1 Aug 2021
Cyberattacks are nothing new. However, now the intrusions are far more dangerous – and the veterinary world has proved to be far from immune from this insidious and potentially costly threat…
Back in November 2019, KrebsOnSecurity highlighted the story of National Veterinary Associates – a US company with more than 700 locations in the United States, Canada, Australia and New Zealand – which was trying to recover from a ransomware attack in October that affected more than half of its sites. The attack affected patient records, payment systems and practice management software.
The problem is acute, according to the Cyber Security Breaches Survey 2021 from the Department for Digital, Culture, Media and Sport. It found that 39% of businesses were subjected to a cyberattack or breach in a 12-month period and 21% lost money, data or other assets. Further, the average cost of the cybersecurity breaches these businesses experienced was estimated to be £8,460. For medium and large firms combined, the average cost was higher, at £13,400.
Worryingly, according to insurance broker Lloyd and White, which sells cyber insurance for veterinary practices (other providers are available), 42% of businesses do not know about or have no intention of buying insurance protection.
So, what is a cyberattack? According to Dai Davis, solicitor and partner at Percy Crow Davis and Co, the Wikipedia definition of “any attempt to expose, alter, disable, destroy, steal or gain information through unauthorised access to or make unauthorised use of an asset… that is a computer information system, computer infrastructure, computer network, or personal computer device” is one that he agrees with.
He says that it “matches the broad definition of an offence under s1 of the Computer Misuse Act 1990, which criminalises any action that ‘causes a computer to perform any function with intent to secure access to any program or data held in any computer where that access is unauthorised’.”
Roy Isbell, a cybersecurity specialist and advisor to the UK Forensic Science Regulator, agrees. He defines a cyberattack as “fundamentally the interaction of a threat actor with a particular system with the intention of achieving a particular outcome”.
As to where the threats originate, Dai says that some are performed by “script kiddies”, “who try to hack into a system for fun”. For the criminally minded, making money is the goal and they’ll attack anything where it pays them to do so. “They may,” says Dai, “adopt a scattergun approach, sending out millions of scam emails in the expectation that only a few people will fall for the con – alternatively they may target a particular ‘rich’ target, but in a more subtle, considered manner.”
Of course, at the extreme, states such as China, Russia and North Korea attack companies to steal technology.
Worryingly, as Roy points out, COVID has altered the landscape somewhat because “we now have a more distributed business model with workers working from home, often on shared networks with only limited security implemented”. He has seen a significant increase in attacks directed at organisations directly involved in dealing with the pandemic or involved in vaccine research.
Making a similar point, Dai has found that any newsworthy topic may be used to persuade a staff member or individual to click on a link that will take them to a compromised website.
No system is perfect. But Dai knows “that the amount of effort it takes to breach a system is proportional to the amount of effort taken to secure the site in the first place”. He cites one of the first ever recorded security breaches, where a website could be hacked by clicking on a certain part of the web page in a public part of the site with the left mouse button instead of the right mouse button. Doing so revealed other customers’ details.
Moving on, Roy talks of a process developed by Lockheed Martin that maps the stages of a cyberattack. It is called the Cyber Kill Chain, and he says that its steps are reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. “Each step,” says Roy, “is required for the subsequent step to have a chance of being successful. A security breach is not a single event or tool, but a combination of knowledge, skills and intelligence used in sequence to achieve the effect or outcome the threat actor wants to achieve.”
For him, the only way to achieve 100% security is for a system to not be connected to any form of external communications. He emphasises that cybersecurity is about managing risk – “this requires that we spend time evaluating and understanding the cyber environment, and what it is we need to protect; it is not always the data that requires protection, but the systems themselves – especially where the system is deemed critical.”
As both experts detail, no easy way to counter cyber threats exists.
Apart from an organisation’s own systems, Roy would also look at the supply chain, “especially where processes may share data between firms”. For him, “an understanding of the firm’s cyber ecosystem is essential… and not just focused on the data that resides on the various IT systems it may have”.
Dai, on the other hand, would create a budget and bring in an independent consultant. He cautions against placing too much reliance on specific security products, “many of which are good, but which solve only the security issue that the particular vendor advertises”.
Staff training is something else to consider; the more there is, the lower the probability a staff member will introduce harm to the business.
But as Dai warns, “training needs to be regular. There is little point in only training during induction week and then not following that training up with regular reminders… staff may be sent a malicious email containing a spurious link at any time”.
Roy too values training. He says that “the most efficient and well-understood security environments I have witnessed are where the company has worked to develop security as part of the culture of the organisation. A combination of carrot and stick is used to great effect without defaulting to a punitive strategy on what happens should a breach occur”.
And then there’s the option of placing a warning on every email that a staff member receives from an external source, telling them that it may be malicious. Davis thinks this unlikely to be of much assistance – “it is likely to be ignored as the staff member is anxious to read the email, not the header, let alone the repeat warning in the header”.
Crucially, Roy recommends including cybersecurity breaches as part of business continuity and disaster recovery planning: “While some firms have been unable to continue after a cyberattack, those that have had a robust incident response plan have not only been able to recover, but recovered faster and, as a consequence, minimised the overall impact on the business and its operations.”
Those that do nothing, and that suffer an attack, risk legal fallout. Dai points first to the fines for poor security under the civil part of GDPR – the General Data Protection Regulation. He says that the probability of a fine is tiny, but the risk of criminal sanction under the GDPR is not: “Criminals, like regulators, have limited budgets and look for ‘low-hanging fruit’. If you can make your business more secure than that of your competitors, it will be enough to persuade some criminals to look elsewhere for a softer target.”
Beyond that, Roy says that an organisation that does nothing should expect to suffer a security breach at some point, if it has not already. But apart from implementing security, he states that “it also requires some form of monitoring… and if no monitoring is implemented, the firm will not know it has been breached until the breach is made public”. When this happens, there comes a natural question – “who would trust an organisation that does not take security seriously?”
And then there’s the risk of corporate failure…
So, when evaluating security, firms need to consider not just their own situation, but also that of their supply chain. Hackers who gain access to systems could make far more by not revealing that a breach had occurred.
Management has been warned.