A recent report from McAfee and the Center for Strategic and International Studies in Washington, DC estimated that globally cyber crime costs $400 billion a year. Here – ahead of his talk at Procurex Wales – Paul Clarke, Managing Director of cyber security firm Xenubis, tells BiP journalist Julie Shennan how the threat is evolving and what the supply chain can do to tackle it.
Xenubis is a global IT firm that provides intelligence and security solutions to identify cyber espionage and criminal activity across the physical, human and digital dimensions. Managing Director Paul Clarke is a passionate advocate of cyber awareness, speaking at events such as DPRTE and Procurex Wales on the topic.
Mr Clarke’s concern is well reasoned; earlier this year internet service provider (ISP) Beaming surveyed over 500 UK firms and found that one in eight had suffered malware attacks costing an average of £10,516 to manage.
Mr Clarke noted: “That is only the cost that we know of; a lot of companies don’t make their breaches or attacks public knowledge. This cost also does not count the effects on reputation and customer confidence.”
He went on to explain that globally cyber crime was outpacing traditional crime.
He said: “It is bigger than the global drugs trade. Cyber crime is more convenient to criminals than analogue crime; they don’t have to leave home or smuggle anything, so there is no way that the criminals are going to stop committing it.”
Hacktivist culture is also making cyber breaches easier to commit.
Mr Clarke warned: “Cyber attackers’ skills and tools are more advanced than ever; you can go to the Dark Net now and get a hacker’s kit which comes equipped with a fully managed helpdesk, allowing people with no experience to attempt a breach. So the threat is not now just from state-sponsored activists, it is also from organised criminals and collectives, such as Anonymous, who might have other motives.”
This increasing range of hacker types, Mr Clarke observed, is facilitated by the mobilisation of the Internet of Things. “The increasing connectivity of smartphones will in turn provide an increased marketplace for criminals,” he cautioned.
“So if you are thinking of making your business mobile-responsive then you need to think about cyber risk and cyber security. This threat is not going to go away; it is just going to get more advanced.”
Mr Clarke speaks from years of experience – having worked as a security advisor to government, as a private cyber security consultant and as a former Serviceman. However, he explained that the facts of the cyber threat were plain for all to see.
He said: “There is a lot of information out there on cyber breaches; TalkTalk, LinkedIn and the Panama Papers data leak all show how common cyber attacks are. Every bit of information in the news shows that the cyber threat is real and will affect most people at some point.”
SMEs, Mr Clarke added, are no exception.
He emphasised: “SMEs, especially non-finance SMEs, might be tempted to think that they are too insignificant to be targeted, but this is not the case. Money is going lost in normal transactions and through breaches of customers’ emails.”
With that in mind Mr Clarke urged suppliers of all sizes to invest in good cyber security.
He said: “The threat is real; it’s a case of when, not if, an attacker will target your company. Companies need to approach the topic of cyber security, understand how cyber threats manifest themselves in their business and how they can protect themselves at the highest level possible.”
This means prime contractors examining their whole supply chain and identifying any soft spots that hackers could target. “Attackers will target the easiest route into this supply chain, so it is up to the prime contractors to ensure that their partners are protected,” he explained.
Mr Clarke also urged the CEOs of all companies to take ownership of their organisation’s cyber security.
He said: “CEOs must start from the top down and implement education, training and awareness to ensure that everything possible is being done to protect data, money and reputation.
“CEOs and senior executives need to understand that it is up to them to protect their own and their customers’ data by mitigating risk. Ministers are now discussing the consequences for company leaders who do not protect their data, such as fines from regulatory boards.”
While cyber security failures could be cause for punishment, cyber vigilance could equally be cause for reward, with the Government’s Cyber Essentials Scheme (CES) recognising responsible organisations.
Mr Clarke explained: “If you want to be on government supply chains you need to ensure you are signed up to the Cyber Essentials programme. You must also ensure your IT team have the relevant external tools – to understand where the cyber threat comes from and how to mitigate the threat – and if the IT team don’t have these tools then they must outsource them.”
Mr Clarke recognises the UK cyber skills shortage, saying not enough operational and academic training is currently on offer – to the right people – to tackle the cyber threat head-on. However, he remains optimistic that the public and private sectors can work together to make up this shortfall.
He concluded: “Government should work with the private sector to help suppliers raise awareness, increase compliance with Cyber Essentials and increase access to cyber protection tools.”
For more information come to see Mr Clarke speak at Procurex Wales Digital Procurement Zone on 6 October 2016.