Right now, the UK is in political turmoil, which makes any long-term cyber security predictions difficult. But it is possible to make statements about cybersecurity in the short term.
Let’s look at where we are. The country has just had a bitter, nasty, and brutal referendum campaign that focused on hot button issues like immigration and Britain’s sovereignty. The post referendum analysis shows the country was split young vs old, those with degrees vs. those without, London vs, the rest of England, and so on. Hate crimes are reportedly up significantly.
Things aren’t going to get better soon. The two major political parties have both had leadership struggles and Scotland may hold another independence referendum splitting the union apart.
So what are the cybersecurity implications of this turmoil? There’s a line from an old punk song that I think describes the resulting cyber security situation: ‘anger is an energy’.
In a highly charged atmosphere, the risk of cyber attacks can significantly increase. There’s a strong motivation to damage ‘the other side’ by defacing websites, hacking databases to breach data, or to bring sites down through DDoS attacks. The well-known ‘Anonymous’ hacker group is a good example of a group responding to events through direct action, though there are numerous other examples of politically motivated attacks.
The obvious targets are government, political parties, the media, and campaign groups, but here the list of possible targets is much wider. Many high-profile business people campaigned for one side or another, trade unions and business organisations made public statements, and even entertainers had their say. This is a huge range of potential targets to damage or embarrass.
To attack an opponent, it’s not just their websites that are targets. Digital services are increasingly outsourced and there’s a cyber supply chain with data passed from vendor to vendor. To embarrass or breach an opponent, you may just need to attack one of their key cyber supply chain vendors.
On the whole, the UK is in a good place with respect to cybersecurity. In a recent BitSight study, we found companies with the majority of their IP addresses in the UK tended to be quite secure; the average BitSight rating was higher for UK companies than for several other countries as I show below. But even companies with good security overall can still succumb to attacks and a weak link in the cyber supply chain can expose a company’s data.
So what actions can companies take to mitigate cyber risk? The UK government has been promoting its cyber essentials programme for a while and it contains a lot of very good guidance. Here’s a list of items I suggest you address in the wake of the Brexit vote:
Of course, this list applies all the time, but while ‘anger is an energy’, the need for security against motivated and energetic attackers increases greatly.