According to the UK’s top cybersecurity official, ransomware threats and attacks pose the most immediate and long-term threat to businesses and nations.
At the Cyber 2021 Conference at Chatham House, the UK’s National Cyber Security Centre chief executive Lindy Cameron said that ransomware attacks are the “most immediate threat” to all nations, with cyberattacks linked to the Covid-19 pandemic likely to persist for many years to come.
As long as companies fail to protect themselves adequately from ransomware, or pay the ransom when attacked, cybercriminals and other malicious actors will continue to see ransomware as a lucrative crime.
In her speech at the cyber conference, Lindy Cameron warned that businesses and boards need to do more to protect themselves.
In the past few years, ransomware has been used as part of several high-profile cyberattacks, including the one on the NHS in 2017. Ransomware locks files and data on a user’s computer and demands payment to unlock them.
“Ransomware presents the most immediate danger to businesses and most other organisations,” said Cameron.
“Many organisations – but not enough – routinely plan and prepare for this threat and have confidence their cybersecurity and contingency planning could withstand a significant incident. But many have no incident response plans or ever test their cyber defences.
“We expect ransomware will continue to be an attractive route for criminals as long as organisations remain vulnerable and continue to pay. We have been clear that paying ransoms emboldens these criminal groups – and it also does not guarantee your data will be returned intact, or indeed returned at all.”
Stoking fears around vaccines
In addition, Cameron warned criminals and state-backed groups would continue to target information around vaccines or stoke fears to perpetuate scams relating to the pandemic.
“The coronavirus pandemic continues to cast a significant shadow on cybersecurity and is likely to do so for many years to come,” she said.
“Malicious actors continue to try and access Covid-related information, whether that is data on new variants or vaccine procurement plans.
“Some groups may also seek to use this information to undermine public trust in government responses to the pandemic. And criminals are now regularly using Covid-themed attacks as a way of scamming the public.”
Criminals are upping the ante
Russia and China were cited as the biggest threats to the cybersecurity of the UK – a fact not surprising to industry analysts – and Iran and North Korea were also mentioned. However, Cameron added that the “vast majority of hostile cyber activity” would come from “criminals, not nations”.
The cybersecurity chief said the key to preventing attacks is “resilience”, which means improving security and boosting skills and knowledge of cybersecurity threats across businesses, boards, and the public.
“We need businesses and organisations to understand the threats they face,” she said.
“We need the public to have the skills to help them stay safe and technology that removes the security burden on their daily lives, making them safer by default.
“Cybersecurity is critical to delivering key Government strategies from boosting national resilience to making the UK a science and technology superpower.
“To meet the challenge of the future, we must not only build on our successes to date but take our cybersecurity to the next level of scale and automation to meet the threats we will face in the next decade.
“Improving our resilience also plays a key role in deterring cyberattacks as our adversaries will see that an attack against the UK is likely to be less effective and the perceived benefits will be reduced.”
Ransomware threats and the rise of cyber-savvy boards
Increasingly complex security setups and highly publicised security breaches have prompted boards to pay more attention to cybersecurity. To deal with this, many companies have formed dedicated committees that discuss cybersecurity matters, often led by board members who have security experience (such as chief information security officers – CISOs) or third-party consultants.
CISOs should therefore expect greater scrutiny and higher expectations, along with increased support and resources. Boards will also be more demanding of CISOs and will require them to improve their communication skills.
Cybersecurity experts are being added directly to boards of directors due to recent events such as data breaches and the COVID-19 pandemic.
Does your board have cybersecurity at the top of its agenda?