News & Blog

Incentivised Security Companies Exaggerating Hackers’ Skills

By Francis West on 8th February 2017

The technical director of the UK's National Cyber Security Centre has said in a security conference speech that computer security companies may be exaggerating the abilities of malicious hackers.

Exaggerating to Boost Security Sales.

During a speech at the Usenix Enigma security conference, Dr Ian Levy of the National Cyber Security Centre appeared to say that companies specialising in cyber security may simply be playing up hackers' abilities as a means of boosting sales of their own security hardware and services to frightened businesses.

Like Witchcraft.

During the speech Dr Levy is reported as saying that the extent to which hackers’ skills had been overplayed, and the way in which security companies appeared to claim that only they could defeat them, resembled medieval “witchcraft”. Continuing the theme, Dr Levy is reported to have said that security companies had therefore been able to present their hardware as a kind of "magic amulet" that could ward off hackers.

Dr Levy reportedly pointed out that security companies are incentivised to define, often in frightening language, a false public perception of hackers as highly skilled masterminds.

Not Always That Sophisticated.

One example Dr Levy used in the speech to illustrate the point that cyber attacks are often not very sophisticated was from last year. He highlighted the case of a UK telecommunications company that had been attacked using a technique older than the teenager thought to be responsible for the attack.

NCSC Already Protecting Government Departments.

One key message of the speech was that the work of the UK's National Cyber Security Centre (NCSC), which was only set up in October 2016, has already protected a government department from spam, phishing and other web-borne attacks. The system the NCSC used for that department had been so successful that it may now be rolled out to other departments.

What Does This Mean For Your Business?

Although Dr Levy made some good points, they should be viewed in the context of a speech made by someone with detailed insider knowledge, just before a Commons Public Accounts Committee report questioned the effectiveness of the UK's digital defences. For businesses that are not experts in cyber threats and security, and that are faced with anecdotal evidence, regular media reports, perhaps personal experience, and reports showing cyber crime levels to be high, assuming that cyber criminals are sophisticated and skilled is a healthy default. The NCSC does offer useful cyber security advice and recommendations to business. It is also important for businesses to take the threat of data breaches and cyber crime seriously and, at the very least, to set up simple systems and methods to tackle the basic known threats. This could include:

  • Making sure that staff receive relevant awareness messages and training, to ensure compliance and best practice and to help avoid costly human errors.
  • Making sure that default passwords aren’t used, that passwords are strong and/or changed regularly, and/or making two-factor authentication compulsory.
  • Keeping up with patching and updates for all computers, even old ones that are rarely used. Make sure that third-party CMS plug-ins are patched too.
  • Helping to defend against phishing by making sure that your email filtering works well, segmenting your network, and using layered authentication rather than static passwords when moving between network segments.
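The password and two-factor points above are the kind of basic hygiene that would have blocked many of the unsophisticated attacks Dr Levy describes, and they are easy to check mechanically. The following is an added example written for this page, not NCSC or vendor code: it rejects default or weak passwords at the point where they are set, and audits a small constructed account inventory for default credentials still in use, stale passwords and privileged accounts without 2FA. The default-credential list, the 12-character and 365-day thresholds and the sample accounts are all assumptions for illustration.

```python
"""Basic credential hygiene checks: reject weak passwords at set time, audit an inventory."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed list of well-known default credentials (illustrative, not a real vendor list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("user", "1234"),
}
MIN_PASSWORD_LENGTH = 12       # assumed policy
MAX_PASSWORD_AGE_DAYS = 365    # assumed rotation policy
AUDIT_DATE = date(2017, 2, 8)  # date of the article, used as "today" for the sample audit


def _digest(password: str) -> str:
    # Toy unsalted hash so the inventory can be compared against known defaults.
    # Real systems store salted, slow hashes (bcrypt/scrypt/Argon2); the policy
    # logic below is what matters, not this hashing choice.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


DEFAULT_DIGESTS = {(user, _digest(pw)) for user, pw in DEFAULT_CREDENTIALS}


@dataclass
class Account:
    username: str
    password_digest: str
    last_changed: date
    mfa_enabled: bool
    privileged: bool = False


def password_problems(username: str, password: str) -> list[str]:
    """Checks to run when a password is being set, before it is stored. Empty list = acceptable."""
    problems = []
    if (username, password) in DEFAULT_CREDENTIALS:
        problems.append("default credential")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("fewer than three character classes")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def audit_accounts(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Flag accounts that breach the basic policy; returns {username: [issues]} for offenders only."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        if (acct.username, acct.password_digest) in DEFAULT_DIGESTS:
            issues.append("default credential still in use")
        if (today - acct.last_changed).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than policy")
        if acct.privileged and not acct.mfa_enabled:
            issues.append("privileged account without 2FA")
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample inventory: one untouched default admin, one healthy user, one stale admin.
SAMPLE_ACCOUNTS = [
    Account("admin", _digest("admin"), date(2015, 3, 1), mfa_enabled=False, privileged=True),
    Account("jsmith", _digest("Correct-Horse-Battery-9"), date(2016, 11, 20), mfa_enabled=True),
    Account("backup", _digest("Summer2015!!"), date(2015, 6, 1), mfa_enabled=False, privileged=True),
]


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    print("setting 'admin'/'admin':", password_problems("admin", "admin"))
    for user, issues in audit_sample().items():
        print(f"{user}: {', '.join(issues)}")
```

Running it reports the `admin` account for all three issues and `backup` for a stale password and missing 2FA, while `jsmith` passes. In practice the inventory would come from a directory or device export rather than a hard-coded list, and the default-credential check would be run against the vendor's published defaults for each device type.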