Charlie McMurdie, who spent 32 years in the Metropolitan Police, is senior cybercrime adviser at PwC consulting with clients on a range of global strategic and operational cybersecurity programmes.
She talks to us about how universities tick all the boxes for cybercrime risk factors – and how people, more than technology, are both the problem and the solution.
What are the latest trends in cybercrime?
"To put the latest cybercrime trends in context, technology is now integral to virtually everything we do. New technology and new features are constantly coming out, from the Internet of Things1 to biometrics2. The more accelerated the pace of change we go through, and the greater the demands from customers and companies to roll out technology quickly, the more opportunities there are for cybercriminals.
In terms of trends, there’s been an increase in denial of service (DDoS) attacks on companies, knocking them over, and also rogue emails – there’s been a 37% increase in phishing emails, with criminals using them as a point of access and compromise into organisations.
2016 has been called the year of ransomware, with an increase in the use of malware infections to lock down an individual’s or organisation’s data followed by demands for money, normally through the cryptocurrency Bitcoin, which in itself presents a challenge for law enforcement to try to track and trace for legal recovery.
One of the biggest features we see every time is the part that insiders seem to play in most of the breaches that take place. That’s insiders either deliberately engineering themselves into an organisation to gain a position of access, or gaining entry into premises through fake IDs. Or, often, employees just not following policy and process, perhaps through a lack of awareness, training or understanding, and doing something that results in allowing an infiltration or a breach to occur."
So, cybersecurity is less a technology problem than a people and process problem?
"Yes. There’s certainly fantastic technology and automated processes being rolled out but, at the end of the day, it’s always individuals making the decisions around how that technology should be used and checking it is safe and secure before it’s actually deployed.
Time and time again, when you look at most of the breaches, it is down to companies not checking who’s got access to their network and who should have various permissions within that network. If you give a member of staff permissions across the HR database, the finance database and more, you actually make that individual quite a nice target for cybercriminals.
If the criminals can compromise that person then they’ve got lots of access and permissions that they can then use for criminal purposes. It’s a very complex picture for those that need to defend and implement security."
What threats do education and research, in particular, need to be aware of?
"Universities are one of the top targets for cybercriminals and that's a top concern raised by most security services. One of the reasons is that universities aren’t just a place of education. They are where most of our cutting edge research happens and where a lot of our new technologies are up and running as businesses because that’s where they have been commissioned and developed.
But look also at how universities are set up: they’ve got a massive population coming and going all the time and that’s a huge group of users who want access to technology 24/7 and who want to have it all on the move. So you’ve got a large population that’s constantly changing and lots of end points that could present opportunities to cybercriminals and you’ve got some of the crown jewels of the latest R&D taking place.
On top of that, you've got a nice big population of students who have previously been targeted in scams – the student loans scam was a fairly high profile one - by criminals seeking to defraud them or use them for money muling purposes."
The recent PwC report Cybersecurity and Privacy Hot Topics said that one of the key points of an organisation's strategic approach to cybersecurity is to 'understand your adversaries'. In the case of education and research, do we have an understanding of who those adversaries might be?
"First of all, you’ve got different types of crime under the cyber banner. There are organised crime groups around the world that will look to capitalise on stealing data and turning it into monetary assets, perhaps by compromising financial credentials or taking over bank account details. Then there are the hacktivists, the likes of Anonymous. We’ve seen relatively young individuals attacking companies because they disagree with what they’re doing or how they’re doing it, whether it’s animal research or stem cell development – that might apply to universities.
Then there are the cyberterrorists using cybercrime for funding or market manipulation. The big concern here is the potential for blended attacks - using technology to bring down or take control of our utilities and perhaps blending that with a physical attack at the same time. And then you’ve got the 'state sponsored' attacks, attributed back to various nation states who might be attacking infrastructure or infiltrating and taking sensitive data for espionage purposes.
When you look at those different types of attacks, and different types of cybercrime, universities are clearly going to be a particular target because of the nature of what they do and the way that they are set up and the high value of the population on the networks."
So it sounds like universities tick all the boxes in terms of risk?
