Staff Writer
Organised syndicates of cyber criminals are emerging as a significant risk for large and small businesses worldwide. That is the takeout from a presentation by Professor Ciaran Martin at the AusCERT 2021 Cyber Security Conference on the Gold Coast on Thursday.
Cataloguing the various players in the cybercrime business, the founding CEO of the National Cyber Security Centre and now Professor at the University of Oxford’s Blavatnik School of Government said organised cybercrime was a security threat that all businesses needed to learn to counter. He says most cybercriminals are not very sophisticated technically, but they’re tenacious and well organized.
”Any organization, however big or small, whatever it does, has got a bunch of risks that it needs to manage,” Professor Martin said. “We need to demystify cybersecurity. We have to treat it as an ordinary business risk.”
Citing the recent Colonial Pipelines ransomware attack in the United States, Professor Martin said a “bunch of hackers” out of Russia exploited basic weaknesses in corporate security to make some money. Professor Martin said the way many businesses failed to protect themselves against profit-orientated cyberattacks is a serious structural flaw with potentially widespread social and economic ramifications.
“The good news is when we look at the details of this and other cases, there are things we can do about it.”
Professor Martin told the AusCERT Conference many businesses still needed to learn about cybersecurity and have an informed discussion about it. Senior management up to the boardroom level needed to increase their awareness and knowledge of cyber risks.
“We wouldn’t have a board member sitting out a discussion on pension liability saying, ‘Well I don’t really understand that.’ The same has to be true for cybersecurity.
“You don’t need nation-state nation state defences. No one is asking small organizations, universities, local government… no one’s asking them to be able to take on a hostile nation-state on their own,” says Professor Martin.
But the man who now advises NATO on cybersecurity said many business and business leaders have to get smarter regarding cyber risks and cyber-attacks. At the outset, that includes asking some searching business-wide questions. How does the business propose to defend itself against any cyber-attacks? How does the business control use of privileged IT accounts? How does the business ensure software and hardware is up to date? How does the business ensure partners and suppliers protect any information the business provides to them? What authentication methods does the business use to control systems and data.
Professor Martin argues these are simple questions any business should be asking itself if it is serious about protecting itself against cyberattacks.
According to Professor Martin, cyberattacks, especially from organised criminals, are a growing but manageable threat. He argues cyber risks are rarely catastrophic. Instead, most cyber threats are the aggregation of small harms.
“Hype, fear, and uncertainty – that is our enemy,” Professor Martin said on Thursday. But he also says the publicity surrounding recent cyberattacks is drawing more attention to the threat. If the publicity gets more businesses to pay attention to their own cyber vulnerabilities, Professor Martin contends that is a significant positive outcome.
