Cyber-attacks are in the news again. First seen in 1972 when a researcher working in the US on Arpanet, a precursor to the internet, created a computer program called Creeper that could move across Arpanet’s network, it left a breadcrumb trail wherever it went which read: ‘I’m the creeper, catch me if you can’.
But now the intrusions are more insidious. In May, Colonial Pipeline – which operates a pipeline that carries around 3 million barrels of fuel a day between Texas and New York – was the subject of a ransomware cyberattack that shut its systems down for five days leaving the East Coast short of fuel. A few days later, at the start of June, the world’s largest meat processor, JBS, was also attacked by ransomware and its operations in Australia, Canada and the US were halted.
While big corporations garner the most column inches, no business or organisation should think itself immune. And for the world of print, there was the attack in March of this year on the MBA Group. The company reported that it had been “impacted by a cyberattack, which caused some operational disruption to our systems and a small proportion of our client work”. The firm’s operations were disrupted for more than a week as a result of the attack.
The problem is acute according to the Cyber Security Breaches Survey 2021 from the Department of Digital, Culture, Media & Sport. It found that 39% of businesses were subjected to a cyberattack or breach in a 12-month period and 21% lost money, data or other assets. Further, the average cost of the cyber security breaches these businesses experienced was estimated to be £8,460. For medium and large firms combined, the average cost was higher, at £13,400.
Defining a cyberattack
So, what is a cyberattack? According to Dai Davis, solicitor, chartered engineer and partner at Percy Crow Davis & Co, the Wikipedia definition, of “any attempt to expose, alter, disable, destroy, steal or gain information through unauthorized access to or make unauthorised use of an asset… that is a computer information system, computer infrastructure, computer network, or personal computer device,” is one that he agrees with.
He says that it “matches the broad definition of an offence under section 1 of the Computer Misuse Act 1990 which criminalises any action that ‘causes a computer to perform any function with intent to secure access to any program or data held in any computer where that access is unauthorised’.”
Roy Isbell, a cyber security specialist and advisor to the UK Forensic Science Regulator, agrees with Davis. He defines a cyberattack as “fundamentally the interaction of a threat actor with a particular system with the intention of achieving a particular outcome”.
Of course, how the attack manifests itself is dependent upon the outcome that the threat actor is hoping to achieve, the level and type of access that they have been able to create, and the skills and tools available to the threat actor.
Nevertheless, he’s aware that many believe that ‘cyber’ is just an alternative word for the internet and devices that are connected to it. While this may be true, he says “that this is not the whole scope of what the cyber environment covers”.
Davis recalls an old information technology saying: “There are two types of business: those who know they have been breached, and those who don’t yet know.” But as to where the threats originate, Davis says that some are performed by ‘script kiddies’ “who try and hack into a system for fun. They are mostly out to hack well-known sites, or ones that will give them some ‘prestige’”. He adds that non-monetary sites include those that attract opposition, such as the sites of political parties.
Isbell takes a similar line but has seen “some operate in a more random fashion” as they look to prove their skills or develop tools in order to raise their profile within the hacking communities.
For the criminally minded, making money is always the goal and they attack anything where it pays them to do so. “They may,” says Davis, “adopt a scattergun approach, sending out millions of scam emails in the expectation that only a few people will fall for the scam, alternatively they may target a particular ‘rich’ target but in a more subtle, considered manner.”
Of course, at the extreme, states such as China, Russia and North Korea attack companies to steal technology.
Worryingly, as Isbell points out, Covid-19 has altered the landscape somewhat because “we now have a more distributed business model with employees working from home, often on shared networks with only limited security implemented”. He has seen a significant increase in attacks directed at organisations directly involved in dealing with the pandemic or involved in vaccine research.
Making a similar point, Davis has found that any newsworthy topic may be used to persuade a staff member or individual to click on a link that will take them to a compromised website. “In that sense, the pandemic is no different and has given malicious actors opportunity to create appealing false links, for example, with offers of having an early vaccination.”
Security is a relative term
No system is perfect. But Davis knows “that the amount of effort it takes to breach a system is proportional to the amount of effort taken to secure the site in the first place”. He cites one of the first ever recorded security breaches where a website could be hacked by clicking on a certain part of the web page in a public part of the site with the mouse. Doing so revealed other customers’ details.
Moving on, Isbell talks of a process developed by Lockheed Martin that maps the stages of a cyberattack. Called the ‘Cyber Kill Chain’, he says that the steps involve reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and ‘actions on object’. “Each step,” says Isbell, “is required for the subsequent step to have a chance of being successful. Therefore, a security breach is not a single event or tool, though it often appears this way, but a combination of knowledge, skills and intelligence used in sequence to achieve the effect or outcome the threat actor wants to achieve.”
For him, the only way to achieve 100% security is for a system to not be connected to any form of external communications. He emphasises that cyber security is about managing risk: “This requires that we spend time evaluating and understanding the cyber environment and what it is we need to protect; it is not always the data that requires protection, but the systems themselves.”
