The headlines have been dominated by scary statistics like ‘Cyber Crime Costs the UK between £18bn and £27bn a year’ and ‘93% of large organisations and 87% of small firms were targeted in 2012’. But what is the cause of these cyber crimes, and how can businesses combat them? Chris Evans reports
A fascinating but frightening recent survey by KPMG highlighted how easily cyber criminals can get at a company’s vital data, walking away with millions of pounds and/or crucial secret information.
“The bad guys can simply get this information from corporate websites. All they have to do is download basic documents on the site, often produced by the marketing department, and look at the metadata within them,” explains Martin Jordan, head of Cyber Response at KPMG.
“These contain the internal user names, email addresses, and the software and IP address of the server. Hackers simply combine all this information into a targeted phishing email.”
These phishing emails are the weapon of choice for many cyber criminals. They come in many guises (e.g. a link named after a document taken from the corporate website, a parcel-delivery notice with “invoice details” attached, a message from someone purporting to be a business contact), but the result is always the same.
As soon as the recipient clicks on the link, it executes code that the anti-virus software and firewall do not stop. The compromised computer then calls back out to the internet. Because that connection is started from the inside and looks like ordinary web browsing, the internal firewalls let it through and have no way of knowing it is malware operating as the user. At that point the attacker can do whatever he likes on the computer.
“To counter this threat, companies need to do intelligence gathering of their own. They need to identify the risk areas, what is causing the problems, try to combat them, educate the staff about computer use, and put the necessary preventative measures in place.”
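Checking your own published documents for exactly the fields Jordan describes is the cheapest piece of intelligence gathering a company can do. The script below is an added example written for this page, not KPMG’s tooling: it builds a minimal .docx in memory (the employee name, domain and company in it are invented), lists the author, last editor, application build and template recorded in docProps/core.xml and docProps/app.xml, and writes a scrubbed copy with those elements removed. It uses only the Python standard library.

```python
"""Audit and scrub the metadata of OOXML documents (docx/xlsx/pptx) before they
are published on a website.

Added example: the sample document is constructed in memory and the names in
it (jsmith, ACME, Acme Widgets Ltd) are invented. Standard library only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_DCTERMS = "http://purl.org/dc/terms/"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Keep the original prefixes when the parts are re-serialised.
for _prefix, _uri in (("cp", NS_CP), ("dc", NS_DC), ("dcterms", NS_DCTERMS),
                      ("xsi", NS_XSI), ("", NS_EP)):
    ET.register_namespace(_prefix, _uri)

# Elements (local names) that tell an attacker who wrote the document, how the
# organisation names its accounts, and which Office build to target.
SENSITIVE = {"creator", "lastModifiedBy", "Application", "AppVersion",
             "Company", "Manager", "Template", "HyperlinkBase"}

# Constructed docProps parts, as Word writes them.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}" xmlns:dcterms="{NS_DCTERMS}" xmlns:xsi="{NS_XSI}">
  <dc:title>Q3 Product Brochure</dc:title>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>ACME\\jsmith</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-05-01T09:12:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2013-05-03T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS_EP}">
  <Application>Microsoft Office Word</Application>
  <Company>Acme Widgets Ltd</Company>
  <Template>AcmeMarketing.dotm</Template>
  <AppVersion>14.0000</AppVersion>
</Properties>"""


def build_sample_docx() -> bytes:
    """Constructed minimal package; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"><w:body/></w:document>')
    return buf.getvalue()


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_metadata(doc: bytes) -> dict:
    """All text-bearing properties from docProps/core.xml and docProps/app.xml."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)):
                if el.text and el.text.strip():
                    meta[_local(el.tag)] = el.text.strip()
    return meta


def leaked_fields(meta: dict) -> dict:
    """The subset of the metadata an attacker would use for a targeted phish."""
    return {k: v for k, v in meta.items() if k in SENSITIVE}


def scrub_docx(doc: bytes) -> bytes:
    """Copy the package, dropping SENSITIVE elements from the two docProps parts.
    Every other part (document body, styles, media) is copied byte for byte."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                for el in list(root):
                    if _local(el.tag) in SENSITIVE:
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", leaked_fields(extract_metadata(sample)))
    print("after: ", leaked_fields(extract_metadata(scrub_docx(sample))))
```

The same two parts exist in .xlsx and .pptx packages, so the scrubber works on those unchanged; PDFs keep the same kind of information in the Info dictionary and XMP stream and need a different parser. Run it over every file the web server serves before it goes live, and treat any hit as a phishing pretext the company has just handed out.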
This advice now applies as much to SMEs as it does to FTSE 350 companies. The UK Government’s Department for Business, Innovation and Skills’ 2013 Information Security Breaches Survey highlighted a 10% increase in the number of small businesses suffering a data breach, with a whopping 86% confirming they had been hacked in the past year.
Any company selling goods online is particularly at risk, but smaller organisations in the car manufacturing, aerospace and engineering sectors are equally targeted for intellectual property, such as blueprints of new products.
“Several consumer products are coming out with relatively poor security on them. Things like Bluetooth connections with, at best, a four-digit PIN,” says Hugh Boyes, the Institution of Engineering and Technology’s cyber security expert. “The problem is SMEs are struggling to make ends meet, and don’t have the money (or time) to pay hundreds of pounds in IT support.”
This is where the FTSE 350 have the advantage. Many of them have IT divisions, and some have specialist teams, such as BAE’s cyber and security division, Detica, which condenses clients’ data down, analyses it, and identifies key risks.
“We help organisations understand the specific monetary risk of IP data and sensitive information. That is vital to get the right decisions made by the boardroom, which filters down to the IT department,” says David Bailey, Detica’s Chief Technology Officer for Cyber Security.
Assessing the goings-on in the IT department is extremely important. Many IT staff at FTSE 350 companies were found to be posting inner secrets about companies and clients on newsgroup forums and chat rooms, the KPMG study showed. “They’d be saying things like ‘I’m developing this or that for Client X, can’t get Java to work, should I patch it up with this version using this password?’,” says Jordan.
Similar problems arise on social media, where employees have been known to freely divulge information about their companies without realising the severity of their actions. This is why it is important that companies have a strict policy on social media usage, and that staff are trained on the dos and don’ts within the workplace, as well as on how to react if a computer is compromised.
Ensuring that all devices are secure is also extremely important, particularly mobile devices. The lines between personal and professional technology, and between home and office, are blurring. Increasing numbers of organisations are allowing employees to use smartphones and tablets for work and to access sensitive information on the move. This can save money and increase efficiency, but it also exposes the organisation to the risk of devices being stolen and to the dramatic rise in malware targeting mobile devices. Unfortunately, a YouGov survey found that employees are unaware of or apathetic about the risks.
“It is essential that IT specify which platforms will be supported and how; what service levels a user should expect; what the user’s own responsibilities and risks are; who qualifies; and that IT provides guidelines for employees purchasing a personal device for use at work,” insists David Willis, vice president and analyst at technology research company Gartner.
Overall, companies need to make sure the controls they’ve got in place (anti-virus, firewalls, etc.) are working and up to date to detect known threats. Then they need to make sure they are producing data that gives visibility of what’s happening on the internal network, assess what access external suppliers have to the company’s data, and perform regular security monitoring, Bailey stresses. “But also accept that a compromise is going to happen and have an instant plan in place, from the boardroom down, and ideally have insurance to cover the costs.”
The government also provides advice and support for small businesses in its cyber guidance document (https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know), and the Technology Strategy Board has extended a scheme allowing SMEs to bid for up to £5,000 to improve their cyber security by bringing in outside expertise.