Hackers 'are no longer winning', says KPMG cyber chief

Hacker in the shadows

Hackers are 'no longer winning the cyber crime war' following years of public and private investment and cross-industry collaboration, according to KPMG's global head of cyber futures David Ferbrache.

The nation's cyber resilience against hackers has improved over the past two years, with joint operations between law enforcement and the private sector frustrating opportunities for criminals to profit from cyber crime.

Speaking at a London technology forum on Thursday, Ferbrache said: "I'm not sure they quite are [winning the war], curiously... I would have given you a different answer two years ago."

"The takedown operations by law enforcement in conjunction with tech firms, telecoms, financial services are getting better, faster and more disruptive in terms of some of the things that the dark web sites use for trading information," he said.

He also said that active defence measures taken by the National Cyber Security Centre, that are being used to protect the wider population who cannot be expected to implement advanced cyber security protocols, are also very effective at keeping the bad guys at bay.

It's also becoming increasingly difficult to hack modern systems, something he observed during his time as red team exercise leader at the professional services firm, he explained.

"It's actually getting harder to break into well-configured systems than it used to be. I used to run the red team penetration testing for KPMG as well and our job was getting harder."

He added it's the systems that aren't well-configured that worry him the most, such as easily discoverable routers left with their default passwords unchanged.

Echoing the tone of the Westminster eForum discussion around the UK's cyber security capabilities, Fiona Boyd, head of cyber security operations at Fujitsu EMEIA, described the fight against hackers as "a constant war of attrition".

Boyd cited figures from the Student Loans Company, which in 2015 reported three cyber attacks on the business. A year later, that rose to 95, and in the fiscal year 17/18 that rose to 965,000.

Although Ferbrache said things are getting better, there was agreement on the panel that pervasive threats still threaten the cyber security of both the public and private sectors in the UK.

Smart malware

Jeremy Watson, professor of engineering systems at University College London (UCL), said that he was "excited" at the prospect of smarter, AI-powered cyber defence tools becoming available, but added AI-driven malware is already a threat.

"At UCL we've been looking at how AI can shape an attack system for industrial control systems and been able to show that it is possible to do that as well as to defend," said Watson. "So, if we can do that from an academic point of view then clearly people with malintent and the resources can do it in other ways."

Speakers added that 'secure by design' protocols should be implemented as soon as possible to help secure the growing internet of things (IoT) industry, which is set to explode as manufacturers capitalise on the demand for smarter devices.

This would include the creation of new business models to make securing IoT devices more attractive for manufacturers, according to Watson.

However, the panel warned that without legislation compelling manufacturers to bake security measures into the device as standard, it becomes a difficult task.

"If you look at the darker side of some security, it's like selling the absence of the negative - it isn't necessarily an easy sell," said Watson.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.