London, Easter 2015, and a crew of ageing criminals led by ringleader Brian Reader pull off an audacious heist from a vault in Hatton Garden. Diamonds, gold, jewellery and cash amongst a haul of over £20m according to Scotland Yard. A burglary that, according to the presiding Judge, Christopher Kinch, ‘…stands in a class of its own’.
What on earth does this have to do with Cyber Crime?
Well it’s great to have a physical parallel to the ethereal world of technology, and there are many lessons to learn that apply to both.
And here at AdEPT we think it’s a risk that deserves attention. It’s estimated that, on average, a cyber incident costs an organisation $369,000 [1], with the loss of critical data, intellectual property and source files that can cost a company its reputation, let alone the financial loss. Research also suggests that 27.9% of organisations will have a data breach in the next two years, with 61% reporting a cyber-attack in the past year.
In any risk assessment there’s a simple equation – Risk = Likelihood x Impact. With Cyber the equation reads High Likelihood x High Impact = High Risk, and therefore High Priority!
Yet, Cyber Readiness (as measured by the insurer, Hiscox) remains low – that’s despite intense regulation (GDPR et al) and a mass of education. In the Hiscox survey only 10% reached their defined Expert threshold with 74% classed as novices. This in-depth study looked at two dimensions of readiness; technology / process on the one hand, and oversight / resourcing on the other, and is well worth a read.
Back to Hatton Garden – during the heist the alarm actually went off! A security guard was dispatched to the building to investigate. After wandering round, on a quiet weekend evening, he reported that the building appeared secure and no alarm was sounding, and a false alarm was declared.
The heist continued...
Human ill-discipline, lack of attention and poor processes are incredibly common causes of cyber-crime. For example, the most common password in 2018 was ‘123456’ [2], with ‘password’ a close second! It’s no wonder then that every 14 seconds a business will be attacked by Ransomware, with the frequency and type of attack rising every year. Criminals are targeting the weakest link – us humans!
So, the cheapest, but potentially the most difficult, defence against Cyber Crime is trained employees. Any Cyber defence strategy should look first at making people aware of the risks and the consequences. As data files grow exponentially, with thumb drives & memory sticks allowing information to be so easily downloaded and shared, the impact of complacency can be widespread and crippling.
It’s no wonder then that there’s been a rise in Identity and Access Management (IAM) tooling. AdEPT are increasingly delivering two-factor authentication solutions – demanding a fingerprint or evidence of ID from a second device – to prove an individual’s identity before they are allowed to open the ‘digital door’.
The most common form of cyber protection, Endpoint Security / Antivirus, helps here too. AdEPT are deploying a range of tools from market leaders such as Sophos, Symantec and McAfee that scan incoming threats and halt them before they get to that precious data.
Physical – the morphing boundary
Our Hatton Garden master criminal, Brian, and his crew spent two years planning the robbery. They visited the vault several times and obtained blueprints of the vault. They learnt that the building had been re-designed, leaving a weak point of entry – a lift shaft that gave easier access to the building, leading in turn to a metal doorway. The thieves abseiled down the lift shaft, prised open the metal door and entered an area covered by CCTV – more on that later – a hallway perfect to house a massive drill.
So, despite the security firm’s best endeavours, the ‘edge’ of the secure area in Hatton Garden had changed. This is not unlike businesses that are constantly morphing in terms of technology, employees, buildings and working practices.
In the world of cyber, firewalls were deployed to create a clear technical ‘edge’ defence. An insurmountable barrier, digital barbed wire patrolled by cyber guard dogs. Firewalls remain a necessary defence, AdEPT deploy this technology across thousands of schools for example, but they’re no longer a solid barrier. The ‘edge’ now changes constantly with employees bringing their own devices, using their own applications, browsing the web from work devices, sharing data using memory sticks and working from home. The digital world has created a porous barrier.
Physical – the challenge of age
In Hatton Garden the vault security was old, with out-of-date CCTV, poor alarm systems, and weak doors. The criminals had identified all the weaknesses in the ageing physical infrastructure.
This is no different to the systems embedded within businesses across the UK, which can at times be unloved and unmaintained. There’s a great recent case study that demonstrates the risks of a lack of maintenance.
The case study relates to a virus called WannaCry, where ageing Microsoft software created a technological open door for criminals.
In May 2017, IT Directors and Security professionals went white as a sheet as they learnt of the WannaCry ransomware attack, which infected unpatched Microsoft systems. Although the NHS was not the specific target of the attack, the impact in this world alone proved significant: 34 trusts were directly infected, 80 trusts experienced some indirect disruption, and 603 primary care organisations suffered.
6,912 patients had to cancel or re-arrange appointments (including 139 patients with an urgent cancer appointment).
As a result, the NHS increased spending towards cyber by over £150m [3]. Truly a case of bolting the door after the horse had bolted.
It’s clear that there is no silver bullet to this type of crime, but there are some basic actions that build defences, and removing the risk by continuously updating the IT estate is a necessity – not an option. It’s like fixing a car following an MOT to ensure that it’s safe to drive.
Can Cloud help?
At the end of the Hatton heist the criminals grabbed the hard drive, which was stored locally near the vault, and destroyed it – along with all the CCTV footage from inside the building. Yet again a low-tech security solution was easily foiled by the criminals.
Yet the risk of loss of images could, potentially, be easily remedied with storage of CCTV in the Cloud.
The Cloud is certainly a haven with expensive defences – AWS, Azure and all those other public cloud players invest massively in Cloud security. Microsoft alone fends off 7 trillion cyberthreats per day and allocates over $1 billion each year to cybersecurity [4]. It’s like a massive data vault – far bigger and more secure than a Hatton Garden hard drive for sure!
“Through 2022, 95% of cloud security failures will be the customer’s fault” – Gartner
Are criminals becoming more intelligent?
You can lock and bolt the front door, electrify the fences and buy in guard dogs. But, if you leave the back door open or invite the criminal fraternity into your data ‘house’, then all that security goes to waste.
The battle is constant, evolving, and with the advent of Artificial Intelligence and Robotics cyber-attacks are increasing in frequency and sophistication.
Just like ‘Basil’, supposedly the red-headed, bewigged brains of the team, the criminals are getting more and more clever.
OMG – what can be done?
Cyber security is about people, processes and technology. We can’t blame ignorance anymore – the search term Cyber Security reveals 548,000,000 Google hits. There’s a mass of information out there.
Prevention is certainly better than fixing the resultant mess.
If Hatton Garden had undergone a risk appraisal, a cyber MOT if you will, I suspect they’d have spotted the out-of-date kit, the old-fashioned security and the flawed processes. They’d probably have fixed it for a little less than the £20m stolen. A range of tools exist to reduce that risk & probability equation. At AdEPT we’d recommend:
• Undertaking a risk assessment
• Continually educating employees
• Evaluating and deploying tools
• Proactively maintaining the entire IT estate
• Understanding the boundary of your organisation
• Remembering that it’s a continuous process, as the threats morph and change
According to the Telegraph in 2015 the Hatton Garden vault saw a floor “strewn with discarded safe deposit boxes and numerous power tools, including an angle grinder, concrete drills and crowbars.” Of the £20m stolen in the Hatton Garden robbery some £9m is apparently still unaccounted for.
Cyber-crime doesn’t leave such a physical mess, but it does leave a financial, psychological and, in many cases, brand mess. So it’s well worth checking those people, processes and technology.
[1] Hiscox Cyber Readiness Report 2019
[2] SplashData annual list
[3] For local services, from 2018/19 to 2020/21
[4] Tech Republic article – 14 February 2018