ISPs: the first line of defence against cyber-crime

Richard Hollis at Risk Crew argues that Internet Service Providers must work far harder to counter cyber-crime: and their business clients must demand that they do so.

 

In 2016, the internet was brought to a standstill after criminals launched a devastating DDoS attack on the Domain Name Service (DNS) provider Dyn.

 

Using the colossal Mirai botnet, which consisted of thousands of compromised IoT devices that had been infected with the Mirai malware, criminals flooded Dyn’s network with traffic, knocking it offline, while taking down 175,000 of its customers in the process.

 

The incident took down large swathes of the internet, including Netflix, the Guardian, Amazon, PayPal and Twitter. It was the biggest cyber-attack of its time, demonstrating to businesses and consumers just how destructive a force cyber-crime had become.

 

The attack also raised the vital question around whether Internet Service Providers (ISPs) should be doing more to curb cyber-attacks that result in costly downtime for businesses.

 

Yet, almost seven years later, while cyber-crime has surged to unprecedented levels, ISPs are still doing little to contain the threat. In the years since the attack on Dyn, cyber-crime has skyrocketed: data now shows fourteen million online files are stolen every day, and cyber-crime has affected almost every citizen and business on the planet.

 

So, if things are not getting any better on the cyber-security front, is it time for businesses to demand ISPs tighten the rules on who they let through their digital doors?

 

The power of ISPs

ISPs are undoubtedly the gate keepers to the internet. They service their customers with internet, while controlling, monitoring and facilitating traffic. But the club that they guard is getting rougher by the minute. There are no minimum entry requirements and, once inside, there are no rules, no laws or policing. The internet has turned into a digital wild west.

 

This means every time businesses or citizens log on to the internet, they are faced with a flood of dangers. But is this fair? Given that they pay ISPs for a service, shouldn’t the service they receive be safe and not put their data, finances and lives at risk?

 

The reality is there is a lot more ISPs could do to curb cyber-crime. But while they provide the pipelines, they take little responsibility for the raw sewage these pipes deliver into homes and businesses.

 

This is something the World Economic Forum has recently released guidance on. The organisation joined forces with a group of ISPs and released four preventative principals that ISPs can adhere to in order to reduce attacks on their customers.

 

The recommendations ranged from stopping known threats from reaching customers, raising awareness among peers and customers on cyber-threats, vetting supply chain security, as well as implementing machine learning and threat detection software to detect attacks.

 

These recommendations are all critical today. But the key problem is that  not all ISPs abide by them. Instead, many of the largest ISPs are motivated by bandwidth. If customers are using their networks, they are making money. What the bandwidth is being used for, doesn’t concern them.

 

However, given that it is paying customers that suffer the consequences of this, is it now time for businesses exercise their rights as consumers and demand more from their ISPs?

 

When it comes to cyber-risk today organisations have a lot to lose. Not only do insecure networks affect their data, but they also put their customers at risk, expose them to regulatory fines and successful attacks can erode customer trust and share prices in seconds.

 

Surely more needs to be done.

 

Current legislation

Within the UK, legislation was introduced in November 2021 called the Telecommunications Security Act, but this more specifically addresses the security requirements of ISPs themselves, rather than monitoring and mitigating threats and malicious activity taking place on their networks.

 

The Act focuses on the need for ISPs to patch vulnerabilities, monitor their supply chain and ensure their services are constantly available for their customers, but there is little focus around the visibility ISPs hold into threat activity and the power they hold to curtail it.

 

Given this lack on legislation, could businesses use their power as paying customers to demand more?

 

Time to ask for more

With cyber-crime now being a critical threat to all organisations today, it is time for businesses to start asking for more from their ISPs to help them counter the threat. Otherwise, they are paying for a sub-standard service that seriously jeopardises their livelihoods.

 

As a result, before organisations sign up to an ISP, it is worthwhile asking to see what controls they have in place to keep their networks secure, up to date and available, but also asking what they are doing to monitor and reduce threat activity occurring on their networks that could impact their operations.

 

ISPs can see where traffic is coming from, they can see when traffic activity surges towards a specific site, they have the ability to block specific users and sites, so why are they not using this power to curtail cyber-crime?

 

If there is any one single component the digital world needs that could make the internet considerably more secure instantly – it falls into the hands of ISPs. They are in a unique position to be able to implement minor changes that would bring major benefits.

 

By simply installing basic filters in their pipes, ISPs could dramatically clean the sewage businesses and citizens receive every time they log on to the internet. It’s time for them to start putting this into practice.

 

Cyber-crime is undoubtedly today’s biggest risk today, and while ISPs are the gatekeepers to the internet, they are doing little to curb the threat.

 

More accountability is something every business should be asking before they sign a contract with an ISP. If they are paying for an ISP’s services, they have a right to use them safely.

 

It’s time for businesses to expect more and demand more, and hopefully then ISPs will use their unique position as gate keepers to the internet to make the online world a safer place for everyone.

 

---

Richard Hollis is CEO of Risk Crew

 

Main image courtesy of iStockPhoto.com