
Cyber round-up: April 2024

Author: ICAEW Insights

Published: 30 Apr 2024

Our latest round-up of cyber news and insights features some of the key findings from recent government research on the UK’s cyber resilience, and the big stories from the past month.

More businesses are prioritising cyber security – but not enough

The National Cyber Security Centre (NCSC) published its 2024 Cyber Security Breaches Survey earlier this month. The survey found that more businesses have been putting basic security measures in place than last year. 

More large businesses and charities are training their staff, and three-quarters of businesses say cyber security is a high priority for their senior management. That proportion is lower than in every previous survey from 2019 onward, apart from last year's. The decline seems to be driven primarily by micro-businesses and the after-effects of the pandemic.

Cyber insurance uptake has increased, but 19% of businesses and 18% of charities did not know whether their employer had any form of cyber security insurance, even though the survey was carried out with the individual identified by the organisation as having most responsibility for cyber security.

Training and awareness sessions on cyber in medium and large organisations had continued to increase, but smaller and micro-businesses were slower in providing these sessions. There is also a declining awareness of the free resources provided by the NCSC, such as its Cyber Aware campaign and Cyber Essentials scheme. 

Boards engaging more with cyber

The Department for Science, Innovation and Technology also published its Cyber Security Longitudinal Survey in late March. It found that:

  • While board engagement with cyber risks and training continues to increase in large and medium businesses, this improvement was most evident in organisations with a lower cyber resilience. 
  • Organisations with a stronger cyber resilience were adhering to some standard or accreditation. At present this is only 35% of medium businesses, 47% of large businesses and 36% of high-income charities. 
  • The proportion of firms conducting supplier risk assessments had also increased, in line with the trends that ICAEW has been flagging in its cyber round-ups throughout the past year as a key recommendation. 
  • Investment in cyber security had remained stable or had reduced, though the survey also notes that relative resilience had increased. 

Together, this survey and the NCSC report point to organisations continuing to invest in cyber security despite economic conditions, while awareness of the available resources declines. It is important that members continue to flag how much employee awareness contributes to mitigating threats.

Phishing emails continue to be the most common method of hacking and can only be combated with critical thinking: employees need to be given the right support to help them identify potentially fraudulent emails.

Updated Cyber Assessment Framework

The NCSC has also published its revised Cyber Assessment Framework (CAF) to improve its alignment with the Cyber Essentials scheme by mirroring some of the requirements. Some limited aspects of AI-related cyber risk are reflected in the framework sections covering automated functions and automated decision-making technologies and the NCSC is continuing to monitor the impact of AI in more detail to inform future iterations of the CAF.

A near miss?

On 29 March, a Microsoft engineer noticed that a tool for logging into remote machines was much slower than usual. He discovered that a software package called XZ Utils (a critical utility for compressing and decompressing data on Linux) had been compromised by a backdoor built into the software itself. Linux, and XZ Utils along with it, underpins most publicly accessible internet servers globally.

XZ Utils is an open-source piece of software, meaning that its code is publicly available. Updates are made by groups of unpaid software engineers. This was a supply chain attack designed to make backdoors for unauthorised access into the guts of our networked world. The malicious contributor in question made themselves the contact for code testing and opted to remove a test that would have caught their insertions. 

However, it should be noted that XZ Utils is a large open-source project, so identification relied on the large community involved. Most open-source projects are much smaller, and malicious insertions of this sort might be occurring without community members noticing. An update is expected for these open-source projects that will show who new contributors are, and whether established contributors are behaving differently.

A lot of modern networks are reliant on open-source software, and these are particularly susceptible to having malicious code inserted. When conducting third-party risk assessments and due diligence it is vital that these systems be identified. 

“Phishing-as-a-Service”

In mid-April the police announced that they had taken down LabHost, a gang providing cloud-based software for scammers under a business model that has been coined “Phishing-as-a-Service”. Its tools included:

  1. Campaign builders that let users design and launch their own scam campaigns, designed to trick people into handing over sensitive information.
  2. Hosting for phishing pages: web pages designed to look like the legitimate websites of banks, postal services, insurers and others, also intended to gain access to sensitive information.
  3. More specialised tools for adversary-in-the-middle attacks, a method of inserting an attacker between two communicating parties so that their communications pass through the attacker.

It has been reported that LabHost had 2,000 paying customers, who used these services to defraud hundreds of thousands of victims. Investigators have seized more than 800 LabHost customer emails and arrested 37 people globally.

This ultimately shows how sophisticated and organised bad actors are becoming. Cybercrime is becoming increasingly like modern businesses, with service-driven providers like LabHost and LockBit (which was taken down earlier this year). It is also increasingly automated, as we have seen with scams involving AI-generated email text and deepfakes of senior leaders. This ecosystem is also becoming very resilient, with LockBit seemingly back in operation after only a few days of law enforcement action. 

Members will need to be ever vigilant; this is the new normal and we will need to adapt to hostile actors as they continue to adapt.
