Lisa Fröhlich and Charlotte Hill discuss the state of security in the digital world in interview
“Educating the entire workforce about how cyberattacks can infiltrate systems”
Interview with Lisa Fröhlich (Spokesperson, Link11) and Charlotte Hill (Partner, Penningtons Manches Cooper) about the state of security in the digital world
Cyber and DDoS attacks have not just been on the rise since the war in Ukraine. How do you assess the current situation in the UK?
Lisa Fröhlich (Spokesperson, Link11): What we are identifying worldwide is an enormous professionalisation of cybercriminals and especially DDoS attackers. The times of spontaneous individual perpetrators are long gone. Today's cybercriminals are no longer lone hackers pursuing financial profit through digital attacks. Instead, cybercriminals pursue the goal of attacking the critical infrastructures of mostly western countries to destabilise societies.
Furthermore, in the first half of 2023 DDoS attacks reached their critical volume after an average of just 60 seconds. Last year it took 93 seconds, which makes them harder to neutralise nowadays.
Charlotte Hill (Partner, Penningtons Manches Cooper): Cyber and DDoS attacks remain rife – just this year we have seen large corporates suffering various attacks including British Airways, the British Broadcasting Corporation (BBC) and Boots from the MOVEit software hack, along with various institutions such as universities being targeted.
This supports what Link11 is seeing, with critical infrastructure being targeted – a clear move away from just seeking financial profit – not just in the UK, but in the West more generally.
The UK Cyber Security Breaches Survey 2023 estimated that across all businesses, there were approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the past year. Yet we know that many attacks are not reported, and so we estimate that the attack rates are actually much higher.
Are there regional differences? Is Germany, as a member of the EU, less threatened by cyberattacks than the UK?
Fröhlich: Individual laws of the European Union, such as the NIS2 Directive, can certainly create a type of standardisation between the member-states. However, this does not automatically mean that companies, public institutions or platforms in the EU are automatically better protected than for example in the UK.
Hill: While the UK’s laws in this area are not consolidated in one place, but instead feature across a number of pieces of legislation, we are well placed to deal with these issues. The NIS Regulations have already transposed the requirements of the Cybersecurity Directive into UK law, with the government proposing further changes following its post-implementation review to enhance the protections afforded by the Directive.
The NIS2 Directive will have an extraterritorial reach, applying to non-European Economic Area “digital service providers” who offer services in the EEA, and so I expect the UK to provide similar protections to those being afforded to the EU when the NIS2 Directive is implemented in October 2024.
When it comes to the cyber threats, what common mistakes are companies making?
Fröhlich: In my opinion, and unfortunately, the danger of DDoS attacks is too often underestimated. In fact, DDoS attacks have the potential to take down entire company networks by means of controlled requests. Economic and reputational damage can therefore harm affected organisations in a very crucial way. In the worst case, the failure of entire systems can lead to insolvency for the affected companies.
To prevent this, DDoS protection has to be at the latest level, capable of neutralising attacks within the shortest possible time-to-mitigate.
Hill: In my experience, many companies believe that this is a remote risk and they therefore choose to delegate the consideration of these issues to their IT teams.
While of course IT teams are instrumental in the defence of cyberattacks, it is a wholesale issue that needs addressing from board level down – once companies properly understand the risks that they are exposed to from cyberattacks, they commonly strive to apply high standards to their cyber security protocols to mitigate such risks.
It is important for directors (at least under UK law) to remember that they have a duty to act in the company’s best interests, and so they could be liable if they choose to ignore these ever-increasing cyber risks.
In the context of critical infrastructure, what role does incident response play, and what steps would you take to manage a cybersecurity incident effectively?
Fröhlich: Firstly, the attacked companies should register such an attack. The fact that cyber and DDoS attacks are still being kept secret in too many cases is a huge risk, because only cybercriminals benefit from this circumstance, while the targets only suffer additional damage.
Hill: I agree that attacks should be registered – greater transparency will assist with the future defence of these attacks.
Best practice would dictate that all companies, particularly critical infrastructure, should rehearse how to deal with an incident – it is hard to understand how your team will act under immense pressure until they are placed in such a position.
A company should have a clear policy in place as to who will be responsible for what – from bringing in an incident response team to deal with the actual attack and mitigating the damage to the systems, to seeking immediate legal counsel to assist with any reporting issues, dealing with insurers, negotiating with the attackers etc., to deciding who within the business will report to key stakeholders and what messages should be communicated to employees.
There is a lot to be done in a very short space of time under intense pressure, and so having a clear plan in place which has been practised has in my experience made a real difference when a company is subject to a real attack.
What proactive measures can be taken to mitigate the risks of DDoS attacks on critical infrastructure? How does traffic scrubbing work, and why is it important?
Fröhlich: In addition to the installation of modern DDoS protection, it is also crucial to ensure the necessary awareness of digital attacks among employees. Even in particularly well-protected companies, a combination of inadequate protection mechanisms and insufficient awareness could lead to a DDoS attack with serious consequences that paralyses the energy supply. Mostly cloud-based and automated DDoS-protection solutions can ensure sufficient security for an organisation.
Hill: I agree that education is fundamental when seeking to mitigate such a risk – a company is only as strong as its weakest link, and so educating the entire workforce about how cyberattacks can infiltrate systems is key, as well as the basic steps that can be taken by each individual to heighten awareness.