Cyber security news roundup: June

We're rounding up some of the biggest security cleared stories of the past few weeks. In June, GCHQ warned of the risk of ransomware attacks, EA became the latest major company to fall victim to data theft, and the scale of breaches at UK councils was revealed.

Cyber insurance policies 'failing to improve security measures'

The growth in popularity of cyber insurance policies to protect firms in the event of a breach is not leading to businesses putting in place stronger defences, and may even be making the problem of ransomware worse.

This is according to research from the Royal United Services Institute (RUSI) think-tank, which said these policies could incentivise hackers to target firms using ransomware, as companies may determine the best response will be to pay up and then claim on insurance.

In theory, cyber insurance policies should encourage firms to improve their defences by requiring certain standards for coverage. However, RUSI's report noted that in practice, there is currently little evidence that insurance is fulfilling its promises of boosting security. 

Ransomware 'biggest online threat to UK', GCHQ warns

The head of GCHQ's National Cyber Security Centre has identified ransomware as the biggest cyber-related threat facing the UK and warned both businesses and individuals to take this seriously.

Speaking at the RUSI Annual Security Lecture, chief executive of the organisation Lindy Cameron said for the majority of UK citizens, the biggest threats come not from state-sponsored actors, but criminal gangs. In particular, tools such as Ransomware-as-a-Service kits, which can be easily purchased and used to extort money from businesses, are a growing threat.

"While government is uniquely able to disrupt and deter our adversaries, it is network defenders in industry, and the steps that all organisations and citizens are taking that are protecting the UK from attacks, day in, day out," Ms Cameron said.
    
EA source files offered for sale following data breach

A data breach at videogame maker EA has resulted in valuable intellectual property being offered for sale on the dark web, highlighting the potential risk companies face from these types of cyber thefts.

According to reports, 780GB of data, including source code for the developer's Frostbite engine - which powers big titles such as the FIFA and Battlefield series - are being offered by the hackers, who claimed buyers would "have full capability of exploiting on all EA services".

EA confirmed it had been the victim of a data breach, stating: "We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen." It also said no player data was compromised in the incident, adding it has already made security improvements and does not expect an impact on its business.

UK councils 'report over 700 data breaches a year'

Local governments in the UK are estimated to have reported more than 700 data breaches to the Information Commissioner's Office in 2020, an analysis of data obtained via Freedom of Information request has shown.

According to Redscan, which reviewed data from 60 per cent of UK councils, ten organisations had their operations disrupted by a data breach or ransomware, while one council reported 29 separate data breaches to the ICO last year.

However, despite this, almost half of council employees received no cyber training in 2020, while 45 per cent of councils employ no staff with recognised security qualifications. Redscan's chief technology officer Mark Nicholls commented: "There is significant room for councils to improve their readiness to tackle current cyber risks, as well as those that will emerge in the future as cities become smarter and more connected."

Cyber Security Council launches first initiatives

The UK Cyber Security Council - a government-backed body with the aim of developing the cyber security profession - has introduced its first two initiatives to develop clear standards for professionals and support the growth of cyber security careers.

It is inviting members of the Cyber Security Alliance to offer input on the creation of two new committees, a Professional Standards & Ethics Committee and a Qualifications & Careers Committee, which will focus on raising standards among cyber security practitioners.

Don MacIntyre, interim chief executive of the Council, said: "We don’t have the luxury of starting with something 'easy': professional standards and qualifications and careers are the two stand-out issues facing the profession, so we’re going to hit the ground running."