The report on the current state of the cyber security industry from the NCA and NCSC explores numerous avenues of the UK cyber security industry, noting that ransomware is a “significant and growing” risk.
It also states that connected devices and wearables are at risk and are going to be targeted more in future.
Hackers, the report warned, will target smartphones, watches, smart TVs and fitness trackers to hold people to ransom over their personal data.
Ransomware is a type of malware that locks a user out of their data, which will only be released once payment has been made (although it is far from guaranteed).
The report highlights the increasing use of ransomware, as the use of the virus has surged over the last year. It has become increasingly prevalent and cyber attacks in general are becoming more aggressive.
The reason devices like these are increasingly susceptible to attacks like these is because the built in security is limited and often looked over by manufacturers.
>See also: The UK’s new National Cyber Security Centre
David Mount, director, security solutions consulting EMEA at Micro Focus did argue that it is a positive that this discussion has become part of the national conversation, but agreed that there is an inherent problem, “we still have a long way to go to encourage connected tech companies to build security into IoT products from the start. All too often device vendors prioritise usability and customer experience over security, and that is putting consumers and businesses at risk. Quite simply, IoT security can no longer be treated as an afterthought.”
“In line with other industries, we’re probably going to need government intervention around legislation and safety standards to protect internet connected devices. Exposure of consumer data is a serious and present risk, but with the number of IoT devices set to grow exponentially, a well-coordinated IoT attack could be used to pose a very real threat to our national critical infrastructure – not to mention online banking, emergency services, and commerce in general.”
The risk to business is “significant and growing”, the National Crime Agency and National Cyber Security Centre said in the report.
In their report, aimed at businesses, the agencies say: “This data may not be inherently valuable, and might not be sold on criminal forums but the device and data will be sufficiently valuable to the victim that they will be willing to pay for it.”
“Ransomware on connected watches, fitness trackers and TVs will present a challenge to manufacturers, and it is not yet known whether customer support will extend to assisting with unlocking devices and providing advice on whether to pay a ransom.”
The rise of cyber-orientated criminal gangs was also highlighted by the report and identified as a cause for concern. It suggested these groups use the same high-tech tools as governments to target financial institutions, while others can download more basic malicious software to target smaller businesses and the general public.
“Cybercrime has evolved into a dark global industry that’s growing in size and significance,” suggested Justin Coker vice president, EMEA, Skybox Security.
“While security professionals have observed this gradual “corporatization” of cybercrime, 2017 will be the year non-security folks begin to recognize this fact as well and this report helps clarify things greatly.”
“Criminal “companies” now operate together, employing similar tactics as legitimate industries: selling packaged tools and platforms to their customers; providing malware-as-a-service; demonstrating innovation, usability and professional excellence; and offering outsourced capabilities with training and technical support.”
“For any legitimate businesses still thinking cybercrime doesn’t have industrial strength behind it, they will likely find themselves the next target. Which make this assessment more than just a wake up call.”
Gartner predicts that by 2020 around 20.4 billion devices will be connected. The security threat will therefore grow.
Donald Toon, director for economic and cyber crime at the NCA, told the BBC devices that devices used by businesses to control operations automatically have an online capability within them.
“They’re mass-produced and the security may not be particularly good,” he said.
“Businesses often don’t change the basic security software that’s in there, or change the passwords.”
The true scale of cyber attacks is hard to measure, although according to the NCSC, since its formation three months ago, there have been 188 “high-level” attacks as well as “countless” lower-level incidents.
Ultimately, reports like this are fundamental in addressing the growing cyber security issue, highlighting what exactly is the danger and how to fight against it.
Awareness and knowledge sharing are a huge portion of the battle, as Joep Gommers, CEO, EclecticIQ concludes: “Today’s report from the NCA and NCSC is a welcome initiative in making the UK a world leader in cyber security.”
“The report stresses the importance of collaboration and the sharing of knowledge if we are to fight against the evolving threat landscape. Thankfully, the way we share information is already starting to change. Standards are maturing, technology is maturing, and there is a big push from government to set up collaborative initiatives to ensure the public and private sectors are sharing insight on threats.”