
Addressing the growing complexity of cyber-security

Rik Ferguson at Forescout argues that understanding the increasing complexity of cyber-security is more important than ever

 

Let’s play a game of what if.

 

The UK government offers citizens ‘Foreign Travel Advice’ to keep them safe when they travel abroad. Countries are flagged with warnings about pickpocketing, terrorism, and political unrest. Sometimes, travel is advised against entirely.

 

But what if the government did the same for the digital world? 

 

The online safety bulletin would be bleak, surely carrying a permanent red warning.

 

“Over two billion identities stolen or leaked in 2024. Hostage situations unfold every minute. Billions stolen every year. Trust no one. Trust nothing… Avoid, avoid, avoid.”

 

But, unlike a high-risk destination, we can’t avoid the internet. 

 

This is why knowing how to stay safe and navigating this complexity with clarity is more important than ever.

 

When digital met physical

Cyber-security has undergone a seismic shift in recent years. 

 

Geopolitical tensions are no longer confined to diplomatic channels or battlefields; they are increasingly linked to cyber, resulting in digital attacks breaking through their virtual boundaries to inflict real-world damage on society. 

 

It’s no longer just script kiddies with nefarious computer skills. Today we are facing well-funded threat actors, often working on behalf of governments, who are motivated to cause lasting harm not just to systems, but to citizens. 

 

This is something that had been predicted for many years, but today we are seeing cyber-attacks and physical assaults happen daily, and at scale. 

 

In the past year alone, to take just a small example from a wave of malicious activity, the world witnessed two huge cyber-attacks on the UK and US healthcare systems, both executed by groups operating from Russia.

 

The ransomware attacks disrupted the services of two prominent players in healthcare, with each incident causing monumental and lasting damage.

 

In February 2024, Change Healthcare—a critical link in the US healthcare supply chain—suffered a ransomware attack at the hands of ALPHV (a.k.a. BlackCat), an infamous Russian ransomware group. The attackers encrypted key systems and demanded a $22 million ransom to restore access.

 

Change Healthcare paid.

 

But in a dramatic twist, the ALPHV operators vanished, leaving the affiliate who had carried out the breach empty-handed. Furious, the affiliate defected to a rival ransomware group, RansomHub, and extorted Change Healthcare a second time, threatening again to leak the stolen data.

 

This incident didn’t just highlight the ruthlessness of cyber-criminals; it exposed the chaotic, treacherous nature of the ransomware ecosystem itself. One of the most critical players in US healthcare found itself not just attacked, but re-victimised, by competing criminal networks vying for ransom money, all while patients and providers were left in limbo.

 

The fallout was staggering; half of Americans were affected. Hospitals, doctors and pharmacies were unable to process insurance claims, leaving patients without access to care. The total financial impact? An estimated $3 billion, making it the most costly and dramatic cyber-incident in history.

 

In June 2024, Synnovis, a provider of pathology services to London hospitals, was hit by a ransomware attack executed by the Russian cyber-crime group Qilin. This breach severely disrupted operations at several NHS hospitals across London, forcing the postponement of thousands of medical appointments and surgeries.

 

One of the most critical impacts was on blood transfusion services. As affected hospitals were unable to safely match blood types, they had to rely exclusively on O-Negative, the universal donor type. This contributed to a national shortage of O-type blood supplies, prompting the NHS to issue an ‘Amber Alert’ and an urgent appeal for public donations.

 

These incidents underscore that cyber-attacks are having physical consequences and, armed with nothing more than a keyboard, hostile nations have the power to inflict serious harm on their enemies. 

 

It’s also not just Western countries under attack. 

 

Cyber has also played a key role in Russia’s invasion of Ukraine and in the ongoing conflict in the Middle East. These digital assaults often coincide with physical campaigns, targeting government, utilities, financial organisations, and the information space itself through fake news and propaganda.

 

Complex supply chains exacerbating risks

One of the biggest challenges organisations face today is the sheer complexity of their digital environments. It’s no longer about protecting what you own. Modern networks are deeply entwined with third parties, suppliers, service providers, cloud platforms and software vendors, all of which greatly expand the attack surface.

 

And attackers know it. 

 

As the Synnovis attack showed, Qilin didn’t need to target the NHS directly to cause national disruption. By targeting a third party, they were able to cripple hospital services, delay surgeries, and trigger a public health alert.

 

In this interconnected world, digital resilience isn’t optional — it’s essential.

 

So, in a landscape where the odds seem stacked against defenders, what can organisations actually do to stay safe?

 

The five ‘Knows’ for staying safe:

  1. Know your threat model: Understand what you have and what needs protecting. This means understanding how your organisation operates, who you do business with, and how those relationships could be exploited. A comprehensive threat model should be tailored to your organisation, identifying potential attack vectors, vulnerabilities and exploitable processes.
  2. Know your enemy: Know who might target you — and why. Understanding the threat actors most likely to go after your sector, along with their motives, tools, and techniques, is key to building a relevant and proactive defence strategy.
  3. Know your risk appetite: How much risk can your organisation tolerate — and where are the red lines? Clarifying your risk appetite helps you prioritise security efforts and make informed decisions about trade-offs between convenience, cost, and control.
  4. Know your security posture: Continuously assess your security posture against your risk appetite and compliance requirements. By regularly assessing your security posture and understanding the technical measures you have adopted to protect your assets, you can understand your level of cyber-resilience, spot gaps, and take action before attackers do. 
  5. Know your limits: Unfortunately, no organisation is limitless. Whether it’s budget, people or technical capability, knowing your constraints allows you to plan more effectively, focus resources where they matter most, and seek support where needed. 

We can’t avoid the digital world, and yes, it can feel like hostile territory. But by understanding the risks and knowing where we stand, we can navigate it with greater safety, confidence, and control.

 


 

Rik Ferguson is Vice President of Security Intelligence at Forescout.

 

At this year’s DTX Manchester, Rik will be presenting on how to address the growing complexity of cyber-crime. During his session, he will discuss how geopolitical uncertainty is influencing cyber-security strategies and provide advice on how organisations can stay safe in today’s increasingly complex and hostile digital world. Join him on the Cyber Hack stage on Wednesday 2nd April from 2:05PM to 2:30PM.

 

Main image courtesy of iStockPhoto.com and cokada



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543