“That is one feature of cyber attacks – attribution is very difficult. There are justified fears about cyber warfare and attacks on critical infrastructure. The fact is that we are likely to see more like the Ukraine attacks, which are almost like an alternative to economic sanctions,” he adds.
Before the Ukraine attacks, there was a widespread assumption that not only were such attacks not possible, but also that no one would want to perpetrate them.
The WannaCry attack earlier this year, which caused severe disruption to the UK’s National Health Service, Germany’s rail network, FedEx and a host of others, attacking more than 300,000 computers in 150 countries, highlighted the number of organisations with computers that run out-of-date software or fail to fix vulnerabilities in their systems. It is not just hospitals that are vulnerable – a lot of critical infrastructure has old computer systems, because they were built to last at a time when today’s digital connectivity had not been considered. The same goes for military installations and equipment, much of which has been in service for decades.
The key to making national and private infrastructure and networks more secure is to take security concerns into account right from the start.
If security resilience is designed in from the beginning, it is much cheaper and easier – retrofitting is always more expensive and problematic.
“To a certain extent, the technology can be the easy part. We know most of the things that we need to do and putting the right measures in place can make a big difference,” Buffey says. “But maintaining it afterwards can be difficult, because cyber awareness is still not always embedded in business culture. There is a real need to change perceptions so that organisations treat it with the importance that it deserves.”
In this regard, your workforce is both your greatest asset and your biggest risk. They can highlight when something has gone wrong, but they can also introduce vulnerabilities.
While many products on the market claim to help improve cyber security, technology on its own is not enough. “We prefer to have a long-term relationship with a client, because quick fixes don’t really achieve anything,” says Buffey.
However, for companies offering advice in this area, it can be hard to make the case for action. Buffey says, “You are telling people: ‘this is something that you’ve never had to worry about before, but now you do and you’ll never be finished.’ It is not an attractive sell.