Recent elections have been subject to plenty of speculation over state-led interference – but while Russian involvement in President Trump’s US triumph may be open for debate, there is no denying that the UK’s Labour party was subjected to its own large-scale attack earlier this month. On Tuesday, November 12, it was reported that the Corbyn-led political opposition had suffered a second cyberattack only a day after facing a “sophisticated and large-scale” attempt to disrupt its digital platforms.
Speaking with Insurance Business, Jano Bermudes, head of cyber risk consulting, UK & Ireland at Marsh, outlined what a distributed denial of service (DDoS) attack involves. It is, he said, “the use of a group of internet-enabled computers that have been compromised by attackers and formed into what is called a botnet (a network of compromised computers or internet-enabled devices).”
These devices are directed, he explained, to make legitimate, functional requests to a web application with such intensity, and in such numbers, that they overwhelm the computers hosting the targeted application. Individually the requests look like normal traffic; it is the volume that does the damage, to the point that customers or other users of the system experience service degradation or complete service disruption.
Botnets, Bermudes outlined, are commonly formed from any kind of internet-connected device, and one of the main issues with these attacks is that the users and manufacturers of the compromised devices are often neither aware of nor impacted by the malicious use of those devices, and “therefore, the situation over time is unlikely to change unless the government intervenes with regulation.”
DDoS attacks are particularly challenging, Bermudes said, because the obvious response, shutting off access, also denies access to legitimate users and thus ends up “perpetuating the denial of service attack that was intended.”
“There are,” he said, “now a number of providers including Akamai, Cloudflare (who I believe provide services to the Labour party website) and others, that provide a DDoS mitigation service… Any business that relies on always-on internet-based customer channels should consider investment in DDoS mitigation services.”
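The trade-off Bermudes describes, that simply closing the doors denies service to the very users the attack was meant to cut off, and the reason the “distributed” part makes mitigation hard, can be seen in a small simulation. The following is an added example written for this article, not code from Marsh, Cloudflare or the Labour party; all traffic in it is constructed, and the capacity figure, per-client limit and client labels are assumptions chosen to make the numbers easy to follow. It compares a global cut-off against a per-client sliding-window rate limiter, first against a handful of noisy bots and then against a botnet whose members each stay under the per-client threshold.

```python
"""Added illustration of the DDoS mitigation trade-off described above.

All traffic below is constructed (not captured data): a few legitimate
clients plus a botnet whose requests are individually well-formed.
"""
from collections import defaultdict, deque

ORIGIN_CAPACITY_RPS = 200   # assumed: requests/second the origin can serve
PER_CLIENT_LIMIT = 10       # assumed: max requests per client per window
WINDOW_MS = 1000            # sliding window length (integer ms, no float drift)
LEGIT_CLIENTS = ("10.0.0.1", "10.0.0.2", "10.0.0.3")   # constructed labels


def build_traffic(n_bots, bot_rps, legit_rps=2, duration_s=5):
    """Return constructed (timestamp_ms, client, path) tuples, time-ordered."""
    reqs = []
    for ip in LEGIT_CLIENTS:
        for i in range(legit_rps * duration_s):
            reqs.append((i * (1000 // legit_rps), ip, "/news"))
    for b in range(n_bots):
        # Bots fetch an ordinary page: nothing about a single request marks
        # it as malicious, only the aggregate volume does.
        for i in range(bot_rps * duration_s):
            reqs.append((i * (1000 // bot_rps), f"bot-{b:04d}", "/news"))
    return sorted(reqs)


def peak_rps(reqs):
    """Highest number of requests landing in any one-second bucket."""
    buckets = defaultdict(int)
    for ts, _, _ in reqs:
        buckets[ts // 1000] += 1
    return max(buckets.values(), default=0)


def global_switch(reqs):
    """Control 1: when a second's load exceeds origin capacity, drop that
    whole second. Stops the flood, and every legitimate user with it."""
    buckets = defaultdict(int)
    for ts, _, _ in reqs:
        buckets[ts // 1000] += 1
    return [r for r in reqs if buckets[r[0] // 1000] <= ORIGIN_CAPACITY_RPS]


def per_client_rate_limit(reqs):
    """Control 2: sliding-window limiter keyed on client identity. Only a
    client exceeding PER_CLIENT_LIMIT requests within WINDOW_MS is throttled."""
    recent = defaultdict(deque)      # client -> admitted timestamps in window
    admitted = []
    for ts, client, path in reqs:    # reqs is time-ordered
        q = recent[client]
        while q and ts - q[0] >= WINDOW_MS:
            q.popleft()              # expire entries older than the window
        if len(q) < PER_CLIENT_LIMIT:
            q.append(ts)
            admitted.append((ts, client, path))
    return admitted


def summarise(admitted):
    """What reached the origin, and whether it could still cope."""
    legit = sum(1 for _, c, _ in admitted if c in LEGIT_CLIENTS)
    load = peak_rps(admitted)
    return {"legit_served": legit, "bot_served": len(admitted) - legit,
            "peak_rps": load, "origin_overloaded": load > ORIGIN_CAPACITY_RPS}


if __name__ == "__main__":
    # Scenario A: 15 noisy bots at 100 rps each. Per-client limiting keeps
    # the legitimate users online; the global switch drops them as well.
    noisy = build_traffic(n_bots=15, bot_rps=100)
    print("noisy botnet, global switch:", summarise(global_switch(noisy)))
    print("noisy botnet, per-client   :", summarise(per_client_rate_limit(noisy)))

    # Scenario B: 500 bots at 1 rps each, every one under the per-client
    # limit. Nothing is throttled and the origin is still overwhelmed: this
    # is the "distributed" in DDoS, and why the excess has to be absorbed
    # upstream, by the kind of provider named above, rather than at the origin.
    quiet = build_traffic(n_bots=500, bot_rps=1)
    print("quiet botnet, per-client   :", summarise(per_client_rate_limit(quiet)))
```

Run it as a script: in the first scenario the per-client limiter serves all 30 legitimate requests and holds peak load at 156 requests per second, under the assumed capacity, while the global switch serves nobody. In the second scenario the same limiter admits everything and the origin sees 506 requests per second, which is the case a mitigation service with far more ingress capacity than the origin is bought to handle.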
Bermudes outlined how some businesses, as they move towards digital channels and revenue streams, are “taking on more and more cyber risk and sometimes doing so far too quickly.”
He said the key for brokers who are engaging with new cyber risk is not to underestimate the risks involved, and to ensure they receive high-quality advice, whether in-house, through investment in a CISO, or through external advisors.
“To properly manage the risk, one must fully understand one’s potential loss exposure and the effectiveness of any mitigations you have in place,” he said.
For organisations that have always operated in the digital domain, Bermudes said, including tech companies, online retailers and defence contractors, it is not so much a question of a growing risk but more of an evolving and changing risk.
“It is simply a critical component of doing business in the digital domain in the same way that safety is always going to be a serious issue when it comes to industries such as manufacturing, medical and upstream oil exploration,” he said. “For these businesses, there is a tax to doing business in these sectors… to avoid fatalities and the implications of loss of control.”
A fundamental issue, as Bermudes sees it, is “spend on cyber that does not reduce the threat profile due to only being approved after an attack.” The Marsh survey found that the majority of businesses believed a cyberattack would be the biggest driver for increased spending in this area.
“This tells me that businesses have a much higher risk appetite than they might let on,” he said.
Competitive disruption is also creating cyber losses, Bermudes said, with businesses adopting new technologies such as IoT and cloud services faster than they can manage them. And, as highlighted by the recent cyberattack on the Labour party, the full implications of cyber risk are being felt not only by businesses but also by government and the public sector, as well as by individuals.
Discussing whether cyber is developing as a threat to non-business sectors, Bermudes said that, in the current geopolitical climate where war is carried out by proxy, “cyber warfare is the ultimate tool for causing disruption and for gain.”
He said: “Having heard recent updates from the NCSE and from the NSA on our national positions in regards to cyber, we will see continued significant investment in both preventative and offensive cyber weapons and tools, which will in turn force our adversaries to do the same.”
With cyber risk now firmly established as a key risk to any organisation operating in the digital sphere, it is comforting to hear that Bermudes believes the greatest misconception about this threat is the idea that cyber risk is unmanageable. For, as he outlined above, cyber risk is controllable with the right protections in place and a thorough understanding that prevention is better than cure.