There has been a significant shift in the methodology used by cyber criminals over the past couple of years, in particular. Whilst traditional ‘hacking’ and malware are still prevalent, there has been a boom in other types of attack, in particular Ransomware and Social Engineering. So, why has this happened?
There is an old saying, “follow the money”, and nowhere is this more pertinent when considering cyber-crimes against business. Look at the number of cyber-attacks over the past 12 months from the Beaming Breaches Report for the UK in May 2017 – the usual cyber-attacks still feature highly:
1. Phishing – 1.3m businesses affected
2. Viruses – 1.28m businesses affected
3. Hacking – 1m businesses affected
However, to understand why these emerging threats are becoming so popular, we need to look at the revenues generated:
1. Ransomware – £7.4bn (388k businesses)
2. Phishing – £5.9bn
3. Social engineering – £5.4bn
Whilst there were more than three times as many instances of Phishing against UK businesses in 2016, when compared to Ransomware, it yielded just 80% of the revenue. So, Ransomware appears to be 20 times more profitable, per incident, than hacking attacks, and five times more lucrative than other forms of Malware. More targeted attacks are, by their nature, a lot more labour intensive but, for the criminal gangs who are willing to put in the effort, the rewards can be huge.
Common cyber security myths
There are a number of myths surrounding cyber security, which are impacting on businesses’ decision-making:
1. Skilled hackers targeting businesses
There is still a perception that there are darkened rooms full of highly skilled hackers targeting UK businesses. If you are a high value target, e.g. a high-profile business, or you are dealing with high value intellectual property etc., then this may be the case. However, against the majority of businesses, the investment required to carry out such attacks just isn’t worth it- after all, skilled labour is expensive! A large proportion of the non-automated attacks are carried out by a relatively low skilled labour force, who simply find a ‘victim’, load a weaponised attachment into an email, and click ‘send’.
2. I don’t have anything that hackers want
Unless you are in the “high value target” category, mentioned above, you may not feel that your business has anything valuable to hackers, or to anyone else outside your organisation. However, the data your business holds is extremely valuable to you. Without data, many businesses could not operate. So, if you lost access to all of your company data, how much would you be willing to pay to get it back? This is why Ransomware is becoming so popular.
3. Cybercrime is an IT issue
The technical safeguards which have traditionally kept us safe are still vitally important. However, as these safeguards become harder to breach, cyber criminals need to get creative, if they want to get into our systems. The beauty of these targeted attacks is that, because they aren’t automated, they don’t always have the indicators which allow them to be detected by anti-virus/anti-malware software, so are more likely to find their way into employees’ inboxes than traditional mass-mailings.
4. It’s someone else’s job
If fraudulent emails get past your IT defences, your staff are the only thing standing between you and a potentially significant loss. Now imagine that the employee in question had no knowledge of cyber-attacks, and believed instead that the IT department were solely responsible for stopping cyber-attacks. The truth is that nothing is 100% effective, so it is everyone’s responsibility to be vigilant. Education, and good business management is just as important to preventing cyber-attacks as the IT infrastructure itself.
Cyber security is not simply an IT issue, and there is no “magic box” to plug in. There are three elements to any system, and cyber security is no exception. Effective cyber security can only be achieved when all three work in harmony.
Technology – your IT ‘estate.’ By ensuring that you have all the necessary IT safeguards in place on ALL your IT assets, including mobile devices, printers, access control systems, CCTV (basically anything connected to your network), you reduce the risk of something getting through. You also need to ensure that these safeguards are regularly updated – the threats are constantly evolving, your systems need to evolve too
People – your staff. A properly briefed, situationally-aware workforce are your last line of defence, should something get past your technical security measures. They need to understand the risks to the business, and their role in preventing cyber-attacks. Training should be done in three strands:
• Training for directors – awareness of the risks, governance requirements etc
• Training for all
• Training for high risk groups – more focused training for people within your organisation who are more especially at risk, e.g. the Accounts department
However, training is not a one-shot deal. This needs to be an ongoing programme of work, with regular refresher and update sessions.
Process – how you let your staff use your IT. Just as you wouldn’t let every employee have access to your banking and accounting software, cyber risk can be significantly reduced by limiting the ability of staff to access unnecessary areas of your network. By only giving staff relevant permissions to do their jobs, you reduce their ability to inadvertently (or intentionally) do something wrong. With the proliferation of mobile devices, we need to ensure that users are doing so responsibly. So, we need to ensure that the same security standards are maintained when working remotely, via laptops, tablets and smartphones.
It doesn’t stop at IT policies. Criminals “follow the money”, so it is important that there are financial policies in place to reduce the risk of accidentally sending money to the wrong place. ‘CEO Fraud’ happens when a criminal, pretending to be the CEO of a business, sends an email to the accounts department requesting a payment be made to a nominated bank account.
In some cases, accounts staff have transferred many thousands of pounds to fraudsters, when a simple process of confirming all financial transaction requests in person, or via telephone, would have identified the fraud straight away
Could it be that the very word “Cyber” is turning us off? The mere mention of the word “cyber” security may cause the non-technically minded to glaze over, dismiss it as “an IT issue”, and leave it to the IT staff to deal with. At board level, this default cascading of cyber security to the IT department is one of the most significant barriers to achieving cyber resilience in business. If the “C” word puts you off, think of it as ‘Digital’ Security, and consider: Do you understand your digital risks in the same way as you do your physical risks? Or your legal or compliance risks?
And therein lies the fundamental truth: The key to protecting your business against cyber-attack is to view the digital risks in the same context as the other risks to your business, and treat it the same way, instead of dismissing it as an IT issue. If you understand where the digital risks are, how they can affect your business, and what you would need to do in the event of an incident – in exactly the same way as you would for everything else on your risk register – you have taken your first steps to securing your business in the digital age.
