Internet service providers are perfectly positioned to make a significant contribution to cyber security for everyone, BT’s Gavin Patterson believes
Internet providers must do more to work collectively with businesses and governments to protect citizens from the growing threat of cyber crime, according to Gavin Patterson, chief executive of the BT Group.
“BT focuses on cyber security in a number of critical ways,” he told the FT Cyber Security Summit Europe in London. “As both a network operator and internet service provider [ISP], we are trusted to help repel cyber threats on behalf of the UK.”
With more than 2,500 dedicated security professionals operating from 15 security operations centres around the world, BT’s “global reach and depth of expertise” provides a “unique insight” into the cyber threat landscape, he said.
Based on these insights, Patterson said the cyber threat is changing and is no longer mainly about espionage and hacktivism.
Although a growing number of countries are beginning to include cyber techniques in their modern warfare arsenal and hacktivism remains a significant risk, the threat has moved on, said Patterson. “Cyber crime is now more pervasive and insidious, with a deeper impact on businesses and society.”
At the same time, said Patterson, more people than ever are connected to the internet, while the number of connected devices is projected to grow from nearly 27 billion in 2017 to 125 billion by 2030 as the internet of things (IoT) takes off, creating more points of vulnerability for criminals to exploit.
“As our head of security put it to me recently, ‘any criminal with a brain is now a cyber criminal’,” he said. “They are after the new commodity of our age, which is data.
“Stealing our data is to steal our most valuable asset, and we are seeing this happen at a faster pace and with greater sophistication than ever before.”
According to Patterson, BT’s security team detects 100,000 unique malware samples and protects the company’s network against more than 4,000 cyber attacks every day.
The attacks fall broadly into the categories of cyber theft for financial gain, phishing attacks, business email compromise (BEC), denial of service attacks and cyber extortion, he said.
Patterson said half of all reported fraud is cyber-enabled, according to the National Fraud Intelligence Bureau, and in the past 12 months, BT has identified and closed more than 5,000 phishing sites aimed at stealing personal details to commit crimes.
“CEOs, too, are at risk with the rise of whaling [or BEC], where phishing techniques are deliberately targeted at board level to impersonate and abuse their authority,” he said.
Distributed denial of service (DDoS) attacks are a popular form of cyber vandalism where the “brute force” of thousands of computers can be used to take down websites, said Patterson.
“The financial and reputational impact of such attacks on retailers, banks, airlines and utilities can be devastating,” he said, adding that DDoS attacks are a daily occurrence for BT’s customer-facing websites, with its security team mitigating an average of about 50 serious DDoS incidents every day.
BT has seen these attacks grow in frequency and size in recent years, with attacks currently up to 650Gbps, which is an increase of more than 60 times in the past 10 years.
Cyber extortion exploits businesses’ reliance on technology and data to hold them to ransom, said Patterson. “With ransomware available for purchase on the dark web for as little as $50, criminals can enter this rapidly growing market with ease, which means more high-profile attacks are likely,” he said.
“Perhaps the most worrying aspect of the WannaCry attack is its relatively unsophisticated nature. It exploited a known vulnerability, and a patch was readily available, which is a stark reminder to all of us to get the basics right – update antivirus software, install patches, invest in cyber security training for staff, and remind them to be very wary of opening suspicious emails or links.
“The attack on Britain’s healthcare system resulted in cancelled operations, missed appointments and delayed diagnoses. It is therefore a public policy imperative that this kind of disruption is prevented in the future.”
In terms of what can be done to improve the response to escalating cyber threats, Patterson said the problem cannot be solved just by investing in the latest technology.
“What is also needed is a truly comprehensive approach,” he said. “For businesses, cyber security must feature at the very top of the boardroom agenda. It is critical for companies to have a robust cyber security strategy and policies that are kept constantly under review and continually put to the test.”
Patterson also recommended that organisations continually educate their staff on cyber security to turn employees into the greatest asset in the fight to protect data, prepare for the unexpected by testing responses to cyber incidents, conduct penetration testing and run red teaming exercises.
Constantly evolving threat
But although all these initiatives are important, they are not enough on their own to stem the rising tide of cyber crime because criminals are constantly evolving the sophistication of their attacks, he said.
“We need all companies, and ISPs in particular, to work more closely with governments to help neutralise cyber crime,” said Patterson.
“This includes tackling how to improve sharing of information about emerging threats and how to prevent cyber criminals getting access to their victims.”
Sharing threat information enables the development of a collective capability to intercept attacks before they hit, said Patterson, adding that BT is making good progress in this regard.
“We proactively reach out to firms impacted by cyber events to offer our knowledge, expertise and support,” he said. “We also support the UK government’s Cybersecurity Information Sharing Partnership [Cisp – now under the auspices of the NCSC] and work with Interpol to exchange threat information.
“As for preventing access to victims, this is a matter of how active ISPs are intercepting malicious software and web content. As custodians of people’s data, as an industry, we are responsible for being a part of the solution.
“We cannot expect to eradicate online crime entirely, but we can step up our collective efforts to curb cyber criminals’ success rates significantly. If ISPs work together, in conjunction with government, we can take further steps to target online criminal activity at source.
“This requires careful consideration, but through collaboration and consensus, I am confident we can win the battle against the cyber crime threat, and BT stands ready to rise to that challenge.”