Decades ago, hacking was seen as the preserve of computer whizz-kid teenage boys: A furtive activity at their bedroom PCs with the relatively innocent intent to see if they could penetrate organisations’ information and communications technology (ICT) environments. Since then, hacking for the purpose of organised crime has grown and is an ever present threat. This can involve teams of professional hackers working together to gain an individual’s information, such as personal details and account details.
In early 2015, the UK and US took a clear and highly publicised step to recognise computer hacking as a weapon with which nations can attack, and be attacked with. Barack Obama and David Cameron held talks in Washington on 15th and 16th January, which included discussion on the threat of cyber attacks. As a result, the UK and US have made a joint commitment to stage cyber war games. The BBC News website reported on 16th January 2015 that the first exercise will involve the financial sector, spanning the Bank of England, commercial banks, the City of London and Wall Street.
This was followed by news on 16th January that multiple French media websites had been cyber attacked, with the intent of bringing down the websites. The head of French military cyber security identified structured Islamist hacking groups as the cause, which suggests it is related to the Charlie Hebdo attack earlier in the week.
This begs the question, “If France, the UK, and US (amongst other nations) are targets for organised cyber attacks, what happens if attacks on national infrastructure succeed?” How many people would be impacted if bank accounts and credit cards froze? Or if hospital and healthcare ICT systems crashed? Could military and national power grid ICT systems be hacked? What if your organisation was cyber attacked?
Now more than ever organisations should continue to invest in information security, to strengthen defences with skilled specialists and the right hardware and software to identify and nullify threats. However, organisations must equally prepare their business continuity response on how to deal with cyber breaches. This will not only be an ICT response. It will also involve media communications, using business continuity plans and working with stakeholders and key suppliers to reduce the impact. As an organisation, have you exercised for cyber attacks from the start point (penetration / potential penetration) through to your response to a critical breach (encompassing the business continuity response as well as the technical information security response)?
On a personal level, we as individuals can make decisions to help protect ourselves. For example, do you have the same bank as your partner? Is your credit card provided by your bank because of a preferential rate? You may consider splitting providers and spreading the risk. Similarly, if you keep very little cash and tend to focus on electronic purchasing, it may be prudent to keep a small cash reserve.
In terms of the national threat, I suggest we should applaud the UK and US announcement for cyber war games and hope that this is the beginning of many simulation exercises that will help to strengthen national cyber defences. The consequences of a critical breach at a national infrastructure level could be significant and far reaching. A sobering line in Sun Tzu’s “The Art of War” comes to mind, “the supreme art of war is to subdue the enemy without fighting.”
About the writer
David Davies is a BCM Assurance Consultant at Phoenix