Cyber_Bytes - Issue 49

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

ICO confirms focus on prevention rather than punishment

John Edwards, head of the ICO, recently spoke at fireside conference held at CMS' London office, convened by RPC's Data partner, Jon Bartley.

During the conversation, Edwards said he will not seek to match EU regulators in racking up a “stack of fines” as he advocated for taking a “bold” approach to regulation. The ICO's focus will be to make UK privacy laws clearer and prevent data breaches from happening in the first place.

He warned that focusing on punishing breaches rather than preventing them from happening is a “really inefficient way of regulating.” Edwards promised to "work alongside organisations to assist them achieve their objectives" in laying out a new regulatory framework. He also reassured that there is no need for concerns around a radical shake-up of data privacy rules, adding that he is "not here to be the architect of the deconstruction of the data protection framework.”

Click here to read the City AM article.

UK schools are well built for cyber resilience

New research by London Grid for Learning, in collaboration with the NCSC, surveyed over 800 schools across the UK and showed that over half the schools in the research (53%) felt prepared for a cyber-attack.

All schools surveyed now use firewall protection, two thirds use two step verification for important accounts, and over half of the school leaders and governors felt more informed about the cyber security issues within their schools. The NCSC's 'cyber security for schools' website contains free cyber security training for school staff, and almost half of the surveyed schools were aware of this service. The pandemic and widespread adoption of home schooling has meant schools are more reliant on IT-related services for both administrative and learning functions.

Almost 78% of schools surveyed had experienced at least one type of cyber security incident, confirming that the threat is still out there, with ransomware attacks in particular increasing across the sector. The NCSC, working alongside the education sector has plans to design accessible, practical guidance for schools wanting to build their cyber security resilience.

Click here to read the NCSC blog post.

Companies warned to step up cyber security to become insurable

The World Economic Forum (WEF) published its Global risk report 2023, and identified cyber insecurity as one of the top 10 risks facing governments and organisations over the next 10 years. The report rates cyberwarfare as a more serious threat to stability than risks of military confrontation. The reason is that cyber-attacks can dramatically destabilise critical infrastructure, such as healthcare and public institutions. Greater numbers of employees working from home and the increased use of digital technologies have opened-up new paths for malicious actors to break into computer systems.

Businesses are at risk of finding they are unable to secure cyber insurance cover as the volume of cyber-attacks reaches new levels. High levels of cyber protection are increasingly becoming a prerequisite for cyber insurance. The cost of cyber risks insurance continues to rise as demand for cover outstrips supply.

Carolina Klint, European Risk management leader for insurance broker Marsh, and one of the contributors to the report, said that some insurance companies are now saying that “cyber risk is systemic and uninsurable”. It’s up to the insurance industry and to capital markets to decide whether or not they find the risk palatable. Businesses are currently tackling multiple risks at once. Spending more on cyber security will give organisations greater resilience to survive other shocks, such as failures in the supply chain. Klint confirms that “cyber resilience and supply chain resilience are really closely interlinked, meaning investment in resilience will have a positive impact on more than one risk."

Organisations will need to look at the effectiveness of their current risk mitigation and risk management strategies and invest up-front in cyber security to be insurable, said Klint. John Scott, head of sustainability risk at Zurich Insurance Group, comments that its “astonishing”, that many companies have not put basic IT security protection in place, such as ensuring software is regularly patched and using two-factor authentication. He pointed out that organisations should also be working with their suppliers and datacentres to make sure that their supply chains are protected from cyber-attacks.

Click here to read the Computer Weekly article.

Royal mail restarts limited overseas post after cyber- attack

Royal mail has started clearing its backlog of overseas post and has started receiving new international letters, following ransomware attack earlier this month. In a bid to mitigate impacts of the attack, Royal mail continues to work with authorities and is trying 'operational workarounds.' Royal Mail, as a private company, is required to keep authorities and regulators informed, however it has said little to the public.

