Has the Russian invasion of Ukraine led to a spike in cyber assaults against UK organisations, even critical infrastructure? What can UK businesses do to avert such attacks and the costly financial and reputational damage that inevitably follows? What are the implications for the cyber insurance market?
Even before the Ukrainian invasion started, the UK’s cyber watchdog, the National Cyber Security Centre (NCSC), issued new guidance suggesting UK businesses should bolster their cyber security to stay ahead of what it predicted would be an enhanced threat. As early as January, the NCSC warned that “cyber activity in and around Ukraine fits with patterns of Russian behaviour previously observed, including in the damaging NotPetya incident” – a malware attack blamed on the Russian government, which is estimated to have cost affected organisations more than $10 billion globally.
As Theresa Payton, cybersecurity expert and former White House chief information officer, puts it, “we should prepare for the worst and operate at our best”.
Many commentators are expecting a spike in cyber-attacks connected to Ukraine, with the US issuing a warning on 20th April that Russia’s invasion of Ukraine could expose organisations both within and beyond the region to increased malicious cyber activity. What new threats now lie in wait, and how likely is it that UK plc will be targeted?
Is this the calm before the storm?
Whilst cyber insurers – a bellwether for trends in cyber activity – aren’t seeing a significant uptick in attacks against UK businesses yet, most do anticipate a shift in the tactics of state-backed actors towards assaults on specific industries.
There’s growing consensus that critical national infrastructure is at heightened risk, if threat actors are encouraged to mount purely destructive attacks rather than attacks designed to enrich themselves. Port operators and other key transportation and logistics hubs, as well as the energy sector, are likely targets alongside tit-for-tat attacks on multinational companies which have publicly announced their pull-out from Russia. Russia believes the West is waging a financial war using sanctions, so financial services firms may also be specifically targeted.
What can UK organisations do to avert such attacks?
UK firms should be shoring up their cyber security defences, driven by a C-suite that must be more engaged in addressing cyber risk at Board level. Client perceptions that they won’t be attacked (“We’re too small to be a target”; “We outsource our IT, so we’re ok”) are myths that must be continuously debunked. Businesses must do more to establish sensible cyber security controls, which are now seen as an absolute requirement before cyber insurance can be provided.
Companies of all sizes can take practical steps to beef-up their cyber defences. Zain Javed, CTO at Mitigate Cyber, which acts in partnership with Partners&, urges smaller businesses to take urgent action to protect themselves from cyber-attack:
- Train staff – one of the biggest risks to any business is human error. Poor or no staff awareness training leaves a big gap in your first line of defence. It’s estimated that 80% of cyber breaches are triggered by staff.
- Test your infrastructure – cyber criminals will use lots of sophisticated methods to find vulnerabilities to gain access. There are over 10,000 high severity vulnerabilities found in UK businesses each year. The key to having confidence that your business is secure is having it tested regularly. Regular ‘pen tests’ are sensible and, combined with real-time scanning, can deliver true peace of mind that you’re doing everything possible to detect threats and protect your business.
- Ensure good cyber hygiene – Cyber Essentials, a government-backed certificate created for all organisations of any size and any sector, is a good starting point. The scheme is used to demonstrate that organisations have the appropriate security and defences in place against common cyber-attacks and data breaches.
- Monitor networks – closely monitor activity across the company’s network that could indicate a threat. Software solutions are available that help a company analyse this data to identify threat patterns, and automatically respond to identified threats to remove or contain them.
What’s the outlook for cyber insurance?
The NotPetya incident has tested insurers’ ability to rely upon “war risk” exclusions within policy wordings, as it’s difficult to attribute a cyber-attack to a specific state.
Prior to the invasion of Ukraine, the insurance market was already reeling from a sustained barrage of ransomware losses and the financial impact of Covid-19. The ever-evolving threat and an upward trend in the cost of cyber-attacks have combined to drive demand for cyber insurance to new heights.
It’s critical that businesses establish sensible security controls in order to source insurance to meet contractual obligations or protect against liability, increased costs, and loss of reputation in the event of an attack.
The history of Russian cyber operations demonstrates that we should all take the threat seriously. There’s an expectation that Russia will co-opt cyber criminals to step-up attacks that punish firms which have pulled out of the territory, as well as critical infrastructure.
State-backed actors and Russian proxies are known to be active in purchasing dark web tools in order to blend in with banal activity. Therefore, ransomware and malware attacks may not easily be traced to Russia. Payment of ransoms by insurers and/or organisations will be made more complicated by sanctions, which outlaw payment to sanctioned groups or states. The ability for insurers to rely on war / state exclusions will be tested.
There has never been a time when cyber insurance has been more important to ensure the resilience of UK plc, but effort must be made to meet insurers half-way by implementing appropriate cyber security. Any business that has taken the time to consider its exposures and put intelligent risk controls in place will be best-placed to weather the coming storm – its regulators, shareholders, investors and key stakeholders will expect nothing less.
If you need any help or assistance, please contact Matthew Clark.