Crossword Cybersecurity is a software company based in Richmond upon Thames, just on the edge of London. The company was founded by Tom Ilube in early 2014 and makes products for companies to use in defence against online threats.
There are lots of cyber security companies out there, so you may ask ‘what makes Crossword special’? The twist is that we are a technology transfer company. That means our products are based on research and ideas brought about by the brightest minds in academia. We scour the research landscape across Europe, looking for the best ideas to commercialise.
When we find a project we like, we acquire the intellectual property and collaborate with the researchers. Our specialist cyber security software team builds the program and hosting platform as appropriate. All this allows us to bring the fruits of the research to market, so companies can use them on the frontline, in the defence against cyber criminals and hackers.
Cyber security is a hot topic at the moment, with more and more companies being attacked every year. There have been a number of high profile breaches making the front pages of national and international press, but there are also many attacks on small and medium sized companies.
At Crossword, we passionately believe that everyone should do what they can to protect themselves, but understanding this technical field is not easy for the uninitiated. We’re working to make the language and principles easier, from the boardroom of global corporations to the garage of local online retailers.
This is the first in a series of blogs, by which we aim to keep our followers updated on all things at Crossword. Please share this article freely and follow us.
“Cyber security, computer security or IT security is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Cyber security includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection. Also, due to malpractice by operators, whether intentional or accidental, IT security is susceptible to being tricked into deviating from secure procedures through various methods.
The field is of growing importance due to the increasing reliance on computer systems and the Internet, wireless networks such as Bluetooth and Wi-Fi, the growth of “smart” devices, including smartphones, televisions and tiny devices as part of the Internet of Things.”
Ok, so here we are with the second blog in your Executive (Cyber) education. Firstly, I need to make an apology. I made some grand statements in the last blog about providing practical advice. That will come, but before we get to that, it is important to understand some basic Cybersecurity terms, as these underpin everything else. Cybersecurity practitioners are a precise bunch – who can blame them, they have to be – so although practitioners need to be able to speak the same language as the board, Executives can meet them half way by understanding some of the key concepts and terms.
People are key to protecting your organisation, and they need to have the right level of understanding for them to be effective. The next few blogs will help raise your level of understanding.
It is not just about Technology…
We will start with some context and basic explanations on what cybersecurity really is. It is a common misconception that Cybersecurity is only about the technology that protects an organisation’s IT infrastructure, network, applications and devices (I will shorten these to IT Estate for ease) – and the data and information that they contain. Yes, that is a very important part of it. Cybersecurity, however, is a much wider concept. It is also about empowering the people who have access to an organisation’s IT Estate and data; the culture of an organisation; policies and processes/procedures; the governance of the organisation; and lastly physically protecting the organisation itself.
Let us delve a bit deeper into each one:
Cybersecurity can seem like a scary concept to non-practitioners, as it is assumed that it involves complicated technology that only expert developers and cyber professionals can understand. Whilst that is not entirely untrue, good Cybersecurity is no different to the smooth running of any other part of an organisation. There are complicated elements to it, as there are in a Finance Department, Strategy Department or on the production line of a car manufacturer, for example. However, like all parts of an organisation, there is a need for clear understanding and communications at the interface between general management and Cybersecurity practitioners, and effective governance (with underlying policies) should seek to do just this. Cybersecurity practitioners need to empower the people as well as enabling the Executive.
One of the reasons for a disconnect between the board, Executives and cybersecurity practitioners, is that practitioners can struggle to articulate cybersecurity in a language the management understands, and its applicability, i.e. in the context of the wider business. This is to be expected. Cybersecurity is a relatively new concept – the definition of cybersecurity only appeared on Wikipedia recently, and there is no seat on the board for the Chief Information Security Officer – but as it starts to establish itself even more, I would expect this to change.
To make the whole concept easier for you to understand, we have built a diagram below which shows a highly simplified example of what your organisation’s IT estate might look like, and how Cybersecurity applies to that. As we go through this blog series, this will form the basis of how we describe the different concepts. We will be using a fictional company XYZ Ltd. The larger and more diversely technical an organisation, the more complicated this diagram can become, but it forms a good building block on which to explain the key concepts.
Most people’s understanding of cybersecurity is focussed on protecting the organisation itself and its customers’ interests, and people mistakenly believe good cybersecurity defence is simply building a wall around the organisation. When you consider that the diagram above is a simplistic representation of an organisation, and that the reality is that organisations could have over 2,000 third party suppliers and possibly 100 offices, organisations have multiple areas that hackers could target. The image above does help to give us a starting point and we will add to this as we develop your knowledge.
So now, it is hopefully clearer that Cybersecurity is a much broader topic than people realise, and you now understand a little bit more about the different areas that are part of it. Next week, we will move on to talking about the different types of attackers who could be targeting your organisation. Until next time.
81% of large companies have reported a cyber breach at some point and the average cost of a breach is between £600k and £1.15m
‘Nearly half of UK businesses identified at least one cyber security attack in 2016, according to UK government data.’
In order to defend your organisation from cyberattacks, it is worth understanding the different profiles of attackers, because some organisations will only be randomly targeted, whereas others, particularly large multi-national corporations, will be targeted specifically. Understanding the motives of each type of potential attacker helps you protect your organisation as well as possible. Each type will also likely use different methods of attacking your organisation, and we will discuss the different attack methods later in the series.
