This comes as UK firms were hit by an average of almost 120,000 cyberattacks each in Q1 2019
Cybersecurity is an increasingly important issue in the UK, amid constant news of international espionage and fear-inducing reports of frequent cyber-attacks.
UK businesses were hit by an average of almost 120,000 cyber-attacks each in the first quarter of 2019, equating to one every minute, according to internet service provider Beaming. This was more than double the 54,000 over the same period last year, with the attacks coming from a range of countries, including China, Russia, Egypt, Brazil and the US.
Despite these gloomy statistics, the UK is generally considered among the countries at the forefront of cybersecurity, ranking first in the International Telecommunication Union’s 2018 Global Cybersecurity Index ahead of the US and France. However, a host of industry developments and upcoming technologies such as 5G and IoT are adding to the pressure to get cybersecurity right.
But before even getting onto new technologies, there are already issues with some of the basics.
One problem is that companies’ increasingly complex password requirements have sometimes had the opposite effect to their aim of providing extra security, says Kc Cico, managing director of Blackphone, a manufacturer of secure smartphones on Android-based Silent OS software. This is because, he explains, people reuse passwords that they find harder to remember for their subscriptions to multiple digital services.
“Passwords used to be six digits, then eight, then 10, and then included letters and numbers and characters,” says Cico. “The biggest mistake people make is to use the same password for everything, so it leaves them more open to breaches.”
And even before this greater level of complexity, some people have made access too easy. The National Cyber Security Centre (NCSC) reports, for instance, that the most used password in the UK is ‘123456’ – a combination found 23.2 million times in various UK accounts.
Businesses are also not always careful, as illustrated by Cico: “I gave a Blackphone demo to a large firm in central London that had spent millions on its Symantec [computer software] licence and it didn’t go ahead with securing its phones even though it cost a fraction of that,” he says.
“The phone is with you all the time: it’s the biggest piece of surveillance equipment in the world.”
The Internet of Things is, meanwhile, ramping up the security threat for both consumers and businesses, with the number of IoT devices expected to increase from 23 billion worldwide now to 31 billion in 2020 and 75 billion in 2025, according to Statista.
Cybersecurity firm F-Secure reported that the number of IoT threats, which can be massive-scale, grew from 19 to 38 in 2018, while digital security company Gemalto found that just 48 per cent of businesses that used IoT devices could detect when they had suffered a security breach.
“When it comes to the consumer IoT side of things, it is a mobile problem, in that devices such as those for the smart household typically connect back to a mobile device,” says Tom Davison, EMEA director at mobile security firm Lookout.
“The other day, a friend of mine came to work waving his phone around because he had just installed smart tech at home and could watch his daughter getting ready for school,” says Brian Higgins, a security specialist at consumer website Comparitech.
“I took him aside for a chat and he disabled pretty much all of it.”
Davison has observed a trend that younger people who use IoT devices can sometimes be too trusting of their mobiles, making them a ripe target for exploitation.
“Verizon’s 2019 Mobile Security Index found that 17 per cent of phishing attacks came through messaging apps like Slack and WhatsApp. Users tend to be more trusting of those apps, so IoT is an enabler for those attacks,” he says.
As the demand for IoT devices rises, there is also a concern that companies rushing to get them to market are neglecting security requirements – which can’t easily be fixed post-release.
“It’s almost impossible to implement security for most IoT devices after purchase,” says Canalys market research analyst Claudio Stahnke. “For example, a smart thermometer doesn’t have an interface to update its software; it’s just a sensor.”
The UK appears to be leading the fight to enforce standards, however, with the Department for Digital, Culture, Media and Sport last year publishing a Code of Practice for Consumer IoT Security that has been translated into seven languages. Minister for Digital Margot James is holding a consultation until June 5 that concerns new laws around the code’s first three items – no default passwords, implementation of a policy for disclosing vulnerabilities, and a pledge to keep software updated.
The code was written by David Rogers, CEO of mobile and IoT security firm Copper Horse, who believes the UK can drive initiatives in global IoT security. “The UK massively punches above its weight [in cybersecurity],” he says. “We have a lot of expertise and academics, and we’ve contributed to the discipline. If you look at the respect the NCSC has and how other countries try to emulate it, that clearly shows we’re doing something right.”
