Two myths stand in the way of boards understanding the threats posed by cyberattacks and keeping their businesses safe from cyber criminals and hackers.
These misconceptions about cybersecurity were identified by Ciaran Martin, CEO of the National Cyber Security Centre — the cyber arm of GCHQ — who warned organisations: "There isn't much of an excuse any longer for not knowing about security as a business risk".
First, too many organisations still believe that all cyberattacks are targeted, meaning that unless they're specifically selected as the objective of a hacking campaign, they won't fall victim. Second, some board-level executives don't engage with cybersecurity because they believe it to be too complicated — in some cases even being fearful of the complexities they perceive as being involved.
Speaking at the European Information Security Summit in London, Martin warned that there are still businesses that believe they will never be in the sights of cyber criminals, and so aren't at risk of suffering the negative effects of a cyberattack.
"Tell that to the Western business leaders hit by NotPetya in the summer of 2017," he said, referring to the malware campaign launched against Ukraine by Russia, which quickly spread around the world, knocking businesses offline and doing vast amounts of damage.
"The Russian target here was quite obviously Ukrainian infrastructure, but it damaged — amongst other things — British advertising and pharmaceutical companies, as well as the shipping giant Maersk," said Martin.
The impact of NotPetya forced Maersk to reinstall 4,000 servers and over 45,000 PCs, with losses caused by serious business interruption estimated to amount to over $300m, despite the shipping firm never being the intended target of the attack.
Weeks earlier, the global WannaCry ransomware incident provided what Martin described as "an even starker illustration" of how unsuspecting organisations can find themselves the victims of a major cyberattack.
The UK's National Health Service found itself an unwitting victim of the campaign, which spread via aggressive worm-like malware attributed to North Korea and launched in an effort to extort ransoms.
"That makes small, British NHS bodies a uniquely absurd target, but they were attacked and disrupted nonetheless," said Martin.
But board members believing their organisation won't actually face the risk of a cyberattack isn't the only myth that needs to be dispelled. The NCSC boss described how some boards feel cybersecurity is too complex a problem to truly understand, but pointed out that organisations deal with complicated issues every day, and that at its core, managing cybersecurity risk isn't much different.
"When I view businesses in the UK and around the world, I'm often amazed by the sheer complexity and sophistication of the businesses and the risks that they manage," said Martin.
"A company that can extract stuff from way below the ground, a company that can transport fragile goods to the other end of the planet in a really short period of time, a company that can process billions of financial transactions every hour is more than capable of managing cybersecurity risk".
Even simple activities like ensuring systems and software are up to date can go a long way to protecting organisations from cyberattacks.
Martin described how this approach could have helped organisations around the world avoid becoming victims of Cloud Hopper, a data-stealing espionage campaign which Western authorities have attributed to China's state-backed hacking group APT10.
Much of the campaign was based around distributing phishing emails containing malicious Word documents which, when opened, ran macros that retrieved malware.
Martin explained how if the targeted organisations had applied relevant patches, the vulnerabilities exploited by the attackers wouldn't have been open.
"Don't blame the people who opened the files — had the organisations been running an up-to-date Office application, it wouldn't have got through," he said.
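Martin's point is about patching, but the attack chain described above (a phishing email carrying a Word document whose macro fetches the payload) is also something a mail gateway can catch before a user ever sees the file. The following is an added example, not code from the article, the NCSC or any vendor: it inspects the bytes of an inbound Office attachment for an embedded VBA project instead of trusting the file extension, so a macro-enabled document renamed to `.docx` is still flagged. The sample documents it scans are constructed in-memory packages with only the parts needed for the demonstration, not real Word files, and the `QUARANTINE`/`ALLOW` verdicts and the function names are assumptions of this example.

```python
"""Flag Office attachments that carry VBA macros, by content rather than by name.

Added example (not from the article or the NCSC). Modern Office files (.docx,
.docm, .xlsm, ...) are OOXML zip packages; a runnable macro needs a
vbaProject.bin part and a macro-enabled content type in [Content_Types].xml.
Legacy binary .doc/.xls files (OLE2) are flagged separately because their
macro storage needs a dedicated parser (e.g. oletools), which is out of scope here.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
MACRO_CT_FRAGMENT = b"macroenabled"                 # from e.g. ...word.document.macroEnabled.main+xml


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"          # a zip, but not an OOXML package
            content_types = zf.read("[Content_Types].xml").lower()
            # Either indicator alone is enough: attackers sometimes ship a
            # vbaProject.bin under a document whose main part claims to be macro-free.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            macro_ctype = MACRO_CT_FRAGMENT in content_types
            return "ooxml-macro" if (has_vba_part or macro_ctype) else "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def gateway_verdict(filename: str, data: bytes) -> str:
    """Hypothetical gateway policy: macros and legacy binaries are quarantined."""
    kind = classify_office_attachment(data)
    if kind in ("ooxml-macro", "ole2-legacy"):
        return "QUARANTINE"
    return "ALLOW"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (not a real Word file)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    vba_override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>' if with_macro else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f'{vba_override}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder VBA stream\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbound mail: the macro document is disguised with a .docx name.
    attachments = {
        "invoice.docx": build_sample(with_macro=True),
        "agenda.docx": build_sample(with_macro=False),
        "old_report.doc": OLE2_MAGIC + b"\x00" * 504,
    }
    for name, blob in attachments.items():
        print(f"{name:16} {classify_office_attachment(blob):12} -> {gateway_verdict(name, blob)}")
```

The check deliberately ignores the filename: `invoice.docx` above is quarantined because its bytes contain a VBA project, which is the decision a gateway should make. A legacy `.doc` is quarantined here only because this example cannot parse OLE2 storages; a production filter would hand those to a dedicated parser rather than block them outright.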
"The fundamental point here is that the infection was able to persist and spread and do harm due to poor cybersecurity," Martin said. While the APT in APT10 stands for 'Advanced Persistent Threat', the attack wasn't that advanced.
"In this specific case the attack wasn't advanced, the group didn't need to be persistent and there was nothing really threatening about it — that's not good enough and that's what we need to address," he said.
The NCSC has previously issued advice to senior executives on the five cybersecurity questions they should be able to answer in order to ensure their company isn't at risk from hacking threats.