President Joe Biden’s recent call for American businesses to strengthen their cyber defenses has drawn much attention from security experts. Their consensus is that the President’s concern over Russia using its “sophisticated cyber capability” in retaliation for U.S. support of Ukraine is a valid one. In particular, these experts are concerned about attacks targeting critical national infrastructure (CNI) or other large businesses.

Scott Nicholson is co-CEO of Bridewell Consulting, a company that provides cybersecurity, managed security, and data privacy services as well as penetration testing across industries. Its work spans the U.K. and U.S. in sectors including CNI, finance, transport and aviation, communications, and central government.

Bridewell recently announced its expansion into the U.S. with a new office in Houston’s energy corridor. This growth comes at an opportune time for U.S. organizations, enabling them to more effectively secure the very businesses Biden addressed in his remarks. 

Mission Critical sat down with Nicholson to ask him about his thoughts on the Russian cyberthreat and what U.S. organizations need to be prioritizing. Here’s what he had to say.

Mission Critical: Before we get started, could you give our readers an overview of your professional background in cybersecurity?


Nicholson: I’ve been working in and around cybersecurity for the last 20 years. Initially, I worked as an analyst within the police service for 10 years before leaving to work for IBM on a vast number of global projects. After a few years of this, I was driving and leading cybersecurity for a number of U.K. cloud companies prior to setting up my own business. I was 12 months into operating my own company when I decided to join Bridewell as a director, merging my customer base with theirs. Over the years, I’ve delivered a vast amount of cybersecurity and data privacy programs that span most industry sectors, which is experience I brought to Bridewell when the company formed. Over the last eight years, I’ve been focussed on building Bridewell’s capabilities, working with key customers, and driving our strategy. I engage with industry bodies, heading up services with the likes of the U.K. National Cyber Security Centre (NCSC) and working with our teams, customers, and board to make Bridewell a truly global cybersecurity services company.

Mission Critical: Can you tell us more about why Bridewell is expanding into the U.S.?

Nicholson: Bridewell has had a global client base for the past eight years, predominantly delivered from the U.K. with international travel. We feel that Bridewell is in a great position to support the U.S., especially following the executive order (EO) recently released by President Biden. We’re highly accredited and have deep technical experience with some of the world’s largest critical national infrastructure organizations in industries such as transport, energy, and financial services, which brings real value to the U.S. market.

U.S. organizations are currently faced with a lot of challenges. Threats from nation states have been on the rise for years and innovative attack methods are significantly outpacing regulation, policy, and strategies. At the same time, U.S. companies are also under greater pressure in their digital transformation processes. With our experience across transformational consulting, ethical hacking, digital forensics, and 24x7 cyber defense, we’re excited to support organizations across the U.S. with these capabilities. We’ve been planning our expansion for the past several years and are looking forward to commencing this next part of Bridewell’s journey.


Mission Critical: You mention a growing need for cybersecurity among U.S. businesses. Is this solely in response to the war in Ukraine?

Nicholson: It isn’t the only reason, but that’s certainly part of it. As Biden said, Russia’s invasion of Ukraine has created a more pressing need for organizations to strengthen their cybersecurity. But his advice hasn’t come out of nowhere. It was only in mid-January when CISA — the U.S. Cybersecurity and Infrastructure Security Agency — warned critical infrastructure operators to take “urgent, near-term steps” against cyberthreats.

This earlier call to action was likely in response to Russian malware Microsoft identified in Ukraine at the start of the year. Going back a few years, we can see similar concerns in the U.S. in response to Russian malware like NotPetya and WannaCry. These latest statements from Biden are entirely warranted, but they only highlight what has been a continued risk for U.S. businesses for several years.

For me, there are many drivers, but I would say the key ones come down to companies wanting to use cybersecurity as a differentiator. By achieving compliance with certain frameworks, they can provide customer assurance, digital transformation, and cloud adoption, and mitigate the increased threat from nation states.

Mission Critical: So, this is part of an ongoing trend?

Nicholson: Definitely. Russia has a long history of targeting critical infrastructure and has been identified numerous times by different bodies. I think it would be a mistake to solely isolate this to Russian nation state activity, however. Ransomware attacks have been on the rise for years and these aren’t always from nation states. Often these attacks come from unaffiliated hacking groups looking for profit. There’s a particularly prominent history of this in the U.S. among financial institutions, government services, agencies, and utilities who have fallen victim to ransomware.

Mission Critical: Is ransomware the main attack vector businesses should be looking out for or are there other methods to be aware of?


Nicholson: Ransomware is a big one, certainly. Especially human-operated ransomware, which we discovered has been on the rise globally in some recent research we conducted. It poses a bigger challenge than your typical ransomware to businesses, as highly skilled attackers have their hands on keyboards. This means businesses need to be especially diligent with their cyber hygiene and become proactive in identifying threats, so they can stop them early in the kill chain.

We also talked about malware earlier, and I would expect this trend to continue as well. DDoS [distributed denial of service] attacks, network attacks, and advanced persistent threats are also possible threats to look out for. Realistically, it’s impossible to accurately predict what form these attacks will take, and doing so isn’t necessarily the best approach. Businesses are much better off increasing their cyber resilience as a whole so that they’re prepared for any eventuality.

Mission Critical: Aside from cyberthreats, are there any other pressing concerns for U.S. businesses?

Nicholson: I’d say the Computer Security Incident Notification Final Rule, which just recently came into effect, is an additional pressure for U.S. businesses. In short, it dictates that companies which are part of core national infrastructure must report any “significant” cybersecurity incident within 36 hours of discovery. This makes detection a bigger priority for a lot of organizations. For these industries, I’d recommend they improve their detection by implementing stronger audit policies and detection/hunt analytics.

The cyber skills shortage is another one. Having the right expertise and talent is fundamental to a business's cybersecurity — whether that’s in response to the war in Ukraine or other threats. To secure their businesses, then, they need to either nurture the right talent in-house, or they can look to work with an external consultant who can bring that expertise to them. By expanding to the U.S., we hope to help businesses overcome the cyber skills shortage by bringing our own expertise into the market.