As another year comes to an end, several trends continue to have an impact on accountants and dominate the minds of cyber security practitioners. This monthly series was started this year to try to inform members of developments in cyber security. The series will continue in the new year – hopefully you have found it useful and insightful.
Critical providers and links in the supply chain
The year has seen several supply chain attacks, some of which directly impacted accounting firms.
In June, Microsoft suffered a number of Distributed Denial of Service (DDoS) attacks that affected several of its web portals, including Azure, Outlook and OneDrive. Such attacks are not easy to perform successfully on organisations of the scale of Microsoft, as they require the ability to control a significant number of computers. Any successful attack, however, would have a much greater impact.
Microsoft believes hacktivists were behind the attack. They likely had access to and utilised multiple virtual private servers (VPS), rented cloud infrastructure and had DDoS tools to perpetrate the attack.
Up to 300 independent retailers were affected by a cyber attack on IT supplier Swan Retail in July. Swan Retail is a provider of a range of business-critical software to small retail businesses. The impact of this attack was very real, leaving business owners struggling to manage stock or accept payments. This emphasises how actors target key suppliers in order to maximise their impact.
Law firm IT provider CTS’s services were disrupted earlier this month. Conveyancing practices were left unable to guarantee that completions had or would take place, with many having to return to manual processes during the disruption.
We saw providers to public services, such as Capita, MOVEit and (again) Microsoft being targeted. The MOVEit attack had impacts on some of the largest practices, while the Microsoft attack involved Chinese threat actors hacking email accounts of around 25 organisations, including government agencies based in Western Europe and the US. It is believed that China-based Storm-0558 is responsible for this attack. While providers are targeted, the true targets are likely to be firms or various public services.
Getting the basics of cyber security right and implementing the NCSC 10 steps to cyber security will put you in a good position to prevent and respond to most cyber incidents.
Vulnerable public services
The Electoral Commission published a public notification in August that it had been the subject of a cyber attack. Although some of the compromised data may already have been in the public domain, there are concerns that it can be combined with other publicly available data for activities such as profiling individuals. Some reports point to suspicion that the attack could be linked to hostile state actors, such as Russia.
Law enforcement also fell victim to data breaches. In July, a laptop and documents identifying more than 200 staff members of the Northern Ireland police were stolen from a private vehicle. Then in early August, the Police Service of Northern Ireland mistakenly shared a spreadsheet online in response to a Freedom of Information request, revealing the personal details of all police officers and civilian staff members in Northern Ireland.
Towards the end of the year, we saw an attack on the British Library. Employee information was sold on the dark web and services were disrupted, which the Library stated is likely to continue for months.
The government accused the Russian Federal Security Service (FSB) of a sustained hacking campaign targeting politicians, civil servants, think tanks, journalists, academics and other members of public life. It is believed that the FSB has been using a group known as Centre 18 to carry out this sort of campaign since 2015. The government has stated that it deems the efforts so far to have been unsuccessful.
However, reports this month suggest that groups linked to China and Russia attacked the Sellafield nuclear waste and decommissioning site, a hazardous nuclear facility. The reports suggest that the systems could have been compromised since 2015. The Sellafield operators and government deny seeing any evidence that the site has been compromised and we will have to wait and see what this could mean.
This year has generally served as a reminder that cyber security is not limited to criminal elements but extends to a new realm of competition and warfare between nation states, where businesses can be caught in the crossfire.
Emerging technology – the new weaponry for the cyber arms race
ChatGPT has had a huge impact on public interest in AI in such a short space of time, with GPT-4 only being released in March. Earlier this year, Microsoft announced the launch of a new AI-powered security copilot. Google also announced its own AI-powered privacy tools. These AI models are informed by internal and external data collected on threats and theoretically could supplement some of the skills gap that exists within the cyber-security profession. We will see the implications of their use throughout next year and whether they assist in mitigating the risk of breaches.
Since GPT-3 was launched in November 2022, there has been a rise in AI-enhanced scams. It is now easier than ever to compose highly convincing phishing emails in the native language of intended victims or to assist in the building of malware. There is also now the added concern that generative AI may equip criminals with knowledge and capabilities that extend beyond their current skills.
The UK National Cyber Security Centre (NCSC) explored the cyber risks associated with large language models in ‘ChatGPT and LLMs: what's the risk?’. In the ICAEW Generative AI Guide, we have also explored the cyber-security concerns that LLMs can present to organisations.
More resources can be found at the cyber security awareness month hub.
NCSC resources for your organisation
This year saw a number of resources published by the NCSC that you and your organisation should be aware of and are encouraged to use:
- Cyber Action Plan (aimed at small businesses) – a questionnaire that can be completed online in under five minutes and results in tailored advice for businesses on how to improve their cyber security.
- Updated version of Cyber Essentials (aimed at individuals in organisations) – a government-backed self-assessment and certification scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks.
- Cyber Security Playbook (aimed at local authorities) – provides support and guidance on how to keep ‘smart cities’ safe from threats.
- 10 steps to cyber security guide (aimed at businesses developing an AI tool) – provides 10 steps that should be applied in the early and developmental stages of AI tools, systems and services to avoid situations in the future where security may need to be retrofitted.
- Email security check and Check your cyber security services (aimed at small businesses) – allow you to perform a range of simple online checks using the same publicly available information that is commonly used by cyber criminals.
- Building a security operations centre (aimed at organisations) – a resource to help organisations set up a security monitoring capability in line with their level of threat and available resources.
- Cyber Security Toolkit for Boards (aimed at board members) – a toolkit that is designed to help board members, including the CFO, govern cyber risk more effectively.
- Guidelines for providers of AI tools (aimed at AI providers) – a set of guidelines to inform decision-making during the design, development, deployment and operation of an AI model.
Finally, ICAEW’s Corporate Finance Faculty has been updating its ‘Cyber security in Corporate Finance’ guideline, which is due to be launched at a special event at Chartered Accountants’ Hall on 31 January 2024. Register to attend and hear from the NCSC about the latest common cyber attacks and how to manage those threats, and to get insights from a panel discussing the critical importance of managing cyber threats during transactions.