Interview

New horizons in cybersecurity: An interview with Gareth Williams, VP, Secure Communications and Information Systems UK at Thales

Fraudulent websites advertising PPE and antiviral equipment. Fake Microsoft Teams and Skype notifications. Scam emails mimicking reputable sources like Johns Hopkins Corona Virus Resource Centre or the World Health Organisation (WHO).

These are just a few examples of the phishing and malware attacks that cyber criminals and hacking groups are employing to capitalise on the disruption caused by the outbreak of coronavirus and the increase in online activity and home-working.

The National Cyber Security Centre, a branch of the intelligence agency GCHQ, reported it took down roughly 2,000 COVID-19 online scams over the month of April, including more than 470 stores selling fake coronavirus-related items, more than 550 malware distribution sites, and 200 phishing sites designed to harvest user data.

Despite increased risks, the methods employed by hackers are not particularly new, says Gareth Williams, VP, Secure Communications and Information Systems UK at Thales, a European leader in cyber security and information assurance with a strong presence in both France and the UK. 

‘The techniques for cyberattacks have not changed and are not more sophisticated than they have been in the past,’ he says. ‘What has changed is people’s behaviour, and the preponderance to click on content related to COVID-19.’

Advice for organisations

According to Williams, secure systems including those for remote working are vital, but organisations still need a degree of flexibility in their operations and communications. ‘The idea of a simple fence around the garden is not what we recommend anymore.’

He says that education of staff and other stakeholders using your IT systems is crucial, including the ability to spot attacks or suspicious behaviour before it has unwanted consequences. He recommends that businesses and organisations carry out regular phishing tests to help staff build their resilience to attacks.

‘The key is not to view the exercise as a punitive activity,’ says Williams. ‘It should be a learning opportunity for everyone, and a process which is implemented with the buy-in of staff.’

He also recommends that business to engage with the National Cyber Security Centre(NCSC), which issues best practice around test phishing attacks. They also offer a range of toolkits for businesses of all sizes to help in their approach to cybersecurity.

New threats

While phishing emails and malware are hallmarks of IT-related cyberattacks, Williams notes new threats in the rapidly growing area of OT, referring to operational technology, computer and technological tools used to control complex systems like energy grids and traffic signalling. 

‘IT professionals have been doing cybersecurity for years. But they are only just waking up to it in OT, and it is truly the next horizon for cyber criminals,’ he says. Thales works with both IT systems and OT infrastructure systems for aerospace and transportation sectors, including rail signalling for the London underground. 

As rapid digital transformation continues in organisations in both the public and private sector, there are concerns that cybersecurity strategies developed for data-centric IT systems are not best-suited for protecting operational technology, and often were lives are at stake.

‘These systems are safety and resilience critical,’ says Williams. ‘Attacks on these systems are not just about ransom wear – protecting these systems means keeping people alive.’

The convergence of systems is also an area of concern for Williams and his team, who work with organisations and public bodies on integrating their IT and OT systems. He also notes another area of risk for companies who have made an acquisition of other companies, and who systems may not be immediately compatible, leaving room for hackers to exploit weaknesses in their security.

As the joining up of IT and OT grows as a business imperative, alongside an increase in cybersecurity breaches, it is clear that the protection of information and systems is a crucial battleground for organisations of all types.