Cyber software in the news
This month the world found out what happens when major enterprise-level cyber security software falls over, and it’s fair to say it was catastrophic.
In the early hours of Friday 19 July, CrowdStrike pushed a content (configuration) update to Windows machines running its Falcon sensor, software used by many large organisations around the world to protect against cyber attacks. Such updates are routine and are pushed to PCs daily or even several times a day. Unfortunately, this update contained a defect that caused the Falcon sensor, which runs as a Windows kernel driver, to crash and take the operating system down with it, producing a fatal system error and the infamous ‘blue screen of death’ on every machine that loaded it. There are numerous helpful explainers, including a BBC article and this more technical examination.
While CrowdStrike released a fix within hours, the impact was substantial, taking a huge range of services offline and affecting airlines, banks, hospitals and many high-profile businesses, including the Mercedes F1 team. The compounding problem was that a machine stuck in a crash loop could not simply pick up the fix: each affected PC had to be recovered by hand, rebooted following a specific set of steps, which has been a time-consuming exercise for IT professionals globally. Microsoft estimated that around 8.5 million machines were affected, making it most likely the worst IT outage of all time – although it is worth noting that this is still less than 1% of all Windows machines, and that Linux and macOS were unaffected.
In our recent Insights article we covered some of the lessons from this incident, many of which relate to supply chain risk and resilience. CrowdStrike, Microsoft and others have been at pains to emphasise that it was not a cyber attack, and CrowdStrike has already committed to steps to avoid a repeat, including more robust testing of this type of update and more staggered deployment, so that a faulty update reaches a small group of machines first rather than the whole customer base at once. However, criminals rarely miss a trick, and the National Cyber Security Centre (NCSC) has warned that the incident is likely to lead to an increased risk of cyber attacks through bogus technical support and fake software updates.
It is important to emphasise that if your machines were not impacted by the update, there is nothing to fix – although the NCSC’s warning about bogus support and fake updates applies to everyone. If you are still impacted, the steps outlined by CrowdStrike and Microsoft are relatively easy to follow provided you have physical access to the affected machines, and a recovery tool has been issued for more complex setups.
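To make concrete what a more staggered deployment buys you, here is an added example (not CrowdStrike’s, Microsoft’s or this article’s code) of a ring-based rollout that halts automatically when an early ring reports crashes, so that a bad update’s blast radius is bounded by the size of the ring it fails in. The fleet, the ring sizes, the 1% crash-rate threshold and the crash_probe telemetry hook are all assumptions constructed for the illustration.

```python
"""Staggered (ring-based) rollout with an automatic halt on crash telemetry.

Added illustration only; this is not CrowdStrike's or Microsoft's code.
The fleet, the rings and the crash reports are constructed in-memory data,
and `crash_probe` stands in for whatever telemetry a real sensor would
report back after loading an update.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Ring:
    name: str
    hosts: List[str]


@dataclass
class RolloutResult:
    status: str                                   # "completed" or "halted"
    rings_deployed: List[str] = field(default_factory=list)
    crash_rate_by_ring: Dict[str, float] = field(default_factory=dict)
    halted_at: Optional[str] = None
    hosts_exposed: int = 0                        # hosts that received the update


def staged_rollout(rings: List[Ring],
                   crash_probe: Callable[[str], bool],
                   max_crash_rate: float = 0.01) -> RolloutResult:
    """Push the update one ring at a time, smallest ring first.

    After each ring is updated, the crash rate reported by that ring's hosts
    is compared with `max_crash_rate`; if it is exceeded the rollout halts and
    the remaining rings never receive the update.
    """
    result = RolloutResult(status="completed")
    for ring in rings:
        if not ring.hosts:
            raise ValueError(f"ring {ring.name!r} has no hosts")
        crashes = sum(1 for host in ring.hosts if crash_probe(host))
        rate = crashes / len(ring.hosts)
        result.rings_deployed.append(ring.name)
        result.crash_rate_by_ring[ring.name] = rate
        result.hosts_exposed += len(ring.hosts)
        if rate > max_crash_rate:
            result.status = "halted"
            result.halted_at = ring.name
            break
    return result


def build_fleet() -> List[Ring]:
    """Constructed fleet (assumption): a canary ring of internal test hosts,
    a pilot ring and the general population, growing ~10x per ring."""
    sizes = [("canary", 10), ("pilot", 100), ("general", 1000)]
    rings, n = [], 0
    for name, size in sizes:
        rings.append(Ring(name, [f"host-{i:05d}" for i in range(n, n + size)]))
        n += size
    return rings


def bad_update(host: str) -> bool:
    """Simulates an update that crashes every host that loads it."""
    return True


def good_update(host: str) -> bool:
    """Simulates a clean update: no host reports a crash."""
    return False


def marginal_update(host: str) -> bool:
    """Simulates an update that crashes every 50th host (a 2% crash rate)."""
    return (int(host.split("-")[1]) + 1) % 50 == 0


if __name__ == "__main__":
    for label, probe in [("bad", bad_update), ("good", good_update),
                         ("marginal", marginal_update)]:
        r = staged_rollout(build_fleet(), probe)
        print(f"{label:9} {r.status:9} exposed={r.hosts_exposed:5} "
              f"halted_at={r.halted_at} rates={r.crash_rate_by_ring}")
```

With the constructed fleet, an update that crashes everything is stopped after the 10 canary hosts, a 2% crash rate is caught in the 100-host pilot ring, and only a clean update reaches all 1,110 hosts. The threshold and ring sizes are the tuning knobs: a real deployment would also hold each ring for long enough to collect telemetry before promoting.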
King’s Speech proposes new cyber laws
Among the substantial number of new laws proposed by the new UK government in this month’s King’s Speech, the Cyber Security and Resilience Bill looks set to establish improved regulation, building on the Network and Information Systems Regulations which were inherited from the EU. These regulations have since been updated by the EU, leading to a risk that UK regulation in this space is currently falling short.
The intention is that the new regulation will help provide greater protection to critical public services and their supply chains, and would give regulators more resources and powers to investigate vulnerabilities and enforce necessary cyber security measures in the organisations that need them most. The bill also proposes that organisations will be required to increase the level of reporting of cyber incidents, particularly in relation to ransomware attacks, to give bodies such as the NCSC greater visibility of the threats faced by UK businesses and public sector organisations.
Another proposed bill, the Digital Information and Smart Data Bill, will also have implications from a cyber perspective, as it seeks to give the Information Commissioner’s Office greater powers and to make it easier for customers’ data to be shared with authorised third parties at the customer’s request – so-called ‘Smart Data’ schemes. This will require both individuals and businesses to be more alert to cyber risks, potential data breaches and the terms they accept when permitting the sharing of personal and business data.
New route to Cyber Essentials
Cyber Essentials (CE) – the UK scheme for businesses to support and demonstrate a minimum level of cyber security protection – was launched 10 years ago at Chartered Accountants’ Hall. It has since undergone several changes to ensure it remains relevant and the latest changes open up more routes for organisations – particularly larger ones – to achieve certification.
The CE Pathways route, now launching as a proof-of-concept phase, moves away from a prescribed set of controls towards an ‘outcomes-based’ approach. This gives organisations that have legitimate reasons for being unable to implement the standard CE controls a different way of demonstrating compliance, provided the same underlying risks are addressed through technical and testable controls.
NCSC is currently seeking organisations to take part in the proof of concept and has provided more details on its website.
Don’t be scammed, remember SCAM
According to a 2024 UK Finance report, scammers stole more than £1bn through payment fraud. Fraud is a significant source of worry for many finance professionals – we are, after all, supposed to be the ones who are good at looking after money – so mental health charity caba has developed the SCAM acronym to help you determine whether a request is genuine.
Is the Sender who they say they are? Are they Chasing you? Are they wanting you to take an unusual Action? Does their communication contain any Mistakes? These are the key questions to ask yourself when receiving a call, text or email out of the blue purporting to be from an individual or organisation you know. As the recent incident at Arup showed, even communications that appear to come from within your organisation should be validated. Simple efforts to cross-reference the request through a separate channel and ‘test’ the individual making it can be enough to identify the fraud before any information or money is handed over.
Of course, it isn’t just scams that can cause issues for small businesses. The Chinese state-sponsored threat group APT40 is increasingly exploiting the trend towards hybrid and home working by attacking small-office and home-office (SoHo) devices. An advisory issued by the Australian Cyber Security Centre, in conjunction with the NCSC and other bodies from the US, Canada, New Zealand, Germany and Japan, describes how APT40 exploits known vulnerabilities in widely used software to compromise unpatched or end-of-life SoHo devices, and then uses those devices as infrastructure to launch further attacks that blend in with legitimate home-user traffic.
The critical message here is to keep every device you use, at home and at work, up to date with the latest patches. When connecting to office systems from a home network, use a VPN or another encryption tool so that information crossing the public internet stays protected. At home, make sure your internet router’s firewall is enabled and configured to protect your home devices effectively, and replace routers that no longer receive security updates.
And as ever, the NCSC’s 10 Steps to Cyber Security guidance helps organisations adopt the important security measures that prevent and minimise the impact of cyber attacks.
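The advisory’s point that APT40 routes attacks through compromised home devices so that they look like ordinary home-user traffic has a consequence for defenders: a source address being residential is not, on its own, reassuring. The following is an added example (not part of the advisory or this article) of two simple checks run over VPN gateway authentication logs: one source IP used by several unrelated accounts, which is what a hijacked home router acting as a shared proxy looks like, and one account arriving from several different networks in a short period. The log line format, the thresholds and the sample lines are constructed for the illustration; real gateways log differently and the regular expression would need adjusting.

```python
"""Two checks over VPN authentication logs for proxied 'home user' traffic.

Added illustration, not code from the APT40 advisory. The log format, the
sample lines (TEST-NET addresses) and the thresholds are constructed
assumptions; adapt LINE_RE to the gateway you actually run.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of successful and failed VPN logins over one morning.
SAMPLE_LOG = """\
2024-07-22T08:01:12Z vpn-gw1 LOGIN user=alice src=203.0.113.45 result=ok
2024-07-22T08:03:40Z vpn-gw1 LOGIN user=bob src=203.0.113.45 result=ok
2024-07-22T08:05:02Z vpn-gw1 LOGIN user=carol src=203.0.113.45 result=ok
2024-07-22T08:07:51Z vpn-gw1 LOGIN user=dave src=203.0.113.45 result=ok
2024-07-22T09:14:09Z vpn-gw1 LOGIN user=alice src=198.51.100.7 result=ok
2024-07-22T09:30:27Z vpn-gw1 LOGIN user=alice src=192.0.2.9 result=ok
2024-07-22T10:02:15Z vpn-gw1 LOGIN user=erin src=198.51.100.200 result=ok
2024-07-22T10:05:55Z vpn-gw1 LOGIN user=erin src=192.0.2.9 result=fail
"""

# Assumed log line shape: "<timestamp> <gateway> LOGIN user=<u> src=<ip> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    src: str


def parse_logins(text: str) -> List[Login]:
    """Return successful logins only; malformed or unrelated lines are skipped."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "ok":
            continue
        logins.append(Login(m["ts"], m["user"], m["src"]))
    return logins


def shared_source_ips(logins: List[Login], min_users: int = 3) -> Dict[str, Set[str]]:
    """Source IPs from which at least `min_users` distinct accounts connected.

    Several unrelated employees all 'working from home' behind the same
    address is the signature of a compromised SoHo device used as a proxy.
    """
    users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for login in logins:
        users_by_ip[login.src].add(login.user)
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_users}


def roaming_accounts(logins: List[Login], min_networks: int = 3) -> Dict[str, Set[str]]:
    """Accounts seen from at least `min_networks` distinct /24 networks.

    Grouping by /24 rather than exact IP avoids flagging a home connection
    whose ISP merely re-issued an address within the same block.
    """
    nets_by_user: Dict[str, Set[str]] = defaultdict(set)
    for login in logins:
        net = ipaddress.ip_network(f"{login.src}/24", strict=False)
        nets_by_user[login.user].add(str(net))
    return {u: nets for u, nets in nets_by_user.items() if len(nets) >= min_networks}


def analyse(text: str):
    """Run both checks over a log extract and return (shared IPs, roaming accounts)."""
    logins = parse_logins(text)
    return shared_source_ips(logins), roaming_accounts(logins)


if __name__ == "__main__":
    shared, roaming = analyse(SAMPLE_LOG)
    for ip, users in shared.items():
        print(f"shared source {ip}: {sorted(users)}")
    for user, nets in roaming.items():
        print(f"roaming account {user}: {sorted(nets)}")
```

On the constructed sample, 203.0.113.45 is flagged because four different accounts connected through it within ten minutes, and alice is flagged for appearing from three unrelated networks in under two hours. Neither signal proves compromise by itself; both are prompts to check with the users concerned and to look at what those sessions did once inside.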
Want to learn more about cyber security?
Visit the ICAEW cyber security webpages.
Got an interesting cyber story for us? Email techfac@icaew.com