Cyber news: cyber-attack fallout, passkeys, cyber breaches survey

The fallout from the cyber attack on outsourcing provider Capita has continued, with a number of organisations now confirming that members of their pension plans may have been impacted. M&S and Diageo have confirmed that the security of personal data may have been compromised for a significant number of scheme members.

This followed an announcement by USS, one of the UK’s largest private-sector pension plans, that the details of nearly half a million plan members may have been put at risk. Capita themselves estimate a cost of up to £20m to deal with the breach. This incident highlights the importance of understanding the security landscape for all aspects of your supply chain, including those organisations involved in handling internal HR and payroll data. It’s a message backed up by a recent study from Juniper Research suggesting that by 2026 the cost of software supply-chain cyber attacks will exceed $80.6bn globally.

Earlier this month Google announced that it will begin to roll out passkey technology to replace password logins on user accounts. Passkeys are essentially a more advanced form of multi-factor authentication where, rather than using a password to log in followed by some sort of secondary authentication (such as a code by SMS), the user is prompted to verify the login on one of their linked devices, by fingerprint, facial recognition or PIN. With Apple and Microsoft also looking to adopt similar technology, breaches due to password hacks may soon be a thing of the past.

As the UK government published its 2023 Cyber security breaches survey (you can read some of ICAEW’s observations in our Insights article), it will come as no surprise to many that recent research by Sophos suggests almost three-quarters of cyber attacks involve ransomware. While the headline figures in the survey of breaches show a decline in the number of attacks, this may hide some concerning truths, including that well over half of all medium and large businesses have been attacked, and that smaller businesses are placing less importance on cyber security.

There is an important question here: is a lower likelihood of attack driving a reduced focus, or is the reduced focus leaving fewer smaller businesses aware of when they are being attacked? Certainly smaller organisations, particularly charities and those in the public sector, can be and are regularly attacked, as demonstrated by a recent attack on Hardenhuish School in Wiltshire. Indeed, more than four in five further and higher education organisations have identified breaches in the last year, according to the survey.

Even alternative rock bands can be hacked.

Cyber developments: AI, malware and Quantum

There are yet more stories this month relating to AI and cyber security. Unsurprisingly, it was a major talking point at the annual RSA Conference at the end of last month – both the challenges that the new generation of AI tools may pose (for which the Director of Cybersecurity at the NSA encouraged people to ‘buckle up’), but also the opportunities that AI-enabled defensive tools might provide. EY’s APAC Cyber Security Consulting Leader provides a balanced view on whether generative AI is a cyber friend or foe.

Going back to Google briefly, it announced its own AI-powered privacy tools (to follow Microsoft’s AI-powered security tools that we mentioned last month). Meanwhile, data privacy and protection are among the reasons cited for some to observe that OpenAI, with its ChatGPT tool, is likely to encounter many difficult conversations with regulators in the coming months.

Agencies from the US, UK, Canada, Australia and New Zealand have issued a joint advisory about the Snake malware, currently being used by Russian cyber actors, that includes technical detail which may be of use to organisations in reducing the risk of attack.

Looking to the future, the risks that quantum computing might introduce to security and encryption are becoming increasingly real. The Financial Times has produced an excellent long read on how quantum computing could break the internet, and what we might need to do about it (although, thankfully, not quite yet).

Cyber security updates

The National Cyber Security Centre (NCSC) and the UK government have been very busy in the last month, issuing a number of key updates and messages.

The NCSC is looking for small organisations to complete a short survey to help it understand how its services and guidance can be as engaging, relevant and useful as possible. To complete the survey just go to NCSC Small Organisations – Technology & Your Organisation.

The NCSC has also released a Cyber Action Plan aimed at small businesses – a questionnaire which can be completed online in under five minutes that results in tailored advice for businesses on how to improve their cyber security.

At the end of April the updated version of Cyber Essentials went live, featuring new guidance and clarifications that should help organisations going through the certification process.

A Cyber Security Playbook has also been launched for local authorities, providing support and guidance on how to keep ‘smart cities’ safe from threats.

Concerns around the accessibility of cyber security solutions have been raised by NCSC, highlighting the importance of ensuring that policies consider accessibility at their heart.

Finally, in a recent blog post NCSC has made the case for more transparency in the world of cyber attacks – something that ICAEW would very much support. At the very least, using the NCSC Cyber Incident Signposting Service may help identify who you need to tell.

ICAEW content on demand

Catch up on our recent webinar The impact on legal practices of increased fraud and cybercrime.

We’ve also just refreshed our best practice guide for good cyber security, which includes handy checklists to help turn the theory into action.

Got an interesting cyber story for us? Email techfac@icaew.com.