But while we often hear about such attacks on larger organisations, it’s vital to remember the vast majority are indiscriminate – any firm that uses the internet is a potential victim.
While many of us have a picture in our heads of a cyber criminal as using sophisticated equipment, the reality is often much simpler. Common techniques used include:
- Phishing – sending e-mails asking for sensitive information or encouraging the recipient to visit fake websites.
- Water holing – setting up a fake website or compromising a legitimate one to exploit visitors.
- Scanning – searching the net for vulnerabilities to exploit.
- Ransomware– deploying malware that encrypts and deletes data and extorting a demand for its return.
While combatting all these techniques should be a part of a cyber security strategy, ransomware can be truly devastating, as we saw with SEPA. Before launching a ransomware attack, cyber criminals will often spend weeks inside the victim’s network, identifying defences and assessing the organisation’s worth to maximise the impact of the attack.
REGISTER for The Scotsman's State of the Cyber Nation Annual Debate >>Given most business’ reliance on technology, planning for a cyber attack should be considered just as – if not more – important than planning for a power failure or other disruption.
Winston Churchill famously said: “He who fails to plan is planning to fail.” US President Dwight Eisenhower qualified this by saying: “Plans are worthless, but planning is everything.”
While both leaders were referring to the chaos of war, the idea that the process of planning is potentially more important than the actual plan is equally applicable to cyber security.
Ransomware attacks typically occur through at least one of three paths: phishing e-mails, Remote Desktop Protocol and software vulnerabilities. While you won’t know the exact path a cyber criminal will take until an attack happens, the process of planning will help mitigate the fallout by forcing you to examine the thinking behind your cyber security strategy.
Understanding how an organisation will react to a cyber attack is more important than the scenario being a perfect match for the plan.
We can expect cyber criminals to improve their techniques – especially with new transformational technologies such as artificial intelligence and the Internet of Things. And remote workers will also remain an exploitation opportunity, alongside vulnerabilities in unpatched servers.
It is more important than ever to have a cyber security plan in place.
The National Cyber Security Centre (NCSC) provides advice to reduce the likelihood of attack. And Holyrood produced a set of generic incident response plans in 2019 which could be adapted by any organisation.
The Scottish Government also recently funded a programme of work to promote the NCSC’s Exercise in a Box toolkit, delivered by my organisation, the Scottish Business Resilience Centre. This free programme takes participants through common attack scenarios and works through the realities of responding to them. Running until April, it is open to the public, private, and third sectors.
The programme is a vital part of planning and will allow organisations to have a positive response should they face a cyber attack.
Jude McCorry is chief Executive of the Scottish Business Resilience Centre