"Yes, they do. Cyberterrorism is an obvious area to look at in terms of compromising individuals. With some of the extremist activity that takes place, we see the befriending and social engineering of individuals, to gain access to networks, as a key factor. We need to encourage people to think about who it is that's communicating with them online.
We already recognise that risk with child abuse grooming - kids think they’re communicating with somebody of a similar age and background and it turns out it’s not, it’s actually a paedophile. Well, the same tactics and tools and issues are there when it’s organised crime. When somebody is doing what they’re doing for criminal purposes or terrorist purposes, you don’t necessarily know who it is you’re communicating with. We do tend to trust what we see on the screen."
What areas of risk do people most misunderstand or underestimate? It sounds like that’s one of them.
"You ask people how many friends they’ve got and these days it’s not three or four friends or even half a dozen friends, but ‘I’ve got 1500 friends’, because of social media.
That means they’re giving away what they’re doing, where they’re going, what’s exciting them, in innocent conversations and postings, which is really useful data for somebody who wants to use it for unlawful purposes. That's a big, commonly underestimated, risk."
You've described DDoS attacks as a 'diversionary tactic' rather than merely a short-term annoyance or disruption. Can you say a bit about that?
"The UK suffers significantly with DDoS attacks, in fact it suffers more than a lot of other European companies – we're one of the top three most targeted countries, along with the US and Japan. These attacks can be diversionary tactics. What for? It's possible to speculate - for extortion purposes, for testing to see if they have got the capability to knock over our infrastructure as and when they wished to? Is it stock market manipulation?
However, although cybercrime statistics in the UK are particularly high, we’ve also got quite a good reporting, intelligence sharing network here so we’re getting a better intelligence picture, and that in turn obviously pumps up our statistics."
There are some issues around openness when it comes to security breaches. Obviously, there’s an incentive for organisations to try to cover up security breaches. What is the best way around that and is there also, conversely, a security risk in revealing too much information about a security breach?
"We’re going to see more breaches being reported and made public. The EU general data protection regulation is coming out soon and significant fines will be imposed if companies are found wanting by having redundant or irrelevant data or inappropriate security or encryption to protect their data.
I think the risk is in not revealing the right information in a timely fashion. When breaches occur, the outcry is often not so much about the data loss or breach but why it took so long for the breach to be reported, and how it's done.
If a significant breach is dealt with by providing the correct information in a timely fashion and all the right steps are taken, it's rarely newsworthy. But if the organisation isn't prepared, if they don’t know what to do or say, if they don’t know what their message to the market or their shareholders should be, if they’re giving incorrect information and then they have to correct the information, that's a problem."
And that’s a leadership issue not an IT issue, isn’t it?
"It is. I think the culture is changing within companies. It used to be that cyber and 'all this technology stuff' was dealt with by the IT department and it was an IT issue. Now it is a board issue. The chief executive and stakeholders want to know what’s going on and have oversight of it to make sure things are dealt with appropriately.
Some companies are now creating positions where one person has overarching security responsibility covering IT, information, physical security, and people training. You need to bring all those different aspects of the business together to make sure that you haven’t got any gaps in your cybersecurity. If that position then reports up to the board, there is genuine oversight."
There’s been quite a lot of discussion recently about whether there’s a cyber security skills gap. Is there one, where is it and, if so, how can it be filled?
"Time and time again, people talk about the skills gap. But I know that there are thousands and thousands of fantastic people out there who have technology skills. You look at any of the universities, and the students on their masters and PhDs, and they’ve got cyber skills all over the place.
The issue is aggregating and utilising the skill set that’s out there. Cyber cannot be considered in isolation, we need to bring together the different skill sets that exist in organisations and share the intelligence. Technology is moving and changing at such a pace that you will never have one single person who is aware and up to date about every different aspect of technology.
Yes, you need network investigators, who can interrogate malware etc, but you also need, more generally, to have people who are keen, passionate, enthusiastic and intelligent. So it’s not so much a skills gap as changing who you’re looking for, who you’re recruiting and taking the people with the passion who want to learn and keep up to date, and they can be given the cybersecurity brief on top of their normal skill sets.
Cybersecurity needs to be integrated into all aspects of training now. So I’m not so sure that there is this massive skills gap, it's more that we’re not really investing in the right people in the right way."