The ransomware used in the attack is Lockbit. Computer security firms say the software involved has been developed and used by criminal gangs with links to Russia. The ransom demand is expected to be in the millions, although sources close to the investigation say there are "workarounds" to get the systems going again. This attack is significant, as Royal Mail is deemed part of the UK's "critical national infrastructure". The back-office system that has been affected is used by Royal Mail to prepare mail for despatch abroad, and to track and trace overseas items. The threat actors are likely to be threatening Royal Mail with the prospect of having potentially sensitive data published by a certain deadline.

It is not yet clear whether Royal Mail is considering negotiating with hackers or paying a ransom. However, firms that rely on posting items overseas have seen ongoing impacts to their businesses. Royal Mail has apologised and asked companies not to send international parcels or any mail that requires a customs declaration for the time being. Domestic postal services remain unaffected.

Click here to read the full BBC article.

Cyberattacks triple in last year according to Ukraine cybersecurity agency

The UK Government's security minister Tom Tugendhat warns of a ‘persistent threat’ of Russian attacks on Ukraine's critical infrastructure. Ukraine's cybersecurity agency says Russian hacking is, at times, deployed in combination with missile strikes. Russian hackers carried out 10 attacks a day against “critical infrastructure” during November 2022, as part of the wider effort to leave millions without power amid plunging temperatures.

The Ukrainian cybersecurity agency stated that Russian cyber-attacks were also coordinated in conjunction with “information-psychological and propaganda operations" trying to “shift responsibility for the consequences [of power outages] to Ukrainian state authorities, local governments or large Ukrainian businesses”. The UK has provided a £6.35m package of support, helping Ukraine with incident response, information sharing, hardware and software.

Russia's "near abroad" have also been targeted. In late October 2022, Poland’s senate was hit by a cyber-attack, a day after the country’s upper house had unanimously adopted a resolution describing the Russian government as a terrorist regime. Poland later blamed the pro-Russian group NoName057(16) for a denial-of-service attack aimed at shutting down its website. British organisations are urged to continue to review their digital security during what the NCSC considers to be an “extended period of heightened threat”.

Click here to read the Guardian article.

The darker side of ChatGPT

Since its debut less than two months ago, ChatGPT has become well-known and is used worldwide for a wide range of jobs. For anyone working in the software industry, its amazing capabilities provide quick and understandable code samples. On the flip side ChatGPT is advanced in its capacity to construct sophisticated malware that contains dangerous code.

ChatGPT could be used to create polymorphic malware. This malware’s advanced capabilities can evade security products and make mitigation cumbersome with very little effort or investment by the adversary. Cyber Ark ran a test using ChatGPT and found that it is possible to create a polymorphic program that is highly evasive and difficult to detect. This creates significant issues for security professionals.

The concept of creating polymorphic malware using ChatGPT has been shown to be relatively straightforward. By utilizing ChatGPT’s ability to generate various persistence techniques, Anti-VM modules and other malicious payloads, the possibilities for malware development are vast. This is a field that is constantly evolving.

Click here to read the Cyber Ark article.

New program offers most vulnerable in society free cyber security support

The NCSC offer charities and legal aid firms free support to put cyber protections in place. The new government Funded Cyber Essentials Programme offers some small organisations in high-risk sectors practical support at no cost to help put baseline cyber security controls in place. The information held by these organisations can be highly sensitive – including, for example, personal data relating to vulnerable individuals. Eligible organisations will receive 20 hours of expert support to help implement the five technical measures needed to gain Cyber Essentials certification – firewalls, secure settings, access controls, malware and software updates. Cyber Essentials is a government-backed certification scheme which helps organisations of all sizes guard against online threats and demonstrate a commitment to cyber security.

The offer is currently available to micro or small businesses that offer legal aid services and micro or small charities that process personal data, for example those working in safeguarding such as domestic abuse charities or online chat support services.

Click here to read the NCSC blog post.