Countering threats
As both Isbell and Davis detail, there is no easy way to counter cyber threats.
Apart from a company’s own systems, Isbell would also look at the supply chain, “especially where industrial processes may share data between firms”. For him, having a strategy is key, and for that to work “an understanding of the firm’s cyber ecosystem is essential... and not just focused on the data that resides on the various IT systems it may have”.
Davis, on the other hand, would create a budget and appoint someone at board level to maximise its use. He would bring in an independent consultant to consider where the budget should be spent. He also cautions against placing too much reliance on specific security products, “many of which are good, but which solve only the security issue that the particular vendor advertises”.
Staff training is something else to consider. While it’s not foolproof, the more staff training, the lower the probability that a staff member will introduce harm to the business.
But as Davis warns: “Training needs to be regular. There is little point in only training during induction week and then not following that training up with regular reminders… staff may be sent a malicious email containing a spurious link at any time.”
Isbell too values training. He says: “The most efficient and well understood security environments I have witnessed are where the company has worked to develop security as part of the culture of the organisation.
A combination of carrot and stick is used to great effect without defaulting to a punitive strategy on what happens should a breach occur.”
And then there’s the option of placing a warning on every email which a staff member receives warning them if an email has come from an external source and that it may be malicious. On this Davis thinks warnings are unlikely to be of much assistance – “it is likely to be ignored as the staff member is anxious to read the email not the header, let alone the repeat warning in the header”.
Crucially, Isbell recommends including cyber security breaches as part of business continuity disaster recovery planning: “Whilst some firms have been unable to continue after a cyberattack, those that have had a robust incident response plan have not only been able to recover but recovered faster and as a consequence, minimised the overall impact on the business and its operations.”
The risks from doing nothing
Firms that do nothing, and which suffer an attack, risk legal fallout. Davis points first to the fines for poor security under the civil part of the General Data Protection Regulations. He says that the probability of a fine is tiny, but the risk of criminal sanction under the GDPR is not: “Criminals, like regulators, have limited budgets and look for ‘low-hanging fruit’. If you can make your business more secure than your competitors, it will be enough to persuade some criminals to look elsewhere for a softer target.”
Beyond that, Isbell says that a firm that does nothing should expect to suffer a breach at some point, if they haven’t already. But apart from implementing security, he states that “it also requires some form of monitoring… and if no monitoring is implemented, the firm will not know it has been breached until the breach is made public by the threat actor”. And when this happens, there comes a natural question: who would trust an organisation that does not take security seriously?
Further, there’s the risk of corporate failure. Canada’s Nortel Networks Corporation filed for bankruptcy in 2009, having once been valued at a third of the entire worth of the Toronto Stock Exchange. Its technology and intellectual property had been stolen by Chinese hackers who had infiltrated the entirety of the company’s systems in 2000. The breach was discovered in 2004 but not fully cured by the time of the company’s bankruptcy. Davis says that the breach is widely regarded as being one of the prime causes of the company’s failure.
And then there was the case of Code Spaces, a hosting service, which, in 2014, had no recovery plan and consequently was unable to continue in business; Stuxnet which resulted in the destruction of Iranian nuclear centrifuges; and an attack on Saudi oil company Aramco which, in 2012, resulted in the destruction of over 35,000 computers. Oil production was put at risk and the company had to resort to fax and typewriters.
The government’s role
It’s important for businesses and organisations to consider the role of government. Davis hasn’t been impressed by the UK state’s performance – and describes it as “woefully inadequate”. He says that most governments do little to help their citizens. The UK has some “high-profile vanity projects” such as the National Cyber Security Centre (NCSC). He says that “that organisation does a good job protecting national infrastructure, but it does little for smaller organisations”. By way of example, he says that in May 2017 the WannaCry ransomware cryptoworm attacked many businesses and public bodies, including hospitals. It was not the NCSC that found a solution – that came from private security researchers within a few days.
While Isbell doesn’t disagree with Davis, he too says that the government has a responsibility to put in place legislation and provide guidance on how organisations might best protect themselves. Even so, he notes that “governments cannot legislate for every possible attack or threat that may emerge, and nor can they provide the detailed measures that are appropriate for individual businesses.” In essence, he says that individuals and organisations must take their own security seriously and take appropriate measures to ensure they are able to recover should they suffer an attack.
Lastly, it bothers Isbell that cyber security is seen as a annoying expense by business owners:“It provides no business benefit and is a cost many would choose not to spend. It’s a bit like an insurance policy that is needed just in case, but what is the lowest premium that can be paid whilst still getting a payout?”
In summary
So, when evaluating security and whether their business is a target, printers need to consider not just themselves but also their clients. They ought to consider what would happen if hackers were to gain access to systems, hackers could make more by not revealing that a breach had occurred by, for example, introducing malware and seeing what was printed before it was published.
Management has been warned.