Rogers adds that greater security is needed as new technology emboldens cyber-criminals: “Security is a complex game of chess. If you put in place a defensive measure, it doesn’t mean the motivation of an attacker goes away.”
Hacker Steve Lord, who runs the annual IT security event 44CON, attributes the UK’s good standing to the public’s belief in its institutions: “People believe that the government exists to help us and that agencies are there to serve us, and I think that view is shared by people in the government and law enforcement – they view public service as their job.”
The debate over the use of Huawei equipment in the UK’s forthcoming 5G rollout has, however, called into question the government’s leading status on cybersecurity.
While many government figures strongly contest the vendor’s cooperation in building “non-core” telecoms infrastructure, heads of the top UK operators are in favour of its involvement. Mobile UK, the trade association for the big four operators, says that a partial to full restriction on Huawei in the telecoms supply chain could result in a delay of up to two years in the widespread availability of 5G, at a cost of up to £6.8 billion to the economy.
The conversation isn’t helped by sometimes hazy press coverage: a recent Bloomberg story claimed that Vodafone Italy had found hidden back doors in Huawei-supplied equipment that “could have given Huawei unauthorised access to the carrier’s fixed-line network”.
Vodafone and Huawei both refuted the story, stating that the ‘back door’ was a normal part of the network used by many vendors. “That story was utter clickbait, because back door is a trigger term for people,” says Rogers. “It’s more about the lack of quality in the product and the requirement to keep stuff generally secure. We as ordinary people don’t know all the facts, so it’s a waste of brainpower speculating on it.”
Stahnke adds: “This story was a misrepresentation. You can find legacy security flaws from most vendors in most products that have been subsequently patched, so this shouldn’t be used as evidence that Huawei is unreliable.”
But Lord remains sceptical that it’s safe. “As long as you never power up a piece of Huawei kit and it has no power going to it, it’s perfect,” he says.
The arrival of 5G carries other security implications too, even without considering Huawei or IoT.
“The most immediate vulnerability to 5G is that to make the network faster, it needs to run off more devices: more routers, more masts, et cetera,” says Higgins. “Since every device is a point of potential attack, it’s simple maths that the threat will increase in size in tandem with the 5G network.”
Davison believes 5G’s low latency and high speeds could lead to security issues, particularly for companies whose employees are using mobile devices for business. “We’re already seeing how much time people are spending on mobile devices for work and that has been creeping up,” he says. “My expectation is that more work will be done over 5G than over WiFi, so we will see consumerisation of workplace devices. This has implications for security.”
Stahnke adds: “Cybersecurity threats on mobile devices will increase in frequency [with 5G]. If devices can download and upload much faster, it will be more complicated to monitor all the data transfers and easier for attackers to hide malware.”
Meanwhile, although Brexit may at first sight seem a concern for UK cybersecurity, it may not drastically alter the landscape. The global nature of most mobile organisations and the UK’s pre-existing commitment to the EU’s General Data Protection Regulation (GDPR), as well as its burgeoning IoT security legislation, means that exiting the EU is unlikely to change the threat level.
“On the standards side, most bodies are global. The European Telecommunications Standards Institute has nothing to do with the EU, so there’s nothing preventing UK participation in that,” says Rogers. “GDPR is already part of UK law and this is one area where the UK probably leads the way, so it’s one area we’re not that bothered about.”
Higgins agrees: “The people responsible for our national security are a grown-up bunch. I’m not losing any sleep [over Brexit] just yet.”
Stahnke agrees to an extent, but thinks that in the event of a hard Brexit, UK businesses will tighten up security to satisfy cautious European business partners: “We expect a push towards adopting more cybersecurity in the event of a hard Brexit, because European firms might be more wary of UK firms from a legal standpoint.”
Indeed, this seems to already be in motion, with more than half of UK businesses having increased cybersecurity spending since the 2016 referendum, according to data security firm Clearswift.
But the main thing is to keep informed as the telecoms landscape and threats evolve. In this way, companies and consumers certainly have the means to be protected as cybersecurity evolves in tandem – even though it’s unlikely cyber-attacks will ever be totally stamped out.