One of the UK government’s leading cybersecurity experts has warned that investors should play a greater role in forcing companies to counter cybercrime.
Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), told The Times that institutional investors should be asking questions of companies on their cybercrime policies.
His warning comes at the start of a three-day conference in Manchester—CYBERUK 2018—exploring issues in cybersecurity.
The conference launched with a joint report from the NCSC and the National Crime Agency (NCA), which said that UK companies face more online attacks from criminals than ever before.
Ciaran Martin told The Times: “People talk about whether there should be mandatory regulation in cybersecurity. I think one thing that would help enormously is if institutional investors played a stronger role in asking the tough questions across the corporate sector. There should only be government intervention where it is essential.”
The report explores the threat from ransomware (such as the now notorious WannaCry attack), data breaches and supply chain weaknesses.
The report also highlights emerging threats such as theft from cloud storage and cryptojacking—the process in which computers are hijacked to create cryptocurrencies, such as bitcoin.
The report said: “Cyber attacks have resulted in financial losses to businesses of all sizes. The costs arise from the attack itself, the remediation and repairing reputational damage by regaining public trust.
“Attacks have also triggered declines in share prices and the sacking of senior and technical staff held to account for massive data breaches.
“The enforcement of the General Data Protection Regulation (GDPR) in May 2018 could, under certain circumstances, lead to severe fines for organisations which fail to prevent data breaches, which result in a risk to the rights and freedoms of individuals.”
The WannaCry attack in May 2017 rendered computers unusable and demanded a $300 ransom in bitcoin to unlock them. A third of NHS trusts were affected, with up to 69,000 NHS appointments cancelled, according to the report.
It is believed that the WannaCry attack originated from North Korea, from hackers known as the Lazarus Group.
The NCSC and NCA report said: “With attackers able to achieve many of their aims by using techniques that are not particularly advanced, the distinction between nation states and cyber criminals has blurred, making attribution all the more difficult.”
A survey last year by law firm Fox Rothschild found that 53% of executives believed their cybersecurity and data privacy budgets were insufficient to respond to a breach. The poll also found that nearly a third of companies do not train all their employees on data breach prevention.
The survey also found that more than half of executives thought their companies were at “high or very high risk of data breach”.