The UK needs a better approach to active cyber defense to detect those responsible, and create a better partnership between industry and government.
David Ferbrache, KPMG technical director and former head of Cyber & Space at the Ministry of Defence, said that there is a lot of language around “active cyber defense” and while Governments do the botnet takedowns, there are a whole series of measures that they may need to put in place to block and disrupt those methods.
He said: “It signals a very different relationship between government and law enforcement; where law enforcement is not purely about feeling the collar of the cyber-criminal, although they would still like to do that, it is also about help business deal with the threat and make sure actionable cyber-criminals are not in a position to cash out.
“A lot of the NCA’s focus is on the back-end of cashing-out and money laundering, but speaking to government, a lot of their focus is on how to disrupt activity and help businesses to spot attacks in an early stage and block and disrupt. That’s a very different style of working.”
According to a report jointly authored by BT and KPMG “Taking the Offensive – Working together to disrupt digital crime”, a fifth of IT decision makers in large multinational corporations are confident that their organization is fully prepared against the threat of cyber-criminals, and 47% admit that they don’t have a strategy in place to prevent it.
Speaking at the launch of the report, Mark Hughes, CEO Security at BT, said that we are often too focused on a technical solution to the problem and often that is not the case, as you need to understand how you are being attacked and how it is being monetized.
“It is about taking notice of what you are up against, and making that subtle shift to honing down to what it actually does and responding to it, and from that instead of asking the cybersecurity team to ask if they have the right controls in place, now demand evidence that you are working in partnership and have exercised these options,” he said.
“That presents a real opportunity for organizations as they are often concerned that this is a technical issue, but it gives them an opportunity to talk in a language that they understand and shows that they can do this and have a license to work in a multi-stakeholder way.”
Hughes said that a different approach is needed to cyber-crime, the criminal element of it and the psychology of cyber-crime, and if you think of it in that way, “then organizations can equip themselves much better to defend against criminality and help themselves to not be victims of that crime”.
Asked about taking a more offensive approach to cyber-crime, Ferbrache said that once you have detected and blocked an attack, you can learn more about it, but that takes time and while a business does have more context and information, it may not have the pattern of attempted frauds of the banks or access to their information, but it is all part of the picture.
“So they will have information to share and it is about getting companies to realize that it is in their best interest to share across governments and make it easy for law enforcement,” he said.