Tuesday 5 September 2023

Cybercrime and UK businesses in 2023

In April 2023, the Department for Science, Innovation and Technology published its ‘Cyber security breaches survey 2023,’ (the “2023 Survey”) covering the various forms of cybercrime including ransomware, viruses, spyware, malware, denial of service attacks, hacking (both in terms of unauthorised access of files or data, and online takeovers of websites, social media, and email accounts), and phishing attacks.

In the 2023 Survey we learn that there were approximately 2.39 million instances of cybercrime in the last 12 months, and that 32% of businesses recorded breaches or attacks in the last 12 months.

In terms of the cost of cybercrime, the 2023 Survey estimates that the average annual cost of cybercrime is approximately £15,300 per business, with the single most disruptive breach from the last 12 months costing a business of any size an average of £1,100. For medium and large businesses, this figure goes up to £4,960.

However, the 2023 Survey provides a further breakdown of the financial cost of cybercrime when it estimates the costs organisations incurred from cybercrimes, excluding those where the only activity was phishing, and where there was no follow-on crime from the phishing email, such as a successful ransomware attack. For crimes of that nature the mean cost is estimated to be anywhere between £15,300 and £20,900.

The 10 steps to Cyber Security versus 4 responses to Cyber Security

Furthermore, the 2023 Survey informs us that 14% of businesses (32% of medium businesses and 44% of large businesses) are unaware of the ‘10 Steps to Cyber Security’ guidance.

The UK’s top computer security watchdog, the National Cyber Security Centre (“NCSC”) continually publishes its updated guidance so that businesses can stay ahead of emerging cyber threats, with the first version originally written in 2012 by the NCSC’s predecessor.

The ‘10 Steps’ are applicable to small, medium and large organisations and are as follows:

  1. Risk management – Take a risk-based approach to securing your data and systems;
  2. Engagement and training – Collaboratively build security that works for people in your organisation;
  3. Asset management – Know what data and systems you have and what business need they support;
  4. Architecture and configuration – Design, build, maintain and manage systems securely;
  5. Vulnerability management – Keep your systems protected throughout their lifecycle;
  6. Identity and access management – Control who and what can access your systems and data;
  7. Data security – Protect data where it is vulnerable;
  8. Logging and monitoring – Design your systems to be able to detect and investigate incidents;
  9. Incident management – Plan your response to cyber incidents in advance; and
  10. Supply chain security – Collaborate with your suppliers and partners.

The 2023 Survey confirmed that around 37% of businesses have taken action on 5 or more of the 10 steps; this is much more common in medium businesses (75%) and large businesses (89%), and we are told that 7% of medium businesses and 20% of large businesses have enacted all 10 Steps.

Not to be confused with the 10 Steps, there is another series of measures that is in popular usage in the world of cybersecurity. These are the ‘4 Responses:’

  1. Treat – i.e., Modify the likelihood of a cyber attack impacting the business by implementing security controls;
  2. Tolerate – Make an active decision to retain the risk (this usually involves categorising such a risk of cyber attack as falling within the established risk acceptance criteria);
  3. Terminate – Avoid the risk entirely by ending or changing the activity which causes the risk of a cyber-attack; and
  4. Transfer – This involves sharing the risk with another party, usually by outsourcing the risky activity or taking out cyber insurance.

Unlike the ‘10 Steps,’ the ‘4 Responses’ are less about breaking down the task of protecting an organisation into 10 separate components, and are instead a broader categorization of the different risk management options an organisation can choose to pursue.

Updates on cybercrime trends and examples of cyber attacks

In the year 2023, various trends have converged to worsen the cyber-threat landscape, for example, geopolitics (in particular, Russia’s invasion of Ukraine), Artificial Intelligence (“AI”) advancements, new work models, organisation supply-chains and IT staff shortages.

Geopolitics case study: Russia-linked ransomware attack on Royal Mail

In recent years, China, North Korea and Russia have been accused of committing cyber-attacks on the West. Of course, with cybercrimes that originate from these states, it can be hard to differentiate between criminality versus state-sponsored or politically motivated actions.

Nevertheless, it is hard to ignore the fact that in the year Russia invaded Ukraine, 2022, the firm Chainanalysis estimated that 74% of all money made through ransomware attacks went to Russia-linked hackers.

