We need to dispel popular myths about cybercrime, says Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre. The scenario of the college geek hacker who accidentally starts a nuclear war – popular with Hollywood film studios since the 1980s – has perpetuated “well-intentioned misinformation” and led to ongoing confusion between state-level cyber warfare and corporate-level cyber theft, blackmail and sabotage.
This is not only misleading, but is contributing to a widespread failure to tackle cybercrime in the same systematic, standardised way we assess and mitigate other significant risks. If we continue to see cyber risks in apocalyptic terms, we will carry on viewing them as unique and less manageable than other mainstream corporate threats, he will warn delegates at the Chartered IIA’s Internal Audit Conference in November.
Reality is more mundane, yet also more insidious than scriptwriters tell us. “The problems are chronic, not catastrophic,” Martin explains. “No government has attributed a single death to cybercrime, however the costs to organisations can be millions.”
The risks are well-documented – from small amounts being “skimmed” off numerous transactions to massive well-planned heists, intellectual property theft and corporate espionage, data losses and operational outages, not to mention huge regulatory fines and reputational humiliation.
“These are all getting worse and the risk that has risen most significantly over the past year is that of ransomware,” Martin says. “For example, Russian-based hackers recently prevented a school in Croydon from opening any of its automatic doors until it paid a ransom.”
Similarly, most cybercrime is not conducted by state-level evil geniuses, or by rogue teenage idealogues trying to bring down civilisation. It is conducted by criminal organisations that base themselves in states such as Russia and China because they know that the authorities will turn a blind eye to them, Martin explains. This leads to further confusion between state-sponsored and state-tolerated cybercrime, which is unhelpful because it gives cybercrime the status of a geo-political threat, rather than common theft.
Enhancing the status of cybercrime, both in terms of the kind of threat it poses and of the intelligence and connections of the criminals, increases our fear of it and prevents us from treating it as we would other risks.
“Internal auditors are part of a family of people who work to ensure that our organisations are well-governed, but misunderstandings around cybercrime mean that we have not implemented the same automatic stabilisers we use to deal with other business risks,” Martin says. “Twenty years ago, when I worked at the Treasury, I had to look at pension scheme risks, although I was not a pensions expert. Today, I could still look at documents about pension scheme risk and understand how a business is handling it. It’s far harder to understand how organisations are tackling cyber risk – we haven’t got the same standard reporting systems and structures.”
For example, insurance providers do not share a common understanding of cybercrime as they do in the case of comparable risks. “One company recently paid out money to hackers because their insurance company recommended that they should, even though they didn’t know whether any harm had been caused,” Martin says.
“In another case, the insurers refused to pay out after a breach because the hackers were Chinese and, therefore, the attack was categorised as an ‘act of war’, even though it was a normal, low-level hack.”
A perception that cybercrime operates at a higher level than other crime and is beyond the comprehension of mere business managers is dangerous because it discourages managers from engaging with the real issues. Many deflect the problem by hiring experts to understand it for them.
“The reaction has been compared to attitudes to Medieval witchcraft – don’t try to understand it, just fear it and buy an expensive magic amulet,” Martin says.
He argues that all board members should understand the critical cybercrime issues for their organisation and that a named director on the board should be explicitly responsible for cyber risk.
It’s not possible to protect an organisation from every cyber attack, but all organisations need to know which cyber risks are critical for them and ensure that their employees have the best tools to manage their technology safely. Employee behaviour is a critical part of protection, as is a well-understood and comprehensive recovery plan.
Most cyber attacks employ tactics that have been around for many years. If they still work, they don’t need to change. This means that organisations don’t necessarily need the latest tool or security package, but they do need to do the basics thoroughly and understand their own critical risks. If managers don’t understand these, they need to ask those who do.
“There is no such thing as a stupid question – the world is plagued with glitzy Powerpoint presentations about cyber that no one understands, so it’s important to ask questions until you understand the answers,” Martin says.
Fashionable initiatives such as “ethical phishing” to test who clicks on a suspect email need to be done well and can be counter-productive if they create a blame culture, he adds.
“You will never get zero clicks on a phishing email so the real issue is to work out where the clicks are coming from, how fast you detect a problem and what you do about it,” he advises. “If only 15 per cent of your staff click on a phishing email it looks good – unless they are all in your SIS admin team. Then it is serious. I’d rather see 30 per cent of staff clicking on the email, but find that none of these had access to important information. You also have to look at where hackers are getting in – are the contact details for your SIS team all over the internet?”
Internal auditors can play an important role in prompting constructive conversations about cybercrime and identifying the areas of the business where the risks are most serious. They can also help to dispel the false impression that cybercrime is too difficult to understand and monitor staff behaviour and security processes.
“Cybercrime isn’t exciting, it’s actually quite boring. It doesn’t cause wars, but it does hurt everybody in society,” Martin concludes. His message is clear: we need to stop fearing the criminals and start asking the right questions.
Ciaran Martin was the founding CEO of the National Cyber Security Centre and is now Professor of Practice, Blavatnik School of Government, University of Oxford. He will be addressing the Chartered IIA’s Internal Audit Conference on 2 November.
Booking is now open for the Chartered IIA’s Internal Audit Conference on 2-3 November 2021. This year for the first time, the conference will take place both in physical locations and online, enabling delegates from across the UK and Ireland to attend safely and conveniently.
Key themes on day one are: digital and cyber; environmental, social and governance; innovative auditing; public sector spotlight; and business resilience.
Key themes on day two are: financial services hot topics; environmental social and governance; practical auditing; skills development; and data analytics and audit technologies.
This article was first published in September 2021