New Times,
New Thinking.

  1. Spotlight on Policy
  2. Tech and Regulation
  3. Cybersecurity
15 December 2020updated 09 Sep 2021 11:24am

On cyber security, companies need to get the basics right

As cyber attacks proliferate, the answer lies in dull detail. 

By Ed Targett

In March staff at Finastra were forced to switch off servers – temporarily freezing millions in financial transactions – after a ransomware attack on one of the world’s largest financial technology services firms. In June, Honda factory floors fell silent after network infrastructure was shut down following an attack.

In August, New Zealand’s stock exchange faced four days of interruptions to trading after a sustained Distributed Denial of Service (DDoS) attackThese are just three high-profile examples of cyber incidents in 2020. There were millions of others, from cities forced to halt vital services to casinos knocked offline.

Yet organisations remain complacent. Perhaps many see the big names targeted and think “that’s not me”; the smaller names quietly fix the problem and nobody – sometimes not even regulators, GDPR or otherwise – is any the wiser.

The truth is, however, that you don’t have to be a target to be attacked. Cyber security researchers who set up “honeypots” to track attacks say automated vulnerability probing is immediate and sustained. One security researcher, Jason Schorr, told me that a honeypot he set up for 48 hours saw 24,992 offensive probes per hour from all over the world.

Read more: How AI changed cyber security

In newsrooms, editors are beginning to be inundated with predictions pieces for 2021. On the cyber security front, many feature the alarming viability of the deep fake: synthetic media used to underpin sophisticated social engineering scams. Picture a Zoom call with a spitting image of your CEO, now AI-powered, asking for an urgent transaction to be made to a company account.

The technology is 95 per cent there and likely to become common place within the decade, if not sooner. Yet most organisations would find fretting over the less dystopian and much more mundane a better use of their time. They should be taking steps like fixing the software that has been unpatched since 2012 or killing off the credentials of that employee who left last year, but whose email still gives them access to company databases.

Give a gift subscription to the New Statesman this Christmas, or treat yourself from just £49

In a list of the top 10 most exploited software bugs, the FBI and US security agency CISA lamented in a joint post this year that one stemmed back to 2012. It has been known about, and a patch has been available, for eight years.

Read more: The role of the CISO in the Covid-19 era

“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organisations,” they noted, adding “the public and private sectors could degrade some foreign cyber threats… through an increased effort to patch their systems and implement programs to keep system patching up to date”.

Getting the basics right is hard. End-users hate multi-factor authentication and prompt patching can knock applications offline. Deep fakes sound like a big threat, but security hygiene is 99 per cent small detail.

For that, IT teams need to be resourced and security taken seriously from top to bottom of a company. It might be painful building a security culture, but not as painful as being targeted by hackers who 21st century law enforcement remains deeply ill-equipped to catch or hold to account.

Ed Targett is editor at Tech Monitor.

This article originally appeared in the Spotlight report on cyber security. Click here for the full edition.

Content from our partners
How Lancaster University is helping to kickstart economic growth
The Circular Economy: Green growth, jobs and resilience
Water security: is it a government priority?