Elections make for a volatile time, not only in politics but also in terms of resilience to cyber attack. They offer an opportunity for citizens to have an opinion on the governance of their country and beg the question, ‘do you have trust in the country’s governance?’.

The consequences of a cyber attack during an election campaign can therefore be extremely damaging; with the potential to both undermine trust and give life to disinformation campaigns that may have otherwise been ignored.

The Labour Party knows this only too well after suffering the consequences of two DDoS attacks in 24 hours.

While Labour has publicly said that they have dealt with the incident ‘quickly and efficiently’, it has led to a wider debate around cyber security and underlines that attacks do not necessarily have to be sophisticated in nature to succeed. Consequently, getting the security basics right is now more essential than ever before.

Disconnect in cyber confidence

Our research has shown that this disconnect isn’t so unusual. When surveying almost 300 CISOs we found that the cyber confidence among CISOs often doesn’t align with that of the business.

Indeed, more than a third of security professionals were not moderately or very confident with the final choice of security solution, despite 71% saying that their organisation touts its cyber robustness to partners and customers.

It is critical that security professionals and the wider business are on the same page when it comes to cyber defence. While it is natural that a CISO might be slightly more cautious about claiming the effectiveness of the security solutions in place – there is no silver bullet – this disconnect in cyber confidence should act as an alarm bell to organisations.

The reason for the disconnect in cyber confidence, could come down to a lack of security understanding. In the private sector, the majority (71%) of c-suite executives we interviewed admitted to having gaps in their knowledge when it comes to the main cyber threats.

What’s more the types and number of cyber attacks are vast. In recent years governments across the world have had to deal with Chinese state hackers reportedly stealing in excess of 21 million passwords from current and former federal employees of the OPM through government contractors.

The US elections in 2016 were allegedly infiltrated by Russian hackers and Russia has been accused of numerous attacks on Critical National Infrastructure (CNI), including that which caused major power outages in the Ukraine. Not to mention the NHS and multiple cities across the US that have been hit by ransomware.

A changing landscape for elections

It was only a matter of time before fierce competition on the campaign trail made its way into the online world. Attacks could be instigated by a competitive party or another nation state looking to cause disruption and undermine confidence in the broader electoral system and governance.

Regardless, recent history goes to show that elections will now be fought in both the virtual and physical world.

In terms of what this means for the current elections taking place, one thing is evidently clear; understanding of cyber threats, their significance and the potential consequences is key to being able to evaluate risk and defence.

Measurement of the security stack will be a fundamental part of this, but also ensuring that there is both breadth of visibility and the ability to early identify threats, is also fundamental to giving the security team confidence that they can defend against attacks.

Often an overlooked area of defence is to monitor for brand adjacencies. In a political climate where visitors to political sites will be at a high, ensuring that cyber criminals haven’t taken advantage of your brand to create a malicious domain, is just one aspect of security and reputational protection that should be implemented as standard.

Ultimately, confidence from the security team comes from both technical maturity, open communication and an understanding of the cyber threats and defence possible. Without this, any claims of cyber resilience are innately risky from both a security and reputational standpoint.

By Stuart Reed, VP of Cyber at Nominet.