By John Grainger
When a large UK outsourcing company was hit by a ransomware attack last year, it did what every victim of cybercrime usually does: it kept quiet about it.
That’s because the reputational damage can be costly, and that’s on top of the immediate financial loss, which in this case was believed to be in the billions.
“I can promise you, that CEO probably wishes that he or she had had some practice with ransomware before having to face the press,” says Armor cybersecurity evangelist Miguel Clarke.
Clarke has been tackling computer crime for over two decades, making him something of a pioneer in the field. He joined the FBI in 1998 and after a couple of years “jumping out of moving vehicles and putting the bad guys in jail”, he started to focus on matters digital, moving to the National Cyber Investigative Joint Task Force and specialising in intrusions from the People’s Republic of China.
He’s now a “civilian” and a highly sought-after cyber security consultant to companies that are serious about making themselves impregnable to online attacks.
As well they might – cybercrime is currently worth over $6 trillion a year. Already the third largest GDPR in the world if it was a country, and it is forecast to grow to £10.5 trillion by 2025. It’s more profitable than the international drug trade and larger than every national economy except the United States and China. Little wonder it comes up for discussion every year at the World Economic Forum’s annual shindig in Davos.
Miguel recently came to the UK to speak about the issue at the invitation of Digital Craftsmen, one of Armor’s UK partners at a number of events in London, Leeds and Birmingham. His answer to the crime wave is, if you will, all in the mind.
“In the FBI, you are the individual – maybe the only individual – that stands between accomplishing the mission for the United States and failing,” he says. “So, you have a ‘no fail’ mentality. We don’t ever give up.
“If I were to be walking down the street and someone were to punch me, I wouldn’t consider myself to be a victim. I would consider myself to be a combatant in that fight, even if I didn’t end up winning.
“We’ve all heard those stories where somebody fought back. I think that’s an energy we can capitalise on in cybersecurity, because it’s not necessarily something that needs to be paid for. That is what I am espousing: a mindset, and it prioritises training with the idea of resilience behind it.”
But what does that mean in a business context? After all, very few targeted companies will see themselves as “combatants who didn’t win”.
“First of all, you need to prepare,” says Clarke. “You need to ask: ‘What are those elements that would create a business-ending scenario for us?’. And what decisions do I make today if I know that I’m going to have to speak to the press on Friday about the huge ransomware that’s going to hit my company on Thursday? Why wait until it happens to make these preparations? We have to think about resilience. We have to think about ‘how are we going to be OK?’, and that’s the difference really between a victim and a combatant.”
Those are questions that a lot of companies that have spent millions of dollars on cyber-security have never thought to ask. They may have cyber-security policies in place, but have never rehearsed what they would do in the event of a breach.
“They need to take half a day to game-plan the thing out,” says Clarke. “And they need to make it a challenge, because it’s better to have a friendly challenge than for these things to play out in real-time in front of the press.”
While playing “what if” may sound hypothetical, cyber-attacks are anything but, for many British companies. According to UK government figures, 39% of UK businesses experienced a cyber-attack in 2022, and of these 31% estimated they were targeted at least once a week. The cost of each attack was reckoned at £4,200 in 2021, but for medium and large businesses it was more like £19,400. For the largest businesses – like the outsourcing company – the costs often run into the millions, or more.
To spoil the criminals’ party, Clarke recommends targeted organisations never, ever to pay the ransom. Not only is it costly, but there’s also no guarantee the bad guys will keep their side of the bargain. In some cases, online extortioners have tried to monetise a breach three times: once through a payment to unlock locked data, another through a ransom under threat of making the breach public to cause reputational damage, and a third time by selling the stolen data on the Dark Web.
Clarke says: “It’s like somebody’s holding you hostage and they’re saying ‘give up your gun’ and then you’re like, ‘OK, I’m going to give up my weapon to you, and now I have no power and no choices – you dictate everything’. And companies are actually doing this.”
The answer, of course, is to pre-empt such attacks, or as Clarke puts it, “to have a post-breach conversation, pre-breach”. But while many CEOs are taking the issue seriously – 82% of UK senior managers say they see cyber-security as a high priority – others are still only paying lip-service to the dangers.
“I don’t think that everybody’s going to be able to do what we’re espousing,” says Clarke. “Some people want to be great, some people good, and others just want to be compliant. The conversation we’re having right now is for those folks that want to be great. The ones who just want to be compliant will eventually just go out of business because they manage risk poorly. The ones that want to be good will eventually figure out ‘I’m going to need to be great to stay alive, to stay in business’.”