A recent example from this year is the ransomware attack that caused severe disruption to Royal Mail, and was linked to Russian criminals. The cyber-attack was targeted toward the computer systems Royal Mail used to dispatch overseas deliveries; the ransom note read “Your data are stolen and encrypted.” As a result of the attack, Royal Mail had to advise people to not send international letters or parcels until the matter was resolved.

AI advancements case study: WormGPT and Fraud GPT

The development of AI language models, or ‘Large Language Models’ (“LLMs”), of which  ChatGPT is the most well-known example, is a reminder of how quickly the cyber landscape has changed in recent years.

LLM’s developed by high-profile tech companies (Google, Microsoft, OpenAI, etc.) have guardrails built into them which will not allow the user to write hate speech nor, particularly relevant to the topic at hand, generate malware.

But just months after OpenAI launched ChatGPT, dark-web forums and marketplaces have been selling chatbots, the two most infamous being ‘WormGPT’ and ‘FraudGPT,’ that can be used to generate phishing and scam emails.

In March 2023 the policing organisation Europol published a report entitled ‘Chat GPT – the impact of Large Language Models on Law Enforcement,’ warning about the criminal implications of chatbots and how they help remove a key line of defence against fraudulent phishing emails; namely, glaring grammatical and spelling errors.

This is doubly concerning when we consider how, according to the Office for National Statistics (“ONS”) in 2022, 50% of adults in England and Wales reported receiving a phishing email, and that, according to the 2023 Survey, phishing attacks accounted for 89% of cyber-attacks on UK businesses.

New models of working case study: the Colonial Pipeline hack

As we all know, the COVID-19 pandemic significantly accelerated the adoption of remote work. According to the ONS, around 5% of the UK workforce worked primarily from home in 2019. During the period of lockdowns and restrictions, the number increased vertiginously. According to an article entitled ‘Is hybrid working here to stay?’ published in May 2022 on the ONS website, more than 8 in 10 workers who had to work from home during the coronavirus pandemic said they planned to continue hybrid work.

In May 2021 the Colonial Pipeline operated by the Colonial Pipeline Company headquartered in Georgia, US, was hacked by a cybercriminal group called DarkSide, who used ransomware to encrypt the company’s data in exchange for the decryption key. The Company reportedly paid a $5m ransom.

Before COVID-19, the pipeline was managed on a closed system by workers onsite, but the need for social distancing led to staff using remote work arrangements that were not properly secured, which ultimately enabled the DarkSide hackers to access the Colonial Pipelines systems. In this way, the hack highlighted the broader challenges of cybersecurity in the age of working from home, and how essential it is for organisations to have watertight cybersecurity, regardless of where their employees are located.   

Supply-chain case study: the Sunburst hack of SolarWinds

In December 2020 the prominent IT software company, Solarwinds, was victim of a highly sophisticated cyber-attack, which utilised software updates on its platform. A pop-up message asked workers to download an update, which was done some 18,000 times; the workers didn’t know that this update was, in a sense, a Trojan horse. After lying dormant for some weeks, the undetected digital agent allowed hackers access to the computer networks of Solarwinds’ customers.

The notoriety of this hack, and the reason why some view it as the most consequential cybercrime in decades, is because it wasn’t just companies that utilised Solarwinds services, it was also the US Department of Homeland Security. In the words of Jackie Singh, lead cyber-security expert on Joe Biden’s presidential campaign, “Governments are unequipped to compete with Silicon Valley and develop their own complex software suites in house, thus the dependence on external supply chains are increasingly becoming a target for hackers.”

The reason why the Sunburst hack can be said to be indicative of supply-chain weaknesses is because the hackers leveraged the trust that organisations had in Solarwinds’ updates. In essence, the hackers targeted lower down the supply-chain – the digital backdoor – to reach their ultimate target.
 


Want to learn more about cybersecurity and resilience? Come along to the International Security Expo, which is taking place 26-27 September 2023 at Olympia London, where Resilience First has curated the programme for the Risk and Resilience Conference. Get your free pass here.


Sources

Authors

  • Frances Murray, Financial Crime Partner, Russell-Cooke LLP
  • Emily Russell, Financial Crime Associate, Russell-Cooke LLP
  • Edward Griffin, Financial Crime Legal Assistant, Russell-Cooke LLP