Innovation drives business. As technology improves, we reach for that smartphone or store data on the cloud and everything gets easier and more connected. Customers or clients are served faster. Offices around the globe connect more easily. The digital world has made the world flat and fast. Unfortunately, cyber security has failed to keep up with the pace.
Cyber security requires a different sort of thinking—software developers focus on creating code, but hackers and attackers focus on flaws and assumptions in that code or that thinking. Think of the automobile: when the focus was just on driving, cars were fun, but also dangerous. Now, security measures like airbags, seatbelts, and crumple zones make that vehicle much safer. It required federal regulation to make those safety features happen, and a different sort of thinking, but now such equipment is standard. The same sort of thing is happening in the cyberverse.
The UK released basic cyber security standards, the Network and Information Security Directive. Their “10 Steps to Cyber Security” should make it possible for any company to comply. The cost of failing to comply is high: the recently passed law makes companies financially responsible for failing to protect against a cyber security attack, with fines of up to £17 million or 4% of global turnover. That’s a hefty price, and yet researchers have found that nearly 40% of organizations within the UK have not yet complied.
Among those who have yet to comply: critical infrastructure sectors such as police, energy suppliers and the NHS. Across the pond in the United States, an Executive Order signed by Donald Trump also placed the responsibility for cyber security in each sector of government and industry. Initiatives by US-CERT (United States Cyber Emergency Response Team), combined with the FBI and Department of Homeland Security, have sought to make standards and resources more readily available.
- The “Framework for Improving Critical Infrastructure Cybersecurity” by the National Institute of Standards and Technology has been around since 2014.
- Initiatives to provide greater training, formal education and workforce development have a centralized online database.
- US-CERT has an alert page, with current and updated cyber security intelligence published for both personal and business use.
Yet despite these resources, the US has not set up a fine deterrent comparable to the one the UK has passed, so compliance remains entirely the responsibility of each sector, business or industry. Nor are these resources broadly publicized to businesses and industries.
The Real Cost
The real cost of failing to implement cyber security basics is borne by each affected organization individually. To give some perspective, the recent WannaCry virus had an estimated global cost of up to $4 billion—and that was a virus that exploited vulnerabilities for which patches already existed, so a simple update could have prevented the infection.
Another example: DDoS attacks. Most companies see distributed denial of service attacks only as a nuisance that can slow down or halt business. High-volume DDoS attacks get the attention, but short, low-volume attacks may account for as much as 90% of attacks. If they last as little as 30 minutes, what’s the big deal?
Short DDoS attacks serve a completely different purpose: to map and infiltrate a network. They open the door to malware and ransomware, data theft or more serious cyber attacks later. The WannaCry and NotPetya malware attacks demonstrated that failing to comply with modern cyber security standards could create real-life disruption. Well-funded and state-sponsored actors may be intentionally aiming these surgical attacks at disruption, not theft. Businesses must protect themselves against these and other types of attacks by not skipping the basics. Consider it being intelligent about cyber intelligence.