What the UK retail attacks teach us about cyber risk


April and May saw a series of attacks against UK retailers: from the Co-op, to Marks & Spencer, to Harrods. These attackers now appear to be targeting businesses beyond the UK, including the US, and haven’t been shy about their actions. Whilst the story is still developing, on one level, the fact that attackers have had to deploy this kind of individual, personalised approach is a sign that technical controls were working effectively. There’s a cost and complexity to each breach that limits the number of attacks that can actually be launched. So although not great, cybercriminals have been forced to work harder to be successful.

 

When we look across the last few years, it’s terrible that these things are happening. But this spate of attacks lays out steps we can take to protect ourselves more effectively. The single one that makes the biggest difference is to roll out MFA. It’s possible for the most sophisticated attackers to defeat it, but the vast majority of attacks can be halted by deploying that control. MFA can be disruptive. It comes at a cost. But the benefit of deploying it so far outweighs those costs that it’s a little like having to wear our safety belt when driving: the new norm that we do all the time if we want to be safe.

 

It’s also important to remember that these patterns in breaches do occur: they have more to do with attacker behaviour than necessarily a particular weakness in any sector. I don’t think there’s any one industry that’s more or less vulnerable: cybercriminals can target absolutely anyone. But from an impact perspective, what’s most notable about these attacks is the degree of sympathy for the victims. While we’re seeing advice for how organisations and individuals can better protect themselves, there isn’t the same degree of finger-pointing and attempts to assign blame. This is a welcome development as it allows the ICO and other investigators to focus on their work, but I think there are some conclusions we can draw.

 

First, the three notable UK victims are each brands that inspire loyalty in their customers: Harrods with its select clientele, the Co-op as a mainstay of communities offering much more than just stores, and Marks and Spencer as one of the great fixtures of the UK high street. Admittedly I have some personal bias, having worked at M&S for many years, but the outpouring of support has been most welcome to see. I have had so many conversations about the M&S attack, particularly with non-cyber people. The effects have been extremely visual and it has brought home to a much wider audience how attacks can impact their day-to-day lives.

Second, it’s clear that no part of the security profession is an island. Every individual in every organisation is interconnected. This also includes commercial partners and those working within the supply chain – a subject that we have spent many an hour trying to address. It’s only together that we can defend against attackers. From those just beginning their cybersecurity career, to the most experienced CISOs, to the educators and institutions that develop our skills before and during our careers, and even the journalists who share insights and information, everyone has a role to play.

This is why bodies such as CIISec are so crucial to the fight against cybercrime, providing a forum where professionals can share expertise and pool knowledge and intelligence so that the whole profession has access to the best advice and development resources possible.

There is a lot that we can learn from this recent spate of incidents.
