It’s not just the big boys that get caught out

It's not just the big boys that get caught out

It’s not only the big boys – Tesco, Talk Talk, Google, Camelot, PayAsUGym, Yahoo – that get caught out by cyber attacks, but also the small, medium size companies and organisations.

The Bellevue Place Education Trust, a Trust covering a chain of seven state primary schools in London and the South East, recently had their system infected with a virus that could have destroyed their financial records. The virus was removed after the trustees paid a “ransom” of hundreds of pounds.

The end that the criminals seek is to enhance their financial position and they will employ any means to achieve their end. Stealing and selling financial information, hacking personnel bank accounts, extortion and in this case blackmail. No opportunity is left unturned. No weakness left unