“The government’s reporting on costs of a cyber-attack is off by an order of magnitude. The Government’s Cyber Breaches Survey 2023 reported that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. These costs are way off by an order of at least one or two magnitudes."
Cost of a cyber-attack
“Organisations aren’t truly counting the cost of a cyber breach. Firstly, there’s the cost of the legal and security incidence response teams, the forensic consulting, the PR and any other experts you need to bring in to handle the impact of the incident. Then, you have the loss of business due to your data and system having been destroyed. It can take two to three weeks to restore data but we have also seen situations where it has taken longer than six months after a breach before systems, devices and data is restored."
"Then there are the regulatory fines and punitive damages for data breaches. Taking all this into account, you are looking at the cost of a cyber-attack being closer to a few million pounds and this doesn’t take into consideration any ransomware demand, if you pay it, which is often in the tens of thousands of pounds alone.”
Cyber Breaches Survey
“We need stiffer penalties for phishing attacks. The Government’s Cyber Breaches Survey today revealed that phishing remains one of the top three most common threat vectors with 79% of attacks reported in 2022 to 2023."
“Until we introduce stiffer penalties for cybercriminals, phishing will always remain a popular type of attack. It’s not only a key entry point into breaching a victim but it’s easier than ever with the advent of AI such as ChatGPT making it possible to create phishing emails on an even bigger scale than ever before. We need to be punishing cybercriminals the same way we do burglars or bank robbers but instead many walk free months afterwards, free and undeterred to commit another crime. Currently the rewards far outweighs the risks for cybercriminals."
“Furthermore, Microsoft and other email providers like Google need to be sandboxing phishing emails. This is an isolated test environment where files can be safely opened, helping to identify and block these news threats. This would essentially kill off a large part of the phishing community."
ISO/IEC 27001 certification
Most industries tend to do a terrible job of managing the security of their supply chain"
“Most industries tend to do a terrible job of managing the security of its supply chain. According to the Government’s Cyber Breaches Survey, it is still rare for organisations overall to be reviewing supply chain risks. This is an accident waiting to happen."
“Most industries tend to do a terrible job of managing the security of their supply chain. Any third-party vendors, whether those supplying goods in your café or your outsourced accountant, they all need to be held to the same security standards and policies as your own organisation."
“The trouble is few enforce this within their contracts with third parties, making it a prerequisite to ensure that they have policies and procedures that meet our own standards, that they have quality assurance in place, staff training and access controls set up, that they provide ISO/IEC 27001 certification, the world's best-known standard for information security management systems (ISMS). We can’t have third-party vendors winning contracts for critical industry sectors based simply on the lowest bid."
Ransomware attacks
ICompanies also need to look at the geo-political nature of their supply chain. If you are developing hardware or software in adversarial nations such as in parts of Eastern Europe and Asia then there is a risk that a lot of these will be backdoored, used as a cyber weapon to spy on Western nations.”
Companies also need to look at the geo-political nature of their supply chain"
“We need to make it illegal to pay a ransom demand if we’re to kill off the ransomware industry. The Government’s Cyber Breaches Survey confirmed that ransomware attacks are declining but the damage one single attack causes can be astronomical. Ransomware attacks will only continue to go up in number. Demands are extremely lucrative with perpetrators only having to pay back a percentage of their ill-gotten gains to the Ransomware-as-a-Service (RaaS) developers such as with the recent attack against the Royal Mail which was a RaaS attack."
"With RaaS developers selling or leasing their ransomware variants, you don’t need a degree in computer science to run ransomware attacks, yet you can make millions. As a benchmark, in 2004 a reported ransomware demand on a Californian hospital was £14,000. Now, just this month we saw an attack demanding just shy of £100 million."
Ransomware industry
“The only way to stop this lucrative industry is if governments in every Western country impose a ban against ransomware payments being paid. Companies should have their house in order by now. Every organisation has been warned against the need to have decent backups, and cybersecurity strategies, and incidence and disaster response capabilities in place which are well practiced. And if you don’t, your company is at significant risk of going out of business. Too many amateurs are fuelling the ransomware industry and it’s too easy for perpetrators to get away with attacks, scot-free. If we make it illegal to pay criminals ransom demands, with hefty penalties including jail time if this law is broken, then it will be hard for ransomware cybercrime to survive."
“Western Government’s also need to impose severe repercussions for countries that harbour cyber criminals such as in parts of Eastern Europe and parts of Asia, especially when attacks and threats are against critical national infrastructure like the power companies or our healthcare systems.”