Wednesday 22 January 2020 4:51 am

What lessons have we learned from a decade in cyber security?

Martin Lee is manager of outreach for cyber security research firm Cisco Talos.

A colleague recently asked me what I thought had changed in cyber security over the last 10 years. We agreed that it had certainly been a time of momentous change.

In 2012, there was the Shamoon attacks in the Gulf region. In one stroke, 35,000 computers were wiped and disabled within a matter of hours.

Five years later, the “WannaCry” virus ripped through IT infrastructure like wildfire, encrypting hundreds of thousands of computers in over 150 countries. Not only was the scale of the attack deeply concerning — it also took down vital services. Travel networks were affected, and medical appointments throughout the UK were disrupted.

The second large-scale incident of 2017, NotPetya, became the most damaging cyber attack in history, causing destruction estimated to be in excess of $1bn globally. The transport industry was hit hard, with ships stuck at port and staff having to ferry around pieces of paper to keep cargo moving. 

And just last year, our Cisco Talos researchers uncovered a global attack we named “SeaTurtle”, which compromised trust in the internet by undermining the DNS system that translates domain names into machine-readable IP addresses.

The media lens

Nobody could ignore the effects of WannaCry, but during the decade the media also helped increase awareness of cyber issues. Indeed, a ransomware attack became a plot device in the TV drama Grey’s Anatomy, while entire series such as Mr Robot and CSI: Cyber were devoted to cyber security.

Lessons in behaviour

The patter of the con man is as old as humanity, and over the past decade we’ve seen these weasel words increasingly transformed into online scams.  

Awareness of scams and malicious emails has risen thanks to bodies such as and the Information Commissioner’s Office, but the risk of falling for a phishing attack or clicking the link in a malicious email is never going to go away. 

To be human is to commit human error. Indeed, despite working in cyber security, I personally fell for my own firm’s internal phishing test. At the very least, I learned that you can’t be complacent when it comes to security.

Fighting back

As cybercrime has evolved over the decade, so have our responses. The chief information security officer has emerged as the C-suite role responsible for protecting networks and systems.

The government has also stepped up. In 2010, the UK National Security Strategy rated cyber attacks as the highest level of threat. The government later published the “10 steps to cyber security”, giving practical advice on how organisations should manage and counter digital risks. In 2016, the National Cyber Security Centre was formed to provide a single point of contact for the government on cyber security matters.

And 2018 brought further legislative changes. The Network & Information Systems Regulations mandated that providers of essential services must implement security measures to prevent disruption due to cyber attacks. The EU’s General Data Protection Regulation has also promoted rights for individuals over their personal data, backed up with the possibility of heavy fines for transgressions.

It’s never over

It has been a hugely eventful decade for cyber security, and the battle against cybercrime is advancing. Eventually, our understanding will reach the point that cyber attacks will be things of the past. But the ingenuity of those who seek to cause harm by subverting technology means that, although we are progressing, there is at least another decade of battle ahead.

Sign up to City A.M.’s Midday Update newsletter, delivered to your inbox every lunchtime

Main image credit: Getty

City A.M.'s opinion pages are a place for thought-provoking views and debate. These views are not necessarily shared by City A.M.