How a cyber-Richter scale could benefit CISOs

The phrase “world leading” is almost comically overused. The British government misapplied it with a frequency that bordered on the absurd in its post-Brexit press statements, for example. Many corporate minnows have done the same in a bid to punch above their weight in global markets. But a new British non-profit initiative could genuinely lay claim to such a title.

The Cyber Monitoring Centre (CMC) aims to do what has never been done before: to classify cyber events impacting UK organisations on a simple 1-5 scale. The hope is that, in so doing, it could help insurers price coverage more accurately and CISOs to improve cyber resilience and incident response plans.

Why we need one

Like their global peers, UK firms are increasingly reliant on IT and OT systems to function. Yet this also exposes them to a growing risk of digital extortion, service disruption and data theft. Such events can cause severe financial and reputational damage, as well as impacting customers and citizens. Over the past year alone, UK organisations and end users have suffered significantly from the global CrowdStrike outage and a ransomware attack on NHS supplier Synnovis.

Yet up to now, there has been no standardised way to categorise such events.

“Up until now The National Cyber Security Centre’s (NCSC) incident management (IM) team, which is responsible for triaging and categorising incidents, has been where people have traditionally turned to gauge the impact of an attack,” explains Trend Micro UK cybersecurity director, Jonathan Lee. “Its system works by considering the severity of the incident and its potential impact on the UK which then informed its response. However, this approach is based around directing the NCSC’s own resources towards managing the most significant UK cyber incidents.”

There are several reasons why measuring cyber incident severity is a challenge, argues CyXcel CEO, Edward Lewis, who helped to lead the CMC as a director during its incubation year.

“Unlike physical disasters – where financial loss, casualties, and recovery times are well understood – cyber incidents affect organisations in wildly different ways. A ransomware attack that cripples one company might barely touch another,” he tells me.

“Additionally, many incidents never get disclosed – whether due to legal concerns, regulatory pressure, or reputational risk. Even when they are reported, organisations don’t always share the full extent of the damage. That makes building a reliable severity model tough.”

Lewis adds that traditional approaches have focused too much on direct costs rather than the wider consequences of a cyber incident.

“A cyber attack doesn’t just stop at the victim. Supply chains, financial markets and even critical infrastructure can all be impacted in ways that are hard to measure,” he says.

“The CMC cuts through this by establishing a common framework for measuring severity, aggregating data across sectors, and giving CISOs and policymakers a clearer, quantified picture of cyber risk.”

What the CMC will do

The CMC’s inspiration is the Saffir-Simpson hurricane wind scale, which was designed by a wind engineer (Herbert Saffir) and a meteorologist (Bob Simpson) as a simple way to describe the potential impact of hurricanes. The CMC calculates a score from 1-5 for each qualifying cyber event, based on its financial impact to the populace and the percentage of UK businesses affected to the tune of over £1,000.

The CMC says that losses due to business interruption, data restoration, incident response, extortion, and transfer of funds, as well as “downstream impacts of a cyber event”, will be included. However, costs due to “liability, any fines or regulatory costs, apology payments, loss adjustment costs, and impacts to individuals” will not be considered in the calculations, as these aren’t often available in the immediate aftermath of an event. In any case, these costs are often “a transfer of costs, rather than the true financial cost of an event”, it argues.

Although it’s still early days, the CMC has been operating in stealth mode for a year, honing and testing its methodology, and expanding the public and private data sources with which its Technical Committee makes its all-important final assessments.

These data sources include public data from the NHS and media reports, as well as impacted organisations, and partners across incident response, breach lawyers, cybersecurity vendors, insurance claims handlers, and industry associations. It also includes event polling and industry-specific panels from the British Chambers of Commerce, and ONS Business Insights Data & Analytics and Conditions Survey (BICS) respondents. Parametrix helps with cloud monitoring and outage data, while Cirium offers insight into the impact of an event on the UK aviation industry.

The CMC is also developing a database of historical events and their impact, which will help with benchmarking, stress testing and calibrating models going forward.

“When an event occurs, we analyse the event and group the impacted organisations into those that can be modelled in a similar manner (“Archetypes”). We then collect available event data and model the financial impact to each Archetype,” the CMC says. “Through 2024 we developed models for aviation, healthcare (Synnovis event), and for widespread events (CrowdStrike event).”
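The archetype modelling the CMC describes above, reduced to its data flow, as an added example written for this article (it is not CMC code and the CMC’s internal schema is not public): impacted organisations are grouped into archetypes, only the cost components the article lists as included are summed, and the share of a business population with losses over £1,000 is computed alongside the total. The organisations, the population size of 1,000 and the four category thresholds passed to `Category` are constructed placeholders; the article does not publish the CMC’s real cut-offs.

```go
package main

import (
	"fmt"
	"sort"
)

// CostBreakdown separates the loss components the article says the CMC counts
// (business interruption, data restoration, incident response, extortion,
// transfer of funds, downstream impacts) from those it excludes (liability,
// fines/regulatory costs, apology payments, loss adjustment). Field names are
// this example's own, not the CMC's schema.
type CostBreakdown struct {
	BusinessInterruption float64
	DataRestoration      float64
	IncidentResponse     float64
	Extortion            float64
	FundsTransfer        float64
	Downstream           float64
	Liability            float64 // excluded from the score
	Fines                float64 // excluded from the score
	ApologyPayments      float64 // excluded from the score
	LossAdjustment       float64 // excluded from the score
}

// CountedLoss sums only the included components; excluded ones are ignored
// even when populated.
func (c CostBreakdown) CountedLoss() float64 {
	return c.BusinessInterruption + c.DataRestoration + c.IncidentResponse +
		c.Extortion + c.FundsTransfer + c.Downstream
}

// ImpactedOrg is one organisation hit by the event, tagged with the
// archetype it is modelled under (e.g. "healthcare", "aviation").
type ImpactedOrg struct {
	Name      string
	Archetype string
	Costs     CostBreakdown
}

// ArchetypeImpact is the modelled result for one archetype.
type ArchetypeImpact struct {
	Archetype string
	Orgs      int
	TotalLoss float64
}

// ModelEvent groups impacted organisations by archetype and totals the counted
// loss per group, sorted by archetype name for stable output.
func ModelEvent(orgs []ImpactedOrg) []ArchetypeImpact {
	byArch := map[string]*ArchetypeImpact{}
	for _, o := range orgs {
		a, ok := byArch[o.Archetype]
		if !ok {
			a = &ArchetypeImpact{Archetype: o.Archetype}
			byArch[o.Archetype] = a
		}
		a.Orgs++
		a.TotalLoss += o.Costs.CountedLoss()
	}
	out := make([]ArchetypeImpact, 0, len(byArch))
	for _, a := range byArch {
		out = append(out, *a)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Archetype < out[j].Archetype })
	return out
}

// TotalLoss is the event-wide counted loss across all archetypes.
func TotalLoss(impacts []ArchetypeImpact) float64 {
	var t float64
	for _, a := range impacts {
		t += a.TotalLoss
	}
	return t
}

// ShareAffected is the fraction of a business population whose counted loss
// exceeded the article's £1,000 threshold.
func ShareAffected(orgs []ImpactedOrg, population int) float64 {
	if population <= 0 {
		return 0
	}
	n := 0
	for _, o := range orgs {
		if o.Costs.CountedLoss() > 1000 {
			n++
		}
	}
	return float64(n) / float64(population)
}

// Category maps total loss and affected share onto a 1-5 band using caller
// supplied ascending thresholds. The article gives no cut-offs, so the bands
// are placeholders; the event takes the higher of the two bands it reaches.
func Category(loss, share float64, lossBands, shareBands [4]float64) int {
	band := func(v float64, b [4]float64) int {
		c := 1
		for _, t := range b {
			if v >= t {
				c++
			}
		}
		return c
	}
	lc, sc := band(loss, lossBands), band(share, shareBands)
	if sc > lc {
		return sc
	}
	return lc
}

func main() {
	// Constructed sample: four organisations across three archetypes; the
	// fine at "Shop D" is populated but must not count.
	orgs := []ImpactedOrg{
		{Name: "Lab A", Archetype: "healthcare", Costs: CostBreakdown{BusinessInterruption: 2_000_000, IncidentResponse: 300_000}},
		{Name: "Lab B", Archetype: "healthcare", Costs: CostBreakdown{BusinessInterruption: 500_000, DataRestoration: 50_000}},
		{Name: "Carrier C", Archetype: "aviation", Costs: CostBreakdown{BusinessInterruption: 800_000, Downstream: 200_000}},
		{Name: "Shop D", Archetype: "retail", Costs: CostBreakdown{BusinessInterruption: 400, Fines: 100_000}},
	}
	impacts := ModelEvent(orgs)
	for _, a := range impacts {
		fmt.Printf("%-10s orgs=%d loss=£%.0f\n", a.Archetype, a.Orgs, a.TotalLoss)
	}
	loss := TotalLoss(impacts)
	share := ShareAffected(orgs, 1000) // placeholder population of 1,000 businesses
	// Placeholder thresholds, not the CMC's.
	cat := Category(loss, share, [4]float64{1e6, 1e7, 1e8, 1e9}, [4]float64{0.01, 0.05, 0.2, 0.5})
	fmt.Printf("total=£%.0f share=%.3f category=%d\n", loss, share, cat)
}
```

The point worth noticing is in `CountedLoss`: a populated `Fines` field contributes nothing, which is exactly the “transfer of costs” exclusion the CMC describes, and an organisation whose counted loss stays under £1,000 does not move the affected share even if its excluded costs are large.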

Better for insurers

Given its origins as a proposal by global insurer CFC, it’s perhaps unsurprising that the centre’s output could be a major boost for the sector. It has been argued that the CMC’s cyber-event ranking system could help the industry price its policies more accurately, and improve how insurers cover “systemic incidents” which impact large numbers of businesses simultaneously. It may, for example, lead to simpler language in policies.

Assured director, Ed Ventham, is concerned the move could lead to more exclusions based on the CMC Scale, although he admits this could be better than vaguer scenario-specific exclusions which are more common today.

“We’re obsessed as an industry with systemic risk, and it feels like the sector has had a couple of lucky escapes of late,” he tells me. “But we’re generally supportive of better data being collected. I’m excited by the prospect of what the CMC will bring to the industry. There’s a good team and a lot of experienced people behind it.”

Driving black box thinking

Trend Micro’s Lee is enthused by the potential benefits for CISOs.

“It boasts all the hallmarks of the concept of ‘black box thinking’, something which has really benefited the airline industry, and it is a very welcome development. Every breach should be seen as an opportunity to learn to be more resilient in the future,” he tells me.

“This culture of openness and a robust methodology of breach impact analysis goes some way to making it easier for CISOs to understand the practical steps that they could take. Ultimately, as is the mantra in the public sector, our nation needs to continuously measure and understand risk, and take a proactive approach to cybersecurity.”

CMC CEO, Will Mayes, agrees that the initiative will be a boon for CISOs, in helping them to think through incident response strategies more clearly.

“For example, if a category 5 event were to occur, their incident response or other providers may have limited capacity to support them individually, given the number of organisations impacted. A CISO should consider alternative response plans in these scenarios,” he tells me.

“The CMC also creates a common language for talking about cyber risks that will help everyone within the cyber ecosystem to communicate about events to non-experts. It will provide greater clarity and could be used by a CISO to talk to executives about potential events, and get buy-in for security investment.”

It may also help security leaders demonstrate compliance to regulators and benchmark risk posture more effectively, Mayes argues.

However, there are limitations. For one, it doesn’t take into account the potential human impact of cyber incidents such as the Synnovis breach, which led to at least two NHS patients suffering long-term harm, according to Trend Micro’s Lee.

“Indeed, former NCSC CEO, Ciaran Martin, who chairs the CMC Technical Committee, acknowledged this at the launch event. He said that, although the CMC model categorised the Synnovis supply chain attack as a category 2 incident, in societal and human impact terms he would describe it as one of the most impactful cyber-attacks the UK has experienced lately,” he says.

“We should never forget the human impact that a cyber-attack can have in today’s digitally dependent world.”

CyXcel’s Lewis adds that the effectiveness of the modelling will depend on the quality of data fed in.

“The CMC’s success depends on getting enough organisations to share data. If participation is patchy, or companies hold back critical details, the output could be less reliable,” he says. “Cyber threats are also shifting constantly. The CMC will need to adapt and refine its models over time.”

Leading the way

Despite these challenges, Lewis describes the CMC as “a huge leap forward in cyber resilience”. So could the UK finally have a world-leading, world-first cyber initiative?

“Its success will depend on continued collaboration between government, industry, and cybersecurity professionals – ensuring its insights stay sharp and actionable,” Lewis concludes.

However, the CMC’s Mayes is less circumspect.

“We’ve already received interest and demand to replicate this approach in other countries,” he explains. “In response to demand from partners, we are actively exploring potential expansion to the US.”

Where the UK leads, others follow.

This article first appeared on Assured Intelligence.


Why Abuse of Digital Certs and Crypto Keys is the Biggest Security Threat for 2016

If there’s one major security trend of 2015 I’d predict causing even more trouble next year, it’s the abuse of crypto keys and digital certificates. Cybercriminals have simply found that abusing this layer of the internet is far easier, cheaper and often more effective than more traditional forms of attack.

Digital certificates stolen from Sony Pictures were later used to sign malware in order to make attacks more effective; and the same technique was linked to the Anthem and Premera healthcare breaches in the States.

And of course it was a similar strategy which contributed to the success of the Stuxnet attack.

Kaspersky Lab even said this week that the number of new malware files it detected this year has actually dropped, as hackers instead use stolen or bought digital certs to achieve the same ends.

Kevin Bocek is chief security strategist at Venafi – a firm which helps secure cryptographic keys and digital certs. He told me these foundational layers of trust on which the internet rests are being undermined by the latest developments in the black hat community.

“We’ve all seen that movie scene where the bad guy dresses up as a painter to gain access to a building; this is now what is happening in the cyberworld,” he told me.

“Bad guys are trading keys and certificates on the dark web and using them to crack into company systems – just look at Sony, the Snowden revelations and Stuxnet. They all involved stolen or misused keys and certificates.”

It doesn’t bode well for the future, with even current systems being architected in the same way – based on digital certificates.

“My concern is that moving forward industrial control centre malware could become bioweapons,” Bocek claimed. “This is because the moment you sign the malware with a valid certificate, it is essentially like a bio weapon. In the current climate, that’s frightening.”

That’s not all. The burgeoning Internet of Things space is ripe for exploitation in the same way, with cybercriminals likely to hold firms ransom by effectively taking over their smart devices.

“By taking a code-signing certificate and changing the entity it obeys, a hacker can change the firmware on a smart device to take control of it. Now when that sensor or smart device calls back to the ‘mothership’ who does it trust? The bad guy,” he explained.

“From a single point of compromise – the digital certificate – hackers and cybercriminals can take over a whole network of hundreds, thousands or even millions of smart ‘things’. This can then be used to blackmail companies – either cease operations, take on huge disruption, or pay up.”
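The trust failure Bocek describes, a device that accepts whatever the key inside a signed update says, is easy to see in code, so here is an added example written for this post (it is not Venafi’s code or any real device’s firmware loader). It uses Go’s standard-library Ed25519 in place of an X.509 code-signing certificate, and contrasts a naive verifier, which checks the signature against the key shipped in the update, with one that only trusts keys pinned at manufacture and honours a revocation list. The vendor and second key pairs, the payload strings and the `TrustStore` layout are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareImage is a signed update as a device receives it: payload, signature,
// and the signer's public key carried inside the update (the role a
// code-signing certificate plays in a real PKI).
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
	SignerPub ed25519.PublicKey
}

// TrustStore is what the device ships with: vendor keys it pins, plus a
// revocation list of key fingerprints the vendor has declared compromised.
type TrustStore struct {
	Pinned  map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Fingerprint identifies a key by the hex SHA-256 of its bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrUntrustedKey = errors.New("signer key is not pinned on this device")
	ErrRevokedKey   = errors.New("signer key has been revoked")
)

// SignFirmware is the vendor build pipeline step: sign and attach the key.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		SignerPub: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyNaive accepts any image whose signature verifies under the key
// shipped inside it. Any holder of any key, including a stolen one, passes.
func VerifyNaive(img FirmwareImage) error {
	if !ed25519.Verify(img.SignerPub, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyPinned accepts only images signed by a pinned, unrevoked key, and
// verifies against the device's own copy of that key, not the image's.
func VerifyPinned(ts TrustStore, img FirmwareImage) error {
	fp := Fingerprint(img.SignerPub)
	if ts.Revoked[fp] {
		return ErrRevokedKey
	}
	pinned, ok := ts.Pinned[fp]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pinned, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// ScenarioResult holds each verifier's verdict for the four cases below.
type ScenarioResult struct {
	GenuineNaive, GenuinePinned   error
	OtherKeyNaive, OtherKeyPinned error
	TamperedNaive, TamperedPinned error
	RevokedNaive, RevokedPinned   error
}

// RunScenario builds a vendor key, a second key the device has never seen,
// and a trust store pinning only the vendor key, then exercises both verifiers.
func RunScenario() (ScenarioResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	ts := TrustStore{
		Pinned:  map[string]ed25519.PublicKey{Fingerprint(vendorPub): vendorPub},
		Revoked: map[string]bool{},
	}
	payload := []byte("firmware v1.2 (constructed sample)")
	genuine := SignFirmware(vendorPriv, payload)
	otherKey := SignFirmware(otherPriv, []byte("firmware v1.3 (not a vendor build)"))
	tampered := genuine
	tampered.Payload = append([]byte{}, payload...)
	tampered.Payload[0] ^= 1 // one flipped bit after signing

	var r ScenarioResult
	r.GenuineNaive, r.GenuinePinned = VerifyNaive(genuine), VerifyPinned(ts, genuine)
	r.OtherKeyNaive, r.OtherKeyPinned = VerifyNaive(otherKey), VerifyPinned(ts, otherKey)
	r.TamperedNaive, r.TamperedPinned = VerifyNaive(tampered), VerifyPinned(ts, tampered)
	// The vendor later reports its key stolen and pushes a revocation: the
	// same genuine image is now rejected by the pinned verifier only.
	ts.Revoked[Fingerprint(vendorPub)] = true
	r.RevokedNaive, r.RevokedPinned = VerifyNaive(genuine), VerifyPinned(ts, genuine)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine   naive=%v pinned=%v\n", r.GenuineNaive, r.GenuinePinned)
	fmt.Printf("other key naive=%v pinned=%v\n", r.OtherKeyNaive, r.OtherKeyPinned)
	fmt.Printf("tampered  naive=%v pinned=%v\n", r.TamperedNaive, r.TamperedPinned)
	fmt.Printf("revoked   naive=%v pinned=%v\n", r.RevokedNaive, r.RevokedPinned)
}
```

The naive verifier is the “who does it trust? The bad guy” outcome: a signature under any self-consistent key is accepted, so a stolen or substituted signing key is indistinguishable from the vendor’s. Pinning fixes the substituted-key case, and only a revocation channel the device actually consults fixes the stolen-key case, which is why key custody and a working revocation path matter more than the signature check itself.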

Now, Venafi certainly has a vested interest in talking up the potential damage that abuse of certs and keys could cause.

But this is already happening in the wild with real consequences for organizations and their customers around the world.

Unfortunately 2016 is likely to see things get a lot worse before CISOs start to give this their full attention.


Data security incidents hit 47,000 in 2012

Last week I popped over to the Quarry Bay HQ of Verizon Business in Hong Kong to hear more about the annual Data Breach Investigations Report.

The report’s really come on since I covered it way back in 2008, and this year pulled data from an unprecedented 19 reputable sources including Scotland Yard, the US Department of Homeland Security and many more.

The Register covered the main news from the report when it was launched the week before – that China was responsible for a whopping 96 per cent of state-affiliated attacks – so I was keen to get some other APAC-relevant insight from the team.

Unfortunately there wasn’t much to be had; in fact, the report itself only mentions Asia Pacific once as a break-out region, to illustrate the top 20 threat types across the whopping 47,000 security “incidents” recorded over 2012.

What this probably tells us is that methods of collecting the data at the moment are pretty non-standardised across the globe, which makes drawing any clear comparisons difficult between regions.

Another thought that occurred: it’s fairly obvious that organisations across the globe suffer from the same kinds of information security risk – whether hacktivist, financially motivated criminal or state sponsored espionage-related.

As Verizon’s HK VP Francis Yip said: “No one is immune from cyber crime. As long as you have an IP address, you are a target, no matter how long you spend online.”

In this respect, there were no startling new trends as such to pull out of the report, aside from China’s consistent and persistent appearance as number one source of state-sponsored shenanigans.

This is probably good news for under-fire CISOs, now tasked not only with deflecting financially motivated cyber crime and attempts by hacktivists to take down their sites and steal credentials, but also under-the-radar information theft from APT-style attacks.

What’s also good news is Verizon’s assertion that the cloud is no less safe than any other form of computing system, as long as IT teams make sure they carry out due diligence on providers.

“Cloud can actually be more secure, because these providers are doing it on an industrial scale with staff who know what they are doing,” argued Verizon’s APAC head of identity and privacy services, Ian Christofis.

While all this is certainly true, I definitely got the impression from the briefing that many firms are still failing on the security basics.

“Could try harder” is probably a suitable report card take-away for businesses from 2012.