By Andrew Watterson
In my role as Business Crime Manager at the East Midlands Chamber (Derbyshire, Nottinghamshire, Leicestershire), I speak to businesses of all shapes and sizes about many different issues, but by far the greatest concentration of enquiries over these past few years are concerned with cybercrime.
Whilst the specifics of each case are slightly different (as, indeed, every business is different), the nature of the majority of these incidents falls into a comparatively small number of crime types.
There has been a significant shift in the methodology used by cyber criminals over the past couple of years in particular. Whilst traditional ‘hacking’ and malware are still prevalent, there has been a boom in other types of attack, in particular Ransomware and Social Engineering.
So, why has this happened?
Most prevalent v Most profitable
There is an old saying, “follow the money”, and nowhere is this more pertinent than when considering cyber-crimes against UK business.
If we look at the number of cyber-attacks over the past 12 months, we see that the usual cyber-attacks still feature highly:
- Phishing - 1.3m businesses affected
- Viruses - 1.28m businesses affected
- Hacking - 1m businesses affected
(Beaming Breaches Report, May 2017)
However, to understand why these emerging threats are becoming so popular, we need to look at the revenues generated:
- Ransomware - £7.4bn (388k businesses)
- Phishing - £5.9bn
- Social engineering - £5.4bn
(Beaming Breaches Report, May 2017)
As you can see, there were more than three times as many instances of Phishing against UK businesses in 2016, when compared to Ransomware, yet it yielded just 80% of the revenue.
The losses due to traditional hacking were <£1bn (£916m), meaning it can be argued that Ransomware is 20 times more profitable, per incident, than hacking attacks, and five times more lucrative than other forms of Malware.
The traditional attack vectors are still popular because they are very easy to automate, as they work on the premise that, if you cast your net wide enough, you’ll eventually catch something.
Social Engineering, and more sophisticated phishing attacks are, by their targeted nature, a lot more labour intensive but, for the criminal gangs who are willing to put in the effort, the rewards can be huge.
Dispelling the myths
There are a number of myths surrounding cyber security, which are impacting on businesses’ decision making:
- Skilled Hackers targeting businesses
There is still a perception that there are darkened rooms full of highly skilled hackers targeting UK businesses.
If you are a high value target, e.g. a large multi-national, a high profile business, or you are dealing with high value intellectual property etc., then this may well be the case. However, against the majority of UK businesses, the investment required to carry out such attacks just isn’t worth it.
After all, skilled labour is expensive!
A large proportion of the non-automated attacks are carried out by a relatively low skilled labour force, who simply find a ‘victim’, create/clone an appropriate email address, then copy and paste some text into an email (along with a weaponised attachment, in the case of Ransomware), and click ‘send’.
- I don’t have anything that hackers want
Unless you are in the “high value target” category, mentioned above, you may not feel that your business has anything valuable to hackers, or to anyone else outside your organisation.
However, the data your business holds is extremely valuable to YOU!
Data is the life-blood for many businesses. Without it many businesses could not operate. So, if you lost access to all of your company data, how much would you be willing to pay to get it back?
This is why Ransomware is becoming so popular.
- Cyber Crime is an IT issue
The technical safeguards which have traditionally kept us safe are still vitally important. However, as these safeguards become harder to breach, cyber criminals need to get creative if they want to get into our systems.
The beauty of the ‘plug and play’ type of attacks detailed above is that, because they aren’t automated, they don’t always have the indicative characteristics which allow them to be detected by anti-virus/anti-malware software, so they can be more likely to find their way past our firewalls and into employees’ inboxes than traditional malware and mass-mailings.
Once these emails land in an inbox, there is relatively little that can be done if someone opens the attachment or, in the case of attacks like invoice fraud, trusts the ‘sender’ and carries out the instructions on the email.
- It’s someone else’s job
As you may have guessed from this last statement, if fraudulent emails get past your IT defences, your staff are the only thing standing between you and a potentially significant loss. Now imagine that the employee in question had no knowledge of cyber-attacks, and believed instead that the IT department were solely responsible for stopping cyber-attacks…
It doesn’t bear thinking about, does it?
The truth is that nothing is 100% effective, so it is everyone’s responsibility to be vigilant.
Education and good business management are just as important to preventing cyber-attacks as the IT infrastructure itself.
Embedding a cyber security culture
As you may have surmised by now, cyber security is not simply an IT issue, or something that can be eradicated by installing a magic box.
There are three elements to any system, and cyber security is no exception:
- Technology – your IT ‘estate’
- People – your staff
- Process – how you let your staff use your IT
Effective cyber security can only be achieved when all three work in harmony:
By ensuring that you have all the necessary IT safeguards in place on ALL your IT assets, including mobile devices, printers, access control systems, CCTV (basically anything connected to your network), you reduce the risk of something getting through.
You also need to ensure that these safeguards are regularly updated – the threats are constantly evolving, your systems need to evolve too.
A properly briefed, situationally-aware workforce are your last line of defence, should something get past your technical security measures.
They need to understand the risks to the business, and their role in preventing cyber-attacks.
Training should be done in three strands:
- Training for directors – awareness of the risks, governance requirements etc
- Training for all
- Training for high risk groups – more focussed training for people within your organisation who are especially at risk, e.g. the accounts department
However, training is not a one-shot deal. This needs to be an ongoing programme of work, with regular refresher and update sessions.
If you were to learn to drive a fork-lift truck, you could come back to a fork-lift after several years and it will look pretty similar to how it did when you learned to drive it - BUT, as stated already, cyber-attacks are constantly changing. If we were still only looking for the threats we were experiencing a few years ago, we would miss the vast majority of today’s attacks.
The way members of staff use technology in your business has a profound impact on your vulnerability to cyber-attack. Left to their own devices, employees can get up to all sorts. So you need to impose a framework for them to operate within.
Just as you wouldn’t let every employee have access to your banking and accounting software, cyber risk can be significantly reduced by limiting the ability of staff to access unnecessary areas of your network. By only giving staff relevant permissions to do their jobs, you reduce their ability to inadvertently (or intentionally) do something wrong.
With the proliferation of mobile devices, we need to ensure that users are using them responsibly, so the same security standards must be maintained when working remotely via laptops, tablets and smartphones.
And it doesn’t stop at IT policies. As mentioned earlier, the criminals “follow the money”, so it is vitally important that there are financial policies in place to reduce the risk of accidentally sending money to the wrong place.
For example, a common cyber-fraud, called ‘CEO Fraud’ happens when a criminal, pretending to be the CEO of a business, sends an email requesting a payment be made to a nominated bank account (usually under the pretext of an invoice that has been missed).
In some cases, accounts staff have transferred many thousands of pounds to fraudsters, when a simple process of confirming all financial transaction requests in person, or via telephone, would have identified the fraud straight away.
Finally, a word on Passwords…
It is essential that businesses have stringent password policies in place to protect their data and systems. However, these can often be overly burdensome or complicated.
One controversial aspect of password policies is how often they should be changed…
Something that is worth bearing in mind, when asking people to regularly change their passwords, is that human beings are, for a large part, rather lazy! And, if someone’s password is ‘Tuesday5’, it’s a pretty safe bet that their password the following month will be ‘Tuesday6’, then ‘Tuesday7’, and so on.
So it can be argued that a password policy which requires users to change their password every month, may actually be reducing your level of security.
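As an added illustration (not from the article), here is a password-change check that catches the ‘Tuesday5’ to ‘Tuesday6’ pattern described above. It assumes the change flow has the user’s current password in hand, as it does when the user types it to authorise the change, so old and new values can be compared directly.

```python
import re

# Added example, not from the article: reject a new password that is only a
# small numeric step on from the current one ('Tuesday5' -> 'Tuesday6').
# Assumes the current password is available in plain text at change time,
# because the user has just typed it to authorise the change.

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def _split_stem(password: str):
    """Split 'Tuesday5' into ('tuesday', 5).
    Passwords without a trailing number return (lowercased password, None)."""
    m = _TRAILING_DIGITS.match(password)
    if not m:
        return password.lower(), None
    return m.group(1).lower(), int(m.group(2))


def is_trivial_rotation(old: str, new: str, max_step: int = 5) -> bool:
    """True when the new password is the old one with only the trailing number
    changed by a small amount (Tuesday5 -> Tuesday6, Tuesday7 ...), or the same
    word with a number appended, removed, or only the case changed."""
    old_stem, old_num = _split_stem(old)
    new_stem, new_num = _split_stem(new)
    if old_stem != new_stem:
        return False
    if old_num is None or new_num is None:
        return True  # 'Tuesday' -> 'Tuesday1', or case-only changes
    return abs(new_num - old_num) <= max_step


def check_new_password(old: str, new: str, min_length: int = 12):
    """Return (accepted, reason). Combines a length floor with the rotation
    check, so a monthly-change rule cannot be satisfied by bumping a digit."""
    if new.lower() == old.lower():
        return False, "new password must differ from the current one"
    if len(new) < min_length:
        return False, f"password must be at least {min_length} characters"
    if is_trivial_rotation(old, new):
        return False, "new password is a predictable variation of the current one"
    return True, "ok"
```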
Best practice guidance is constantly evolving as we learn more about how cyber criminals work, so, rather than offering ‘definitive’ guidance here, it is best to check the latest guidance on passwords, and other ways to protect your business, on the government’s “Cyber Aware” website: www.cyberaware.gov.uk
The ‘C’ Word
I.T. is no longer just a business tool: it runs through virtually every aspect of modern business, and many businesses are completely reliant upon it.
The paradox is that, when our businesses are so reliant on data and technology, why do we pay such scant regard for securing it?
Could it be that the very word “Cyber” is turning us off?
In some cases, the mere mention of the word “cyber” causes the non-technically minded to glaze over, dismiss it as “an IT issue”, and leave it to the IT staff to deal with.
At board level, this default cascading of cyber security to the IT department is one of the most significant barriers to achieving cyber resilience in business.
If the “C” word puts you off, think of it as ‘Digital’ Security, and consider:
- Do you understand your digital risks, in the same way as you do your physical risks? Or your legal or compliance risks?
And therein lies the fundamental truth:
The key to protecting your business against cyber-attack is to view the digital risks in the same context as the other risks to your business (and treat it the same way, instead of dismissing it as an IT issue)
If you understand where the digital risks are, how they can affect your business, and what you would need to do in the event of an incident - in exactly the same way as you would for everything else on your risk register - you have taken your first steps to securing your business in the digital age.