It is about 5,000 miles but a short cyber hop from Miami to Solna, the headquarters of Swedish grocery chain Coop. In 2021 the grocer had to shut most of its 800 stores after a ransomware attack on Florida-based tech company Kaseya: a Swedish IT provider used Kaseya's software to manage Coop's tills, and the attack knocked them out.
That was just one example of the far-reaching and destructive consequences of a supply chain attack. Supply chain vulnerabilities have shown up much closer to home: last year’s ransomware attack on health software and services provider Advanced gummed up out-of-hours GP services and knocked out the 111 system.
One conclusion, according to cyber specialist Jamie MacColl of think-tank the Royal United Services Institute, is that “our definitions of critical national infrastructure are just not fit for purpose given the complexity of modern supply chains”.
Cabinet Office minister Oliver Dowden this week pledged to look at extending cyber resilience rules to businesses working in critical infrastructure and issued all businesses with an “unprecedented warning” that cyber attacks by Russia-affiliated groups were on the rise. “Businesses can’t afford to recklessly ignore cyber risks,” he said.
Many are ignoring them, though. The reality may be that a universal level of cyber protection mandated by regulation is needed — given the evidence that many businesses either don’t know what to do or simply aren’t doing it.
Nearly a third of UK businesses and a quarter of charities reported a breach or attack in the past year, according to a government survey published this week. But despite rising ransomware activity, the number of companies reporting the use of basic cyber defences such as password policies, network firewalls and regular software updates has fallen over the past two years.
Just three in 10 businesses properly assessed cyber risk last year, while just one in 10 reviewed risks at their immediate suppliers. Research from Aviva this year found cyber risk had been pushed down boardroom agendas by issues such as economic concerns and workforce shortages.
Of course, many attacks are small and unsophisticated. But entry-level cyber hygiene measures are the same whether a breach is small or large, and they work: the National Cyber Security Centre, which publishes guidance and runs a certification scheme for companies, thinks 90 per cent of incidents could be prevented by following the basics.
It isn’t happening. Big companies do perform better across the board on these issues. But awareness of the NCSC’s Cyber Essentials good-practice standard is low overall; only 20 per cent of companies have controls in all five of its areas (firewalls, secure configuration, user access control, malware protection and security update management), and just 5 per cent adhere to the standard itself. Cyber insurance, for which take-up is also low (a fifth of companies in the government research weren’t even sure whether they had a policy), has also failed to prompt wider adoption of bog-standard resilience measures.
Finding a way to mandate an acceptable minimum level for cyber security, while minimising costs, could be the next step, says MacColl, who notes that “we’ve tried so many market-based approaches now and they are not working”.
The impossibility of drawing a neat line around critical services supports the need for widespread basic rules. Others argue that tougher measures are needed for big businesses, such as a “failure to prevent”-style duty that allocates clear responsibility to keep up with an ever-evolving threat and ensures that basic cyber measures are a floor not a ceiling for corporate defences.
“What I see around me is an extraordinary lack of understanding by chief executives and boards as to exactly what these threats are,” Rupert Lee-Browne, boss of payments company Caxton, told an FT event last year. He argues that all companies need to operate as if they’re in a regulated environment when it comes to cyber risk and that “the only way to do that is by tough enforcement, otherwise it’s just another cost they don’t want”.
More stringent rules for critical national infrastructure would be welcome. But each sophisticated operator is only as secure as the mom-and-pop enterprises in its supply chain, or its suppliers’ supply chains. “Businesses large and small sit on the front line of our cyber defences,” said Dowden. Progress to date suggests it will take more than stern words to shore up that battlefront.