Nork hackers no pantomime villains, but a hugely unpredictable menace

I ain't Spartacus

I'm not sure companies should really care about rogue states using cyberwarfare teams. At least not specifically. Because I doubt that North Korea poses that much more of a threat to any company than any other random group of cyber criminals out for profit. I suppose there's more risk of horrible publicity, making you look really stupid, which is something criminals may not bother to do.

But the problem is that companies seem to be spending far too little time on securing their networks and information, given how quickly the threat is evolving. And how smart some of the "ordinary" cyber criminals have shown themselves to be.

So a random company just needs to worry about being as secure as it can be, and multi-layered security, so that access to some things doesn't automatically mean getting hold of everything. Only people at specific threat would need to worry about the state-sponsored attacks, and should hopefully be able to call on resources from their governments.

The problem is that cyber attack is so much easier than cyber defence. I do worry that our intelligence agencies may have been too excited by the shinies on offer, and so committed too much of their resources to attack tools. And not enough has gone into protection of our own networks and economies. But then, maybe that should be a different arm of government? Perhaps we should look at regulation in this area. Systemically important banks now have to undergo annual stress-tests, to see how they'd respond to another 2008-style crisis. Perhaps we should be making our large corporations, relevant government departments and particularly national infrastructure companies do something similar? So GCHQ could penetration test them - and see what bits of their networks and information are easily accessible and easily disruptable. And they should be tested on how they could respond to this, along with how they could recover from attacks that were designed to cause harm, rather than just steal stuff.

I know a lot of this already goes on. But not enough, I'm sure. And I bet it's mostly the companies like BT, who've already got strong connections with government. I wonder how much banking has been tested, given the creaking state some of their IT is in?
