[BreachExchange] Two cybersecurity myths you need to forget right now, if you want to stop the hackers

Destry Winant destry at riskbasedsecurity.com
Thu Feb 14 09:18:14 EST 2019


https://www.zdnet.com/article/two-cyber-security-myths-you-need-to-forget-right-now-if-you-want-to-stop-the-hackers/

Two myths stand in the way of boards understanding the threats posed
by cyberattacks and ensuring their businesses can be safe against
cyber criminals and hackers.

These misconceptions about cybersecurity were identified by Ciaran
Martin, CEO of the National Cyber Security Centre — the cyber arm of
GCHQ — who warned organisations: "There isn't much of an excuse any
longer for not knowing about security as a business risk".

First, too many organisations still believe that all cyberattacks are
targeted, meaning that unless they're specifically selected as the
objective of a hacking campaign, they won't fall victim. Second, some
board-level executives don't engage with cybersecurity because they
believe it to be too complicated — in some cases even being fearful of
the complexities they perceive as being involved.

Speaking at the European Information Security Summit in London, Martin
warned there are still businesses that believe they will not be in the
sights of cyber criminals, and so assume they are not at risk of
suffering the negative effects of a cyberattack.

"Tell that to the Western business leaders hit by NotPetya in the
summer of 2017," he said, referring to the malware campaign launched
against Ukraine by Russia, which quickly spread around the world,
knocking businesses offline and doing vast amounts of damage.

"The Russian target here was quite obviously Ukrainian infrastructure,
but it damaged — amongst other things — British advertising and
pharmaceutical companies, as well as the shipping giant Maersk," said
Martin.

The impact of NotPetya forced Maersk to reinstall 4,000 servers and
over 45,000 PCs, with losses caused by serious business interruption
estimated to amount to over $300m, despite the shipping firm never
being the intended target of the attack.

Weeks earlier, the global WannaCry ransomware incident provided what
Martin described as "an even starker illustration" of how unsuspecting
organisations can find themselves the victims of a major cyberattack.

The UK's National Health Service found itself an unwitting victim of
the campaign spread via an aggressive worm-like virus launched by
North Korea in an effort to extort ransoms.

"That makes small, British NHS bodies a uniquely absurd target, but
they were attacked and disrupted nonetheless," said Martin.

But board members believing their organisation won't actually face the
risk of a cyberattack isn't the only myth that needs to be dispelled.
The NCSC boss described how some boards feel it to be too complex a
problem to truly understand, but pointed out how organisations deal
with complicated issues every day, and that at its core, managing
cybersecurity risk isn't much different.

"When I view businesses in the UK and around the world, I'm often
amazed by the sheer complexity and sophistication of the businesses
and the risks that they manage," said Martin.

"A company that can extract stuff from way below the ground, a company
that can transport fragile goods to the other end of the planet in a
really short period of time, a company that can process billions of
financial transactions every hour is more than capable of managing
cybersecurity risk".

Even simple activities like ensuring systems and software are up to
date can go a long way to protecting organisations from cyberattacks.

Martin described how this approach could have helped organisations
around the world avoid becoming victims of Cloud Hopper, a
data-stealing espionage campaign which Western authorities have
attributed to China's state-backed hacking group APT10.

Much of the campaign was based around distributing phishing emails
containing malicious Word documents, which — when opened — ran macros
that retrieved malware.

Martin explained how if the targeted organisations had applied
relevant patches, the vulnerabilities exploited by the attackers
wouldn't have been open.

"Don't blame the people who opened the files — had the organisations
been running an up-to-date Office application, it wouldn't have got
through," he said.

"The fundamental point here is that the infection was able to persist
and spread and do harm due to poor cybersecurity," Martin said. While
the APT in APT10 stands for 'Advanced Persistent Threat', the attack
wasn't that advanced.

"In this specific case the attack wasn't advanced, the group didn't
need to be persistent and there was nothing really threatening about
it — that's not good enough and that's what we need to address," he
said.

The NCSC has previously issued advice to senior executives on the five
cybersecurity questions they should be able to answer in order to
ensure their company isn't at risk from hacking threats.
