It’s obvious that 2022 has seen various cyber risks increasing, plus new opportunities for fraud as crypto and NFT investments have proved more popular. So it was good to get some insights from Daniel Carr, Head of Cyber, Ariel Re.
1. So far the war in Ukraine hasn’t led to a huge cyber attack, as predicted some weeks ago. Does that show infrastructure systems are getting better at spotting and defending against organised attacks?
The unfolding events in Ukraine are clearly a shock to the global economic and geopolitical risk landscape. Similarly, the Russian state has developed advanced offensive cyber capability over a number of years, and has demonstrated an appetite to use it in the past.
Whilst Russia maintains the ability to mount destructive cyber attacks on behalf of the State, what is not currently clear is whether that would be a wise course of action given the global geopolitical instability at present.
Contrary to traditional wisdom, neither Western nations (notably those in NATO) nor Russia will want to engage in offensive Cyber operations at this time, given the on-going conflict. Doing so risks escalating tensions significantly, and has the potential to be misconstrued, by either party, as an Act of War directly against the victim nation. For the West, this could draw them into a kinetic military conflict. For Russia, this could widen their scope of targets and significantly alter their chance of a successful military operation in Ukraine – their principal objective at this time.
Therefore, whilst Western businesses have been improving their ability to detect and defend against attacks, they still remain vulnerable to attack. The same however is true of other nations’ infrastructure. Consequently, the lack of anticipated cyber activity following the Ukrainian conflict may not necessarily be a reflection of infrastructure’s growing security, but a culmination of a number of broader and complex geopolitical risk factors.
2. Does the rise in NFTs and coins open up businesses to a new wave of cyber attacks and ransom demands? How can insurers educate their clients on this payment method?
NFTs and crypto coins, whilst both being based on blockchain technologies, are fundamentally very different assets with different objectives.
NFTs are, largely, associated with digital art and copyright. The legal framework around their use and asset ownership remains immature, especially around copyright protection laws. The market for NFTs is, currently, proving to be a very valuable and lucrative one. However, like cryptocurrencies, it is likely to continue to be volatile and uncertain. Nevertheless, any asset that has a significant market value is likely to be a target for theft (physical or otherwise). Well implemented blockchain technology has strong security characteristics, and should aid the protection of the assets using their platforms. However, vulnerabilities will always remain in any system and if the asset is valuable enough, they will be targeted.
Coins on the other hand are designed to be more exchangeable and underpin transactions. Consequently, they are the asset of choice from cyber criminals due to their ease of exchange and anonymity. As these technologies develop and potentially transition into the wider regulated economy, the risk associated with their use, whilst it does not necessarily diminish, it will likely evolve. Any business purchasing coins – e.g. as an investment asset – or processing coins as a form of payment, is recommended to use respected, regulated and well-known providers. As they would with physical currency and use of a bank, the same care and diligence should be taken with any provider storing or processing your digital assets – such as digital wallet providers.
This is challenging to do at this time, as regulation and minimum standards for these services are not as established as traditional banking and finance regulation. As a result, customers should take additional caution and seek third-party advice, where necessary, to help assess, monitor and manage this risk. This will undoubtedly mature in time, but blockchain remains an emerging technology which in and of itself, brings a number of risks – not just security but also execution.
3. Hybrid working means using mobile hotspots, public WiFi etc – what’s the latest advice on protocols and best practice that brokers and insurers can offer to clients?
The pandemic brought about a seismic shift in working patterns that was heavily dependent upon, and enabled by, the increased use of flexible technology. Connectivity is a prime example, and public networks do pose a number of digital risks, as does using personal devices for business purposes – where the security profile of the device cannot necessarily be managed directly by the business who bears the risk (be that for legal or practical purposes).
The above notwithstanding, individuals and businesses can do a number of simple things to help secure their connections. For public or open networks, the use of Virtual Private Networks (VPNs) provides a layer of protection from eavesdropping from other users residing on the same network. Businesses can run their own VPN – allowing secure access into file systems and company assets remotely – or if securing the use of public WiFi is the main goal, a number of service providers provide accessible VPN services through easily accessible apps.
Whilst VPNs protect the network traffic, authenticating and establishing a connection to a VPN remains a risk. As a result, users are recommended to make use of multi-factor authentication (MFA) to prevent attackers from obtaining user credentials and masquerading as a legitimate user. Again, there are both commercial-grade solutions for MFA and more accessible options – such as Google Authenticator.
Finally, for businesses that have the right governance and regulatory framework in place they may also wish to explore the use of Mobile Device Management (MDM) services. This allows the business to monitor and set the security profile of a mobile device before allowing it to remotely connect and interact with critical business systems.
To protect all assets connecting in and out of the network, regardless of where from, customers could explore the use of Extended Detection Response (XDR) services.
4. Is the public sector still too dependent on legacy systems and does that leave them open to major terror/cyber attacks by rogue actors or States?
The public sector – through its very scale and need to remain conscious and prudent with the use of public funds – inevitably relies upon various legacy systems. As some of the largest institutions in the world, their complexity is a significant challenge. Any technological refreshes are, inherently, costly exercises that also bring significant execution risk, budgetary constraints, and new risks to the overall ecosystem.
Whilst modern technologies are likely to be secure against established threats and techniques, that is not to suggest they are perfectly secure. Any system is a combination of multiple components and sub-systems – some old, some new. It is the combination of these elements that needs securing, alongside the processes and people interacting with their use. Technology plays a significant part in protecting systems and information, but the people and processes play an equally pivotal role, if not more so.
With respect to the residual risk that legacy systems pose to the public sector, inevitably vulnerabilities remain. However, the same would likely be true in the event legacy systems were completely replaced with new technologies, the risks would just differ. However, this is not practical to achieve at scale or in line with the pace of innovation. Ultimately, for highly motivated and capable threat actors – e.g. foreign states – that are suitably resourced, they will find ways to compromise systems if they are a valuable enough target. Legacy systems arguably make this somewhat easier to achieve, given the world’s understanding of their vulnerability, but this isn’t necessarily going to prevent a motivated and resourced actor from mounting attacks – albeit it may lend a helping hand.
Terror groups have different motivations, resources and technical experience. Ultimately, the goal of any security organisation is not to ensure their systems are perfectly secure – this is almost impossible to achieve – but to make any potential attack challenging and expensive enough that it becomes impractical to pursue by the actors they face. This applies to legacy or modern infrastructure, and in practice, it will always be a combination of the two as innovation drives change in technology and systems evolve.