Cyber attacks are said to cost the global economy £266 billion, affecting more than 800 million people a year and removing 15% to 20% of the value created by the internet.
“removing 15 to 20 per cent of the value created by the internet.”
How many of the points below have you either expressed or heard being discussed in the workplace?
- ‘Our type of company does not need security; our data would be useless to a hacker’
- ‘Security is not a priority for us now’
- ‘It is not worth the expenditure’
- ‘It hasn’t happened to us yet so I am sure we will be fine’
Consider the following situations:
TalkTalk lost 101,000 customers and suffered costs of £60m due to a cyber attacks on the company in October 2015.
Data breaches at Home Depot during both 2013 and 2014 resulted in a total cost of $162 million.
On February 4, 2016, a cyber attack on the central bank of Bangladesh resulted in losses of $81 Million and prevented another $850 Million in transactions from being processed.
Hackers used SWIFT credentials of Bangladesh Central Bank employees to request the Federal Reserve Bank of New York to transfer nearly $1 billion of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.
This is not just something that large organisations are battling but SME’s also with the average attacks costing businesses £250,000 at a time.
This is a combination of the economic loss directly because of the attack, legal costs, staff costs and loss of business coupled with reputation cost. To a small company this could result in bankruptcy.
To get an insight on the topic of cyber security, I spoke to Jayson Dudley, the Group Chief Information Officer responsible for information security best practices for Mazars LLP.
Q: What do you think are the most vulnerable areas of security for companies currently?
Phishing attacks are one of the biggest issues currently. End users are not on that level yet and because of the way these sites can pick up and disappear overnight they are very hard to block.
Companies need to get into a training regime to catch people clicking on phishing emails. There are campaigns you can then send out to a group of people within your company to test just how successful your training has been.
It is simply a case of getting the person to check the information they have been given. In all the hacks I have seen of late they have started from someone clicking on something or there not being the appropriate level of control within their firm.
This is an example of a phishing attack I received last weekend from “Amazon” (notice the spelling and grammar errors):
Q: What information are you exposing as a company as a result of a phishing attack?
Users hate user id’s and passwords. We ran a test in one of my previous roles, their employees had access to 12 different systems within the company and most of them used the same user IDs and passwords for all 12.
The biggest example of this I have seen was around £35 million being lifted from a company due to CEO fraud. You find that once you have the credentials for one system you tend to have access to the rest.
Q: What areas of security will be most important to companies in the upcoming years?
Two really. Passwords are all well and good but even on my personal accounts I have two factor authentication. I think two-factor authentication is a big thing, the likes of Microsoft and Google use it currently. More companies need to put this in place.
Sometimes you have to cater for stupid and the best way to do that is to use digital rights management. The data is encrypted and you know it is only going to be opened by the person you send it to. It is all very well saying data is not going to leave the company. It is going to leave the company so you need to make sure it is inaccessible.
The data may not be lost forever but what you can do is prove to that client that the data was inaccessible.
“It is all very well saying data is not going to leave the company. It is going to leave the company”
Q: What would be your initial bread and butter advice when initiating a security strategy?
I wrote an article about bent bananas the other day. What I was trying to express is to never take anything on face value. I would say to the end user, if getting info via email or over a phone call do not take it on face value, check it out. Worst case scenario is that you annoy someone by ringing them and asking if they really sent it. If you don’t call, the worst-case scenario is that you lose £35 million like I mention previously. A CFO of a company was fired because of this.
I worked for a law firm preciously. The firm was dealing with a large global German company. We had filtering on our side which was blocking any emails from this company. It turned out they had an open relay on their email server.
So, I logged onto their server and sent them an email as me from their company and it absolutely scared the pants off them. He rang me almost instantly. I said are you going to tell them or do I.
This was a huge company based in Germany. It is so easy to spook email addresses.
Q: When it comes to cyber attacks on financial and legal firms, what do you think they are attacking for?
I have not seen any specific cyber attacks. I used to work for Norton Rose. There was event that happened (look at Claire Swires) that generated millions of emails. We normally received £600k a month and we got 6 million a month due to this. I do not think there is a great deal of industrial espionage going on. Generally, people are after monetising this stuff as quickly as possible through encryption emails and gaining access to bank accounts.
There is a path of least resistance. There is no point in trying to hack a bank for example because they have so much security in place it is unbelievable. However, I know from experience that you only have to pay somebody in a bank to do something wrong and they will do it for enough money.
If you really want to prevent access to something then you look at your weakest link and that is normally your end users.
Q: What risks are there for a company when receiving phishing emails?
The largest issues are where there aren’t internal checks in place for bank account information. If I were to send an email to someone low on the finance team, such as:
‘I am the Chief Executive, can you transfer this money to this account right now because we are going to lose a deal if not. ‘
If I do not check with this person first, worst case scenario, we could lose all the money in our bank account. For the smaller companies this could cause them to go bankrupt, they could go to the wall if they do not have the appropriate level of insurance.
The key points to take away from this are the following:
- Don’t be stupid. Read important emails once, then again and then double check with the “sender” before acting upon it. It is worth the embarrassment of checking.
- Put technology in place which can help prevent these cyber attacks before they get to you. You need to make sure you have this in place across your whole network, especially your mobile phones which is the weakest part of a company’s network right now.
- Make sure when data is lost from your company it is inaccessible, whether that is on a memory stick, laptop or phone. Make sure encryption or remote wiping is in place.
How can you act upon this blog? Talk to the experts in the industry.
Here at Intercity Technology we offer security solutions to ensure your whole environment is secure. We keep up to date with the latest threats by implementing the latest technology so all you need to worry about is simply contacting us.