Broadly, the different types of attackers are the following:
1. Cyber Criminals
2. State Sponsored
3. Industrial Competitors
4. Hackers
5. Hacktivists
6. Employees
We will now explore each one in more detail:
1. Cyber Criminals. This type of attacker has become far more prominent over the past 5 years, since traditional criminals have realised it is easier to make money illicitly through cybercrime than through traditional crime, and they are also less likely to get caught. Issues around jurisdiction also mean that it is far harder to catch and bring charges against people who are committing cybercrime. These types of hackers will generally commit fraud, redirect funds, or make money from selling individuals’ or companies’ financial and sensitive personal data. Ransomware is also a common methodology. Potential attackers have access to an entire ecosystem of tools which can be rented or purchased to help facilitate different types of attacks. They are based all around the world, but there is a prominence in Eastern Bloc countries, where there is a high standard of computer programming and a tendency for the state to turn a blind eye.
Their characteristics are as follows:
- Very commercial. Usually part of a wider group or syndicate. They will often go for easier (cost-effective) targets.
- Technically proficient and will be able to use the latest hacking skills.
- Good resources to draw from and able to move fast.
- Their targets are usually: Financial Services, Retail, Healthcare.
- Will also target individuals performing high value transactions – e.g. someone buying a house.
2. State Sponsored. Often linked to Industrial Competitors (below), with overlapping goals, including spreading misinformation, facilitating economic instability, gaining economic advantage and stealing Intellectual Property. They are:
- Highly trained and well-motivated, often performing determined protracted attacks.
- Fiercely nationalistic.
- Have a huge resource pool from which to draw and will often have cutting-edge hacking tools. They often take special care to hide their activity and minimise the traces it leaves.
- They target: Defence, Government, Energy and Utilities and also high-tech companies. We can expect anyone with access to future technology to be focussed on over the next few years.
- State sponsored hackers often make some of their tools available to the rest of the Hacking community to further their own ends and extend their reach. It also won’t be “state attributable”, so you wouldn’t really know that was happening anyway.
3. Industrial Competitors. This group is more interested in gaining economic advantage for their own company and stealing Intellectual Property. A recent study puts the cost of cybercrime at $24 billion to $120 billion in the U.S. and up to $1 trillion globally.
- Often from countries with less regulation regarding Intellectual Property theft.
- Will often coerce employees to steal financial information or Intellectual Property.
- Will also employ Hackers to steal the information themselves by gaining access to companies’ systems.
- Sometimes work in collaboration with the state.
- Targets all industries.
4. Hackers. This is a wide range of individuals, who will often work for some of the other types of attackers and also draw some of their tools from the other groups. These are often individuals who see breaking into an organisation as an intellectual challenge. For some this is just a hobby, but others want to gain notoriety and increase their standing within the hacking community, which communicates through forums and message boards. The two different types are:
a. Hobbyist. Often known as ‘script kiddies.’
- Resourceful and skill levels can vary.
- Will often use ready-made hacking tools widely available on the dark web.
- Motivated by boredom, the intellectual challenge or a desire to prove themselves among the hacking community.
b. Professional Mercenary. Can evolve from the ‘Hobbyists’ in order to make money.
- Guns for hire who will work for state actors, criminal gangs or industrial competitors alike.
- Access to cutting edge hacking tools through the underground hacking community.
- Very proficient and difficult to catch, or even know if you have been breached.
5. ‘Hacktivists.’ These are usually Hackers who are ideologically motivated, anarchists or anti-capitalists. They usually attack companies or Governments for political or ideological reasons. They attack commercial entities for anti-capitalist reasons, or because they disagree with how the corporation behaves and what it stands for. They may also be disaffected by social and economic inequality.
- De-centralised, often operating in cells in a similar way to terrorist organisations.
- Varied skill levels.
- Their goals are to disrupt companies and government entities. Think F-Society from Mr Robot.
6. Employees. These can be malicious employees acting as insiders, or employees making accidental errors. We will mainly focus on malicious insiders in this instance. This is more commonly known as the ‘Insider Threat,’ encompassing all threats from employees, malicious or accidental, and is often the largest vulnerability to any organisation. The distinction is between employees who unwittingly supply information to hackers wishing to gain access to the company’s IT estate and data, and disaffected employees who maliciously steal data or assist hackers in their attempts to access the organisation’s IT estate and data. We will discuss this in more detail in later blogs, but organisations with strong cultures, where employees genuinely buy into company goals, are less likely to have malicious insiders, and will also be more likely to spot insiders, malicious or otherwise.
- Malicious insiders may be commercially, or ideologically motivated. Or they may be a former employee who still has access to systems, or who has stolen data.
- They are likely to know exactly where to look and will often be highly professional.
- Their goals are usually to steal intelligence (from Government organisations – think Edward Snowden), trade secrets or Intellectual Property, or to divert funds.
- A well-motivated and intelligent insider is extremely difficult to protect against, but there are a number of safeguards that organisations can put in place: developing a strong culture, only giving people access to the systems they need, robust internal audit, and transparency in the monitoring of leavers and joiners procedures are just some of them. It is worth pointing out that when Edward Snowden worked for the NSA, via Booz Allen (a Consultancy), he went through extremely stringent vetting procedures and was not deemed a threat, so sometimes it is just impossible to identify an insider.
So, that’s the end of our third blog. Next week we will be giving an overview of some of the most common attacks.
CESG, ‘Common Cyber Attacks: Reducing the Impact.’
City AM, ‘Access Denied: The fight against cyber criminals.’ – https://www.cityam.com/281657/access-denied-fight-against-cyber-criminals
US Chamber of Commerce, ‘The case for enhanced protection of trade secrets in the Trans-Pacific Partnership agreement.’