Cyber security news roundup: March 2022

Published on: 1 Apr 2022

We're rounding up some of the biggest cyber security stories of the past few weeks. In March, the government's latest breaches survey revealed the state of the sector in the UK, warnings were issued to anyone using Russian-made software such as Kaspersky antivirus, and a new poll revealed the human impact of the Log4j vulnerability on security pros.

1 in 3 UK firms experience weekly cyber attacks

The government's latest annual Cyber Security Breaches Survey has been released, with the 2022 edition revealing that almost a third of firms in the UK (31 per cent) experience a cyber attack on a weekly basis.

Overall, some 39 per cent of businesses were the target of an attack in the last 12 months, with phishing, denial of service, malware, and ransomware among the tactics used. The figures, from the Department for Digital, Culture, Media and Sport, found 20 per cent of businesses experienced a direct negative impact as a result of such an attack.

The study also revealed many organisations are still ill-equipped to deal with these issues, with only 19 per cent of businesses having a formal incident response plan in place. What's more, just six per cent of firms have the Cyber Essentials certification to demonstrate their readiness for an attack.

NCSC urges caution over use of Russian tech

The UK's National Cyber Security Centre (NCSC) has warned businesses to be wary about using software from Russian technology firms in the wake of the country's invasion of Ukraine. In particular, high-profile companies and organisations providing services related to critical national infrastructure have been urged to reassess their risk.

Ian Levy, technical director of the organisation, said that while the NCSC has not yet seen the large-scale use of cyber attacks from Russia that some predicted, it is an area firms need to be aware of. He especially highlighted the use of technology from cyber security firm Kaspersky, which the NCSC had urged public sector organisations dealing with national security to avoid back in 2017.

"Regardless of whether you're a likely target, ongoing global sanctions could mean that Russian technology services (and support for products) may have to be stopped at a moment’s notice," he stated. This means that AV tools like Kaspersky may not be updated to address emerging threats. 

Impact of Log4j vulnerability on cyber security pros revealed

Almost half of cyber security employees worked overtime to contain issues caused by the recently uncovered Log4j vulnerability, with a quarter of professionals believing their organisations were less secure while the bug was remedied, a new survey has revealed.

The poll, conducted by cyber training organisation (ISC)2, found 48 per cent of cyber security teams gave up holiday time and weekends to assist with fixing the bug, which was discovered in December 2021 and described by the NCSC as "potentially the most severe computer vulnerability in years". More than half (52 per cent) said it took a month or more to remedy this issue, while 23 per cent reported they are now behind on 2022 security priorities as a result of the change in focus.

Chief executive of (ISC)2 Clar Rosso said: "Dedicated cyber security professionals are spread thin and need more support to effectively remediate zero-day exploits while still maintaining overall security operations." Rosso added that businesses must address this by "expanding their recruiting efforts, providing more resources and investing in the development and retention of their existing staff".

Microsoft urges greater efforts to get women into cyber security

Microsoft has called on businesses around the world to increase their efforts to recruit women into the cyber security profession, both to address the gender gap in the sector and help alleviate a continuing skills shortage.

In 2021, women made up just a quarter of the global cyber security workforce, the firm noted. It therefore commissioned research to uncover some of the reasons behind this gap. The study found that while 83 per cent of people agree there are opportunities for women in cybersecurity, women are more likely than men to regard this as "too complex" a career for them, while also being less likely to regard themselves as qualified for job openings.

Vasu Jakkal, corporate vice-president for security, compliance, identity, and management at Microsoft Security, said: "We can and should do more to encourage more people with diverse perspectives to enter the profession ... Security threats are increasingly complex, frequent, and impactful. The landscape requires a workforce of security professionals who bring diverse expertise, backgrounds, and skills to these cybersecurity challenges."