Business leaders need hands-on approach to stop cyber crime, says spy chief
Business leaders must not see cyber crime as "just a technical issue" that can be left up to IT departments, a spy chief has warned in the wake of the Royal Mail ransomware attack.
Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC) - a division of GCHQ - said company bosses could not rely on the Government alone to protect them from major cyber incidents and had to step up their measures.
Writing for The Telegraph, she implored board members to “develop a basic understanding” of cyber security, in the same way that they would be expected to have a degree of knowledge about their company’s finances.
Her remarks come after the Royal Mail was hit earlier this month by a ransomware attack which forced it to suspend international postal deliveries and left parcels and letters stuck in limbo.
More than half a million items were piled up in warehouses after a computer system used to send them abroad was paralysed.
The Telegraph revealed that a Russia-linked ransomware gang called Lockbit was behind the cyber attack.
Sources familiar with the Royal Mail investigation into the incident told The Telegraph that Lockbit's ransomware, known as Lockbit Black, had infected machines used by the postal operator to print customs labels for parcels being sent to overseas destinations.
The NCSC has been helping the company clean up and remove the malicious software, while the National Crime Agency is also investigating.
“In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public,” Ms Cameron said.
“These incidents are a stark reminder of the threats organisations across the UK face in cyberspace.”
She said the NCSC dealt with hundreds of cyber incidents each year, many of which had the potential to “significantly impact the economy and wider society”.
Threats to British businesses and critical infrastructure came in a range of forms “from low-sophistication email phishing through to the risk of potential ‘overspill’ from cyber-attacks perpetrated by Russia on Ukraine”.
Ms Cameron urged business leaders to step up their efforts in combating cyber crime by taking an active interest in the issue and educating themselves about it.
“I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health,” she said.
“Increasingly, we are seeing senior leaders at board level driving the effort to shore up their organisation’s cyber defences and practise incident responses.
“It is heartening to see more leaders gripping cyber security rather than seeing it as ‘just a technical issue’ and I would encourage others to follow their example.”
The Royal Mail said it “sincerely apologised” for the effect the cyber attack has had on post and deliveries, adding that its staff were working “around the clock” to resolve the situation.
“Following the recent cyber incident, we have been temporarily unable to despatch export mail parcels to overseas destinations,” a spokesman said.
“We have temporarily asked customers not to submit any new export parcels into the Royal Mail network until further notice.
“Our initial focus is on clearing export parcels that have already been processed and are waiting to be despatched. We continue to make good progress.”
Help us fight cyber crime together
By Lindy Cameron
In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public. These incidents are a stark reminder of the threats organisations across the UK face in cyberspace.
At the National Cyber Security Centre – a part of GCHQ – we are acutely aware of these threats and our experts deal with hundreds of cyber incidents every year, many with the potential to significantly impact the economy and wider society.
Thanks to the efforts of the teams working in the NCSC as well as our partners, the cyber security resilience of the UK is improving all the time, but it is important to acknowledge the threats that remain out there.
These come in various forms, from low-sophistication email phishing through to the risk of potential "overspill" from cyber attacks perpetrated by Russia on Ukraine, which we continue to remind organisations to be ready for.
The biggest online threat to most UK organisations remains ransomware, a type of malware used by criminals which blocks access to devices and the data stored on them.
All of this can seem overwhelming, but the good news is there are steps all organisations can take. As with so many things, the key is good preparation.
Increasingly, we are seeing senior leaders at board level driving the effort to shore up their organisation’s cyber defences and practise incident responses. It is heartening to see more leaders gripping cyber security rather than seeing it as "just a technical issue" and I would encourage others to follow their example.
I am frequently asked by board members "what does good cyber security look like?" My answer is always the same – good cyber security is whatever protects the things you care about. Typically, these things include bulk personal data, intellectual property, a public-facing website, or industrial control systems.
Without good cyber security, a successful attack could impact an organisation’s ability to deliver key operations, hit finances, damage reputation, and cause considerable downtime during the recovery period.
The actions taken to boost cyber resilience levels have to work for the individual organisation. They have to be appropriate for its processes, systems, staff, culture, and the level of risk it is willing to accept.
One thing senior leaders can do immediately is to read and act on the guidance on the NCSC’s website to help organisations mitigate cyber attacks. This includes advice on defence and in-depth and practical steps you can take to prepare for a cyber incident, including backing up key data.
I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health.
The bottom line is this - having defences in place now will significantly reduce the risk of falling victim to opportunistic cyber criminals and the harms that we know all too well can follow.
While organisations all have their part to play, it is important for them to realise they are not alone. The NCSC’s incident management operators are working around the clock in collaboration with their colleagues in industry and law enforcement, as well as their international counterparts, to help tackle this serious threat.
On a national scale, the Government is committed to making the UK an extremely unattractive target for cyber attacks. The National Cyber Strategy sets out a comprehensive approach to tackling the threat posed by cyber crime.
But as I have repeatedly said, the key to cyber security is collaboration. Government alone cannot end the threat of cyber crime – organisations themselves have a vital role to play.
The rapidly evolving world of technology presents great opportunities for the country, but in order to do so securely we must be as resilient as possible. Recognising the threat and preparing for it is key to this, and I urge all organisations to help us in this fight.
Lindy Cameron is CEO of the National Cyber Security Centre