physical battlegrounds rather than online. It seems that the Russian cyber troops are holding back, with reports of ‘relatively basic’ distributed denial-of-service (DDoS) attacks being the bulk of Russia’s cyber warfare aimed at Ukraine.
Nevertheless, it’s important to note that DDoS attacks, however ‘basic’, are still malicious attacks with severe repercussions. A DDoS attack ‘floods systems, servers or networks with information, effectively blocking them’, which is incredibly disruptive and time-consuming to fight. A potent example is the largest DDoS attack known to date – aimed at Google in 2017.
“Exponential growth in DDoS attack volumes” was the title of the article published by Google’s Threat Analysis Group (TAG) when disclosing the attack in 2020 and explaining the extent of the threat. Damian Menscher, a Google Security Reliability Engineer, utilises this article as an opportunity to warn of an inevitable surge in DDoS attacks in the coming years due to internet bandwidth increasing.
It is likely, then, that Russia’s DDoS attacks on Ukraine being the extent of their cyber warfare so far is part of a larger trend and maybe even a misleading ‘slow start’.
As Josephine Wolff, Associate Professor of Cybersecurity Policy at Tufts University, writes for TIME: “Given Russia’s past willingness to deploy cyberattacks with far-reaching, devastating consequences, it would be a mistake to count out their cyber capabilities just because they have so far proven unimpressive. And it’s all but impossible to prove the absence of cyber weapons in a nation’s arsenal.”
Regardless of the complexity (or lack thereof) of Russia’s cyber warfare so far, it would be unwise to assume that organisations are not at increased risk of being targeted by cyber criminals, especially in a context as unstable as international conflict.
Taking advantage of ‘distracted’ populations and workforces is an infamous move on cyber criminals’ part, one we witness every year around the winter holidays. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021”, a Ransomware Awareness for Holidays and Weekends alert by the FBI and CISA warned in August 2021.
Times of instability are notorious for increasing cyber-criminal activity. The Covid-19 pandemic, for instance, reportedly led to a 50.1% increase in cyber attacks (according to The World Economic Forum) and proved to be a productive time for innovation – “prior to the pandemic, about 20% of cyberattacks used previously unseen malware or methods (…) and during the pandemic, the proportion has risen to 35%”, reported Deloitte. And post-9/11, ‘the war on terror’ warned about cyberterrorism with much greater emphasis than before – justifiably so, as “cyberterrorism is, to be sure, an attractive option for modern terrorists, who value its anonymity, its potential to inflict massive damage, its psychological impact, and its media appeal”.
All signs point to the ongoing Russia-Ukraine conflict being a worrying time for businesses everywhere in terms of risk and security – but can you do anything about this? How can organisations stay protected?
“Russia’s military offensive in Ukraine has raised the spectre of more cyber attacks, but it also presents an opportunity for investments to strengthen cyber infrastructure and prevent a spill-over economic effect” reports The National News.
This is a very pertinent point for cyber risk management in the current climate. While times are unpredictable and worrying, there is a way to look on the bright side: periods of instability often bring about change in business much faster than any data-backed strategies or long-term plans. And the current global context, the increasing threat of cyber warfare, could be what brings risk and security teams the funding they need to strengthen defences and protect organisations from ever-increasing cyber threats.
The Covid-19 pandemic is once again a good illustration of this silver lining. With home-working becoming the norm once lockdowns kicked in across the globe came the increased risks of unsecured networks, increased reliance on digital communication and remote servers, data privacy being threatened by the working environment changing from a controlled one to individual’s homes, and a plethora of other risks. To protect themselves, businesses had no choice but to make changes and strengthen their defences, which meant that risk and security climbed to the top of the priority list for most if not all organisations.
Those who didn’t take any action did not get out unscathed – “79% of organisations experienced downtime due to cybersecurity risk during peak season”. Furthermore, businesses with strong risk management and security strategies, particularly those complex organisations that already had a well-thought-out and maintained Enterprise Risk Management (ERM) program already in place, coped much better under pandemic conditions.
And it seems that confidence in risk management has been positively impacted by the Covid-19 pandemic as well. In the December 2020 – January 2021 Risk Management Response to Covid-19 Survey by the Institute of Risk Management (IRM), respondents were 96% ‘confident that the pandemic experience has strengthened the case for risk management’, as opposed to 94% in the April 2020 edition.
Many respondents considered the top learning point from the Covid-19 experience to be: “It takes a real crisis to get some people to pay more than lip service to risk management (don’t waste it)”.
If you would like any guidance on implementing a risk-based approach to cyber security in your organisation, please do not hesitate to contact us. Our thoughts are with the people of Ukraine, and all those impacted by the suffering and turmoil we are seeing.