Successful companies should expect to be hacked or suffer a cyber attack and should plan accordingly, says the UK’s former assistant chief of Defence staff.
Major-General Jonathan Shaw, the British Army’s first head of cyber security and former government assistant chief of Defence staff, says companies should expect to be hacked and attacked and should take steps to minimise their exposure.
“I’d encourage people – particularly in the SME world – don’t get spotted, be invisible,” Shaw says. “The cyberspace is an insecure medium and it’s a dodgy place to be. If you can get hacked, you will get hacked. It’s a certainty. So don’t minimise your presence on the web, minimise your exposure. Don’t go bragging about yourself unless you really must. Now, I know that works against advertising, but be aware that the more you put yourself out there in the public space, the more you’re setting yourself up as a target.
“The first top tip is to minimise your exposure and realise that when you’re on the net, you are vulnerable. Make sure you never trade your privacy for convenience, because that’s what we all tend to do!
“Second point is, prepare to be hacked because you know you’re going to be hacked. The more successful you are, the more likely you are to be hacked. So, prepare for it. There are all sorts of great systems, so create resilience, create redundancy, train your people and prepare to be attacked.
“And the third thing is, it’s not just you and your organisation, it’s your supply chain. Insist on similar disciplines of your command chain, all simple stuff. So, minimise your exposure, prepare to be attacked, and make sure your supply chain also abides by good cyber hygiene.”
Shaw points to bad actors’ potential to launch major cyber attacks that are aimed at crippling national infrastructure.
“The most dramatic national cyber-attack was when Russia took offence at the Estonian government’s decision to move a statue of the Bronze Soldier from the centre of Tallinn to a graveyard. They felt that was an insult, so they basically turned off Estonia in 2007.
“They shut down their banking, they shut down their government and they shut down their media so they couldn’t even report on it. Basically, Russia sent a whole lot of botnets and DDoS attacks, which effectively shut down Estonia for weeks and months. That is why, curiously enough, Estonia is now the best practice for cybersecurity in Europe, if not the world, because they set up a cyber defence unit.
“The whole nation got involved because the whole nation realised that this is a really serious business and if you’re facing a big cyber-attack, it’s everyone’s responsibility to take part. If there’s one example that I would encourage everyone to look at, it’s Estonia’s response to the cyber-attack, because it shows not only the scale and seriousness of an attack like this, but it also shows the way that everyone is involved in this.”