‘ATTACKERS are going to get nastier and nastier. They have no morals whatsoever.’
It’s a stark warning that warrants attention, not least because of its source.
Tony Cleal is former British Intelligence and now runs a cyber security firm based in Guernsey.
‘In the olden days, if you wanted to rob a bank you walked into a bank with a gun,’ continues Tony, senior cyber and information security consultant at Guernsey-based Black Arrow Cyber Consulting.
‘There was risk of physical harm to yourself. You had to actually face the person you were robbing.
‘Now, the attackers are anonymous and they’re never going to see you. There’s no physical risk to them, which is why it’s attracting more and more people. The big players in ransomware are outsourcing the labour to smaller players. It has become commoditised with an entire service industry, with call centres and helplines where people sit and work in plush offices.
‘It is an industry worth billions of dollars. The people that are doing the work on behalf of others move up the food chain and then they start to outsource the work themselves. It’s growing and growing.’
He explains that online criminals have evolved their attacks from ransomware, which involves ‘kidnapping’ data by encrypting it until you pay up, to actually stealing the data and sending it outside its original source.
And while Guernsey may be seen as a safe place to live and work, Tony’s fellow director and technology lead James Martel notes that there is a risk as soon as you log on to the internet.
‘We have low physical crime, and you might leave your door unlocked or your keys in your car for example because you feel safe,’ said the senior cyber and information security consultant.
‘But as soon as you connect to the internet, you’re connecting to everywhere else in the world, with all of the low moral standards, crime and risks that go along with that.’
The point is reinforced by their colleague Bruce McDougall, also a director and senior cyber and information security consultant.
‘Because people in Guernsey feel safe, a lot of them don’t protect themselves as well as they should, but the amount of effort it takes for a cyber criminal to attack somebody in Guernsey is now so low that it is becoming more commercially attractive.’
With millions of online attacks around the world, Tony offers another analogy of living in a street where houses around you are regularly broken into.
‘You’re in a soundproof basement, so you think you live in a nice quiet, cosy neighbourhood. But actually if you knew that somebody was trying to force your window open 20, 30 times a day, you can guarantee you’d upgrade the bolts on your doors and windows.
‘People don’t see it because it’s invisible, but it doesn’t mean it’s not happening.’
It’s not just computers that are in the sights of criminals; it’s all devices that connect to the so-called internet of things. That means your mobile phone, router and even your car. That’s how serious the risk is, according to the Black Arrow team. IT is part of your defences, notes Tony, but it’s not the only thing to consider when assessing cybersecurity and risks.
He also highlighted incoming new regulations for regulated financial firms in Guernsey in relation to cybersecurity.
These are expected to come in during quarter one of 2021, he said, and are built around the NIST international standard. This includes monitoring and detection – an area ‘most firms are gapped on’.
‘If firms could see the extent of things going on, they’d realise they need to do more to defend against it. If you don’t have that visibility, it doesn’t mean attacks are not happening. And of course you must have the ability to recover when something bad happens,’ says Tony.
Bruce, whose previous roles include a global cybersecurity governance role at HSBC, adds: ‘That detection part is really, really important. Many people think that if something happens they will know about it, but a pickpocket doesn’t tell you they’ve just pickpocketed you. You find out later when you look for your wallet and it’s gone – and by then it’s too late.
‘But then other times it’s even worse because they’ve still left your wallet in your pocket and have taken a clone of your credit card and you don’t even know. It’s around making sure you have appropriate detection to know whether or not somebody has tried to attack you both, A, so you know and, B, so you can then stop it. And then recover as quickly as you can.’
It’s all food for thought and reinforces the need for businesses as well as individuals to consider cybersecurity and how to protect and defend against risks.