As an independent cyber security compliance company, we have considerable sympathy with comments recently reported by the BBC from Dr Ian Levy, of the UK’s National Cyber Security Centre, suggesting that some firms operating in the cyber security space exaggerate the skill set of hackers to scare companies into buying expensive hardware.
…He criticised cyber security companies’ marketing materials for depicting hackers as hugely skilled masterminds and for the hyperbolic language they used to describe cyberthreats.
Playing up the threats let security firms establish themselves as the only ones that could defeat hackers with hardware that he likened to a “magic amulet”.
“It’s medieval witchcraft – it’s genuinely medieval witchcraft,” said Dr Levy…
From our experience, many of the successful attacks we see are down to hackers taking advantage of weaknesses caused by a lack of basic cyber hygiene rather than any great sophistication in their approach. This is often combined with staff making errors because they are unaware of the current threats from phishing emails or ransomware.
In our opinion companies can go a long way to protect themselves just by implementing the basic controls in the government backed Cyber Essentials scheme, which is effectively good housekeeping. It is not expensive, and is suitable for all organisations.
We have also seen significant ‘scaremongering’ ourselves about the capabilities of hackers being used as a tool to sell expensive products when simply configuring existing hardware in a more robust way would often make a much more significant different.
Often we see that the basics are not addressed such as changing factory default passwords on newly installed firewalls or not configuring them effectively. Sometimes an organisation does not realise that their firewall has been left in a weak state, it may have even been left like this by their IT company…it isn’t always about upgrading hardware! The first thing that will be tried by someone trying to gain access is using the factory default settings. How does an organisation know whether the basics controls have been put in place? An independent vulnerability scan and a firewall review would help to identify these issues.
Similarly back-ups are crucial in recovering from ransomware attacks, yet sadly, these are often discovered to be out of date or inadequate once an attack has happened. Organisations need to understand the importance of having good, offline, back ups, and test them regularly to ensure that they are working properly, a simple, inexpensive tool to protect against these type of attacks.
The important starting point for companies is to identify the risks, and then to put steps in place to mitigate these. Organisations should be aware that attackers will go for the low hanging fruit first and to ensure they do not fall into this category. Over time we will see the opportunity to exploit these simple vulnerabilities reduce through better cyber hygiene and then attacks will become more sophisticated. Currently though many criminals do not have to use sophisticated attacks because many organisations have not addressed the basics yet, so that don’t.
Dr Levy also urged other businesses to take a look at what the NCSC, which was set up in October to help protect the UK from cyber attacks.
The NCSC website includes guidance on Common Cyber Attacks: Reducing the Impact which provides a useful tool for understanding the cyber environment, whilst an approach aligned to the 10 steps to cyber security provides an effective way to help protect an organisation from attacks.
The important message is to take even these unsophisticated attacks seriously: they are happening everywhere, everyday and more and more organisations are doing too little too late.