Moving targets - putting cyber-crime on the agenda

By James Hurley

Cyber-crime is on the agenda at board level at multinational firms, but what about mid-sized businesses? They are increasingly at risk... 

Boxes piled to the ceilings in packed warehouses, staff resorting to paper and pen to tackle the enormous backlog, and furious customers demanding to know why the vital supplies they ordered weeks ago still haven’t arrived. That was the nightmare scenario that TNT, the delivery company owned by FedEx, endured in June and July.

The Netherlands-based business was merely one among scores of famous names hit by the cyber-attack known as NotPetya, which involved the spread of a virus via a Ukrainian tax software product.

It affected organisations in more than 60 countries, with Maersk, the shipping company, unable to dock and unload containers at some of its ports, while the homepage of WPP, the advertising giant, was downed by the hack.

In the boardrooms of big business, the penny is finally dropping about the scale of the threat. More than half of respondents to a recent government-backed survey of FTSE-350 bosses said that they considered cyber-attacks to be one of the biggest risks they faced, up from 29% in 2014, even if there is still plenty of ignorance and inertia over what to do about it.

But what is the level of awareness of cyber-attacks among Britain’s army of mid-sized businesses? According to digital security company Avast, more than a third (37%) don’t even have a proper system in place to ensure software updates are made in a timely fashion, one of the basics of cyber-security.

What’s more, Node4, a data centre company, says a quarter of mid-market companies lack basic anti-virus protection. Of the organisations that have a security policy in place, only 52% say it is well adhered to by staff.

‘Many mid-market companies believe they aren’t at risk because they aren’t big players,’ warns Steve Nice, Chief Security Technologist at Node4. ‘Cyber-criminals know this and are quick to exploit the fact that so many smaller organisations are complacent. The result is a big rise in the volume, complexity and intensity of attacks on mid-market businesses.’

As well as the risks they face to their reputation and trade from being hacked, there’s an increasing regulatory threat for companies to be wary of. Once new European data regulation laws come into force in May 2018, companies that don’t put adequate protections in place will face hefty fines if their negligence results in the loss of personal data.

One of the key requirements of the General Data Protection Regulation (GDPR) is that should a company suffer a data breach, it must report it within 72 hours. Depending on the value of the compromised organisation, such a breach could result in a fine of €20 million or 4% of global turnover, whichever is greater.

Knowledge is power

Some businesses may not even realise they have been hacked. Node4 research found that as many as 67% of medium-sized companies do not have ‘intrusion detection’ systems in place.

‘Many companies have no idea what data they hold and where it resides,’ says Kevin Chapman, General Manager of the small and medium-sized business division at Avast. It means smaller companies can be a particularly happy hunting ground for hackers who wish to use them as a conduit for targeting their better-known customers.

‘Partners connected to large companies’ IT systems may not have the same level of protection and therefore become the weak link in the chain,’ says Nice. ‘SMEs may not hold the data the criminals are after, but often they are connected to the big players who do.’

Recognising threats

So what are the cyber-threats that medium-sized companies should be most wary of? Some can be surprisingly rudimentary. Nice says he has spotted a rise in ‘spear phishing’ or CEO fraud. ‘A hacker designs an authentic-looking email that claims to be from the CEO of the company, then sends it to a more junior employee with a request for sensitive company information or a money transfer,’ he explains. Simple procedures, such as two senior people having to authorise such transfers, can help prevent such attacks.

Ransomware, where hackers encrypt data, then demand payment to return the system to normal, has become a common threat too. Last year, Avast identified more than 150 ransomware ‘families’ on the Windows operating system alone. Regularly backing-up corporate data to secondary storage devices such as external hard drives can prevent downtime and data loss.

It’s better to stop it happening in the first place, of course. When a cyber-attack using WannaCry ransomware hit 47 health trusts in May, leading to more than 15,000 NHS appointments being cancelled, it was found that basic security updates had not taken place. Many private businesses also fall foul of hackers simply because they do not have malware-prevention tools or the most recent versions of software.

Another emerging area of interest for hackers is in biometric security, which can use facial recognition instead of traditional user names and passwords. Apple, for example, has moved to 3D facial recognition and biometrics. Chapman says there’s no guarantee it will prove any more secure in the long term: ‘Hackers and security experts have already used photos and videos to beat biometric checks. We need to watch this space closely.’

A new front has also opened up by way of the Internet of Things (IoT), which covers millions of devices such as video cameras and set-top boxes. In 2016, an orchestrated hack of such items enabled a huge ‘distributed denial of service attack’ (DDoS) on Dyn, a US company that monitors and routes online traffic. The net result was that people were prevented from accessing some of the world’s most famous websites, including Twitter, Spotify, Netflix, Amazon and PayPal.

‘As more devices connect to the internet we will get more IoT-related hacks,’ warns Chapman. And, as mobile web-browsing becomes more common than desktop browsing, hackers are increasingly targeting smartphone operating systems.

Human error

As well as ensuring they get the basics right, businesses need to check whether there is enough awareness across their organisation of cyber-crime.

‘If managers don’t understand the nature and variety of threats, there’s little chance of creating a security culture throughout a company,’ says Chapman.

‘Staff training is also important as many data breaches start with inadvertent human error. Staff need to be trained and educated about hackers’ common attack patterns, and common mistakes they could make – and, of course, how to avoid them.’

Nice agrees that the ‘biggest internal threat to business is the human element’. He recommends that ‘as a minimum’ mid-sized companies take part in Cyber-Essentials Certification (CEC). This government- and industry-backed initiative recognises companies that have the technology and knowledge to protect themselves.

We spoke with Manu Sharma, Director, Head of cyber-security and resilience about cyber-crime trends 

What trends are you seeing in cyber-crime?

There has been a significant rise in ransomware – where data is encrypted without the organisation’s consent and money is sought to receive a decryption key. It is important that organisations routinely train their staff to be vigilant against ransomware but, as we’ve seen with the Wannacry and NotPetya attacks, despite the best efforts of organisations, malware infections can still disrupt operations. Decryption is tough, so the only solution is to remove the malware from the environment and repopulate with clean data. This can be done if there are regular back-ups, and the completeness and integrity of the backed-up data is validated.

How is the regulatory landscape changing?

We will see an emergence of more regulation around cyber-security as regulators and organisations realise the seriousness of the threat. One of the major regulations affecting organisations on personal data is the General Data Protection Regulation (GDPR), which comes into effect in May 2018.

It brings the potential for punitive fines for non-compliance. The Directive on Security of Network and Information Systems will also be implemented in 2018, covering organisations that deliver essential services to the nation. Failure to adequately protect the systems that support those services or deliver adequate continuity of services may also attract punitive fines. Cyber-security regulation is becoming an integral part of other regulations as it has a wider impact on organisations.

What’s your message to businesses?

The volume, scale, complexity and ingenuity of incidents are increasing. Organisations need to understand the risks to their operations and then put in place appropriate investment, controls and capabilities to face the challenges these attacks create. It is also important to prepare for when a cyber-attack happens so that damage can be minimised.

> To find out more, contact Manu Sharma, Director, Head of cyber-security and resilience 

Discover more about managing your cyber risk and reducing threats to your business Find out more