A virtual coffee on cyber attacks with Jayson Dudley from Mazars LLP

Cyber attacks are said to cost the global economy £266 billion, affecting more than 800 million people a year and removing 15% to 20% of the value created by the internet.

How many of the points below have you either expressed or heard being discussed in the workplace?

  • ‘Our type of company does not need security; our data would be useless to a hacker’
  • ‘Security is not a priority for us now’
  • ‘It is not worth the expenditure’
  • ‘It hasn’t happened to us yet so I am sure we will be fine’

Consider the following situations:

TalkTalk lost 101,000 customers and suffered costs of £60m due to a cyber attack on the company in October 2015.

Data breaches at Home Depot during both 2013 and 2014 resulted in a total cost of $162 million.

On February 4, 2016, a cyber attack on the central bank of Bangladesh resulted in losses of $81 million and prevented another $850 million in transactions from being processed.

Hackers used SWIFT credentials of Bangladesh Central Bank employees to request the Federal Reserve Bank of New York to transfer nearly $1 billion of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.

This is not something only large organisations are battling; SMEs are too, with the average attack costing businesses £250,000 at a time.

This is a combination of the economic loss directly because of the attack, legal costs, staff costs and loss of business coupled with reputation cost. To a small company this could result in bankruptcy.

To get an insight on the topic of cyber security, I spoke to Jayson Dudley, the Group Chief Information Officer responsible for information security best practices for Mazars LLP.

Q: What do you think are the most vulnerable areas of security for companies currently?

Phishing attacks are one of the biggest issues currently. End users are not on that level yet and because of the way these sites can pick up and disappear overnight they are very hard to block.

Companies need to get into a training regime to catch people clicking on phishing emails. There are campaigns you can then send out to a group of people within your company to test just how successful your training has been.

It is simply a case of getting the person to check the information they have been given. In all the hacks I have seen of late they have started from someone clicking on something or there not being the appropriate level of control within their firm.

This is an example of a phishing attack I received last weekend from “Amazon” (notice the spelling and grammar errors):

Q: What information are you exposing as a company as a result of a phishing attack?

Users hate user IDs and passwords. We ran a test in one of my previous roles: their employees had access to 12 different systems within the company and most of them used the same user IDs and passwords for all 12.

The biggest example of this I have seen was around £35 million being lifted from a company due to CEO fraud. You find that once you have the credentials for one system you tend to have access to the rest.

Q: What areas of security will be most important to companies in the upcoming years?

Two really. Passwords are all well and good but even on my personal accounts I have two-factor authentication. I think two-factor authentication is a big thing; the likes of Microsoft and Google use it currently. More companies need to put this in place.

Sometimes you have to cater for stupid and the best way to do that is to use digital rights management. The data is encrypted and you know it is only going to be opened by the person you send it to. It is all very well saying data is not going to leave the company. It is going to leave the company so you need to make sure it is inaccessible.

The data may not be lost forever but what you can do is prove to that client that the data was inaccessible.

Q: What would be your initial bread and butter advice when initiating a security strategy?

I wrote an article about bent bananas the other day. What I was trying to express is to never take anything on face value. I would say to the end user, if getting info via email or over a phone call do not take it on face value, check it out. Worst case scenario is that you annoy someone by ringing them and asking if they really sent it. If you don’t call, the worst-case scenario is that you lose £35 million like I mentioned previously. A CFO of a company was fired because of this.

I worked for a law firm previously. The firm was dealing with a large global German company. We had filtering on our side which was blocking any emails from this company. It turned out they had an open relay on their email server.

So, I logged onto their server and sent them an email as me from their company and it absolutely scared the pants off them. He rang me almost instantly. I said, “Are you going to tell them or do I?”

This was a huge company based in Germany. It is so easy to spoof email addresses.

Q: When it comes to cyber attacks on financial and legal firms, what do you think they are attacking for?

I have not seen any specific cyber attacks. I used to work for Norton Rose. There was an event that happened (look at Claire Swires) that generated millions of emails. We normally received £600k a month and we got 6 million a month due to this. I do not think there is a great deal of industrial espionage going on. Generally, people are after monetising this stuff as quickly as possible through encryption emails and gaining access to bank accounts.

There is a path of least resistance. There is no point in trying to hack a bank for example because they have so much security in place it is unbelievable. However, I know from experience that you only have to pay somebody in a bank to do something wrong and they will do it for enough money.

If you really want to prevent access to something then you look at your weakest link and that is normally your end users.

Q: What risks are there for a company when receiving phishing emails?

The largest issues are where there aren’t internal checks in place for bank account information. If I were to send an email to someone low on the finance team, such as:

‘I am the Chief Executive, can you transfer this money to this account right now because we are going to lose a deal if not.’

If I do not check with this person first, worst case scenario, we could lose all the money in our bank account. For the smaller companies this could cause them to go bankrupt, they could go to the wall if they do not have the appropriate level of insurance.

The key points to take away from this are the following:

  1. Don’t be stupid. Read important emails once, then again and then double check with the “sender” before acting upon them. It is worth the embarrassment of checking.
  2. Put technology in place which can help prevent these cyber attacks before they get to you. You need to make sure you have this in place across your whole network, especially your mobile phones, which are the weakest part of a company’s network right now.
  3. Make sure when data is lost from your company it is inaccessible, whether that is on a memory stick, laptop or phone. Make sure encryption or remote wiping is in place.

How can you act upon this blog? Talk to the experts in the industry.

Here at Intercity Technology we offer security solutions to ensure your whole environment is secure. We keep up to date with the latest threats by implementing the latest technology so all you need to worry about is simply contacting us.

Up next

The Road to Five Nines

1. What is Five Nines

When used to describe the availability of any system, Five Nines means 99.999%, which is equivalent to no more than about 5 minutes’ worth of unplanned or planned downtime in a rolling 12-month period.

A system with Four Nines availability (99.99%) has no more than about 53 minutes’ downtime over the same period, so Five Nines is about 47 minutes a year better.

2. How to Get Five Nines

High-availability services (with Five Nines) typically have the following attributes.

No single point of failure

In terms of infrastructure, this means for example that service continuity does not depend on any single site, platform, device or connection. In terms of people – in the case for example of managed IT services – there is no dependence on any individual at any time.

Geographic diversity

This means that service is delivered from different places. For example, using data centres located (as a rule of thumb) at least 30 miles (or 50km) apart and providing local access from different telephone exchange buildings, each connected to geographically-diverse core network nodes.

Network resilience

Use of core connectivity provided by different network operators protects against an outage (fault, planned maintenance) in any single operator’s network. Local connectivity provided by different operators or using the same operator’s resilience product avoids disruption arising from any single fault with an operator’s line plant – cabinets or masts, ducts, cables etc.

3. Why Five Nines Costs More

Five Nines reliability is designed into any reputable service, but what is outside of the control of the service provider is any local connectivity between the service and its users on the corporate network or whilst roaming.

Any purchaser of services therefore needs to strike a balance between service performance (user experience, availability) and purchasing cost. The operational importance of any applications running over the connectivity is a decisive factor. For example, if email access is interrupted it’s a nuisance, but if (say) hosted telephony in a contact centre goes down, it is extremely disruptive and frustrating for the affected organisation’s users, customers or constituents.

Matching connectivity to the applications it carries is, therefore, an important risk-based decision. Consider for example the various types of fixed-line connectivity that we provide and their respective monthly availability service levels as set out in Table 3‑1 below.

| Type of Connectivity | Monthly Availability Service Level |
|---|---|
| Broadband, Fibre Broadband | N/A |
| Fibre Ethernet, EoFTTC, EFM – without Broadband backup | 99.9% |
| Fibre Ethernet, EoFTTC, EFM – with Broadband backup | 99.95% |
| Fibre Ethernet with EoFTTC or EFM backup | 99.99% |
| Dual Fibre Ethernet with different tail providers | 100% |
| Dual Fibre Ethernet with same tail provider using their resilience product | 100% |

Table 3‑1 – Managed Data Availability

The key difference between a Four Nines service (Fibre Ethernet with copper-based backup) and the highest-availability services is that the latter use dual fibres. In the UK market, at least for now, fibre is priced at a premium over copper, so to get from Four Nines to Five Nines using fixed-line connectivity, the additional cost of the spare fibre is unavoidable.

One alternative is to take the Four Nines service and put in place a business continuity plan which factors in the reduced service performance available when there is an incident with the fibre. Another alternative is to use our 4G Direct Internet Access (4G DIA) as a back-up, providing a fast mobile data connection (subject to the quality of mobile coverage at the served site).
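The arithmetic behind these service levels, as an added example that is not part of the original article: it converts an availability percentage into a downtime allowance and shows how a service and its access link combine in series, and how a primary and backup link combine in parallel. It assumes a 30-day month and statistically independent failures; real links that share ducts or exchanges are not independent, which is why the diversity requirements above matter.

```python
# Added example: availability arithmetic for the service levels in Table 3-1.
# Assumption: component failures are statistically independent.
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60
MINUTES_PER_MONTH = 30 * 24 * 60  # 30-day month (assumption)


def downtime_minutes(availability_pct, period_minutes):
    """Maximum downtime permitted in a period at the given availability."""
    return (1 - availability_pct / 100) * period_minutes


def series(*availability_pcts):
    """All components must work, e.g. hosted service AND access link."""
    return 100 * prod(a / 100 for a in availability_pcts)


def parallel(*availability_pcts):
    """Any one component suffices, e.g. primary link OR backup link."""
    return 100 * (1 - prod(1 - a / 100 for a in availability_pcts))


# Monthly service levels copied from Table 3-1
TABLE_3_1 = {
    "Fibre Ethernet, EoFTTC, EFM - without Broadband backup": 99.9,
    "Fibre Ethernet, EoFTTC, EFM - with Broadband backup": 99.95,
    "Fibre Ethernet with EoFTTC or EFM backup": 99.99,
}


def report(service_pct=99.999):
    """Per link type: (name, SLA, monthly downtime budget, end-to-end %)."""
    return [
        (name, sla, downtime_minutes(sla, MINUTES_PER_MONTH),
         series(service_pct, sla))
        for name, sla in TABLE_3_1.items()
    ]


if __name__ == "__main__":
    for pct in (99.99, 99.999):
        mins = downtime_minutes(pct, MINUTES_PER_YEAR)
        print(f"{pct}% -> {mins:.1f} min/year")
    for name, sla, mins, e2e in report():
        print(f"{name}: {mins:.1f} min/month, end-to-end {e2e:.4f}%")
    print(f"Two independent 99.9% links: {parallel(99.9, 99.9):.4f}%")
```

The series result shows that a Five Nines platform reached over a 99.9% link is, end to end, only about a Three Nines service for that site.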

4. Intercity – Our Five Nines Capability

Our network has no single point of failure, is geographically diverse and is resilient, as illustrated in Figure 4‑1 below.

Figure 4‑1 – Intercity Network

In the UK, the main hub of the Internet is Telehouse North (THN) which is the primary home of The London Internet Exchange connecting over 850 autonomous systems from over 80 countries. Our network includes connectivity between this site and our new data centre in Birmingham. In addition, our Bolton data centre is connected to Equinix MA1 in Manchester, which is the most important network node outside of London, providing geographic resilience which is not dependent on London Docklands. A layer 2 private transit connection also connects between THN and MA1.

Data centres

Our data centres are built to Tier 3 specification, each supporting 99.98% uptime, a target which has never been breached, with no outages in the last 3 years.

Multiple carriers

We deliver services using connectivity from a number of different carriers and this includes the external connectivity and interconnects used within our network. Our Birmingham data centre is served by fibre from a Tier 1 carrier, whilst at Bolton our connectivity partner is a different Tier 1 carrier. This multi-carrier approach, using separate networks, guards against an incident affecting any single carrier.

Our network is configured to fail-over automatically via its internal interconnects, provided by three different Tier 1 carriers, each with their own network.

Service delivery from active/standby platforms monitored 24/7

Our Touch portfolio of cloud services, providing telephony, computing and firewall, is delivered from dual platforms hosted in Birmingham and Bolton.

For example, a customer’s firewall (Touch Secure) service can be delivered primarily from Birmingham, with Bolton on standby or vice versa. This means there is no reliance on a single data centre for continuous security service availability.

We monitor our service delivery platforms and network connectivity from our Intercity Secure Operations Centre (ISOC) which is based in the same buildings as our data centres and manned round the clock.

The ISOC also provides our managed IT services, maintaining, monitoring and managing our customers’ networks, providing a managed service desk and remote support.

Advice on how many nines you need

You are best placed to understand the importance of any applications used within your organisation and the financial impact of any service interruption. We can help by advising on the various means of service delivery and setting realistic expectations about their respective availabilities.

You are then best placed to decide on the number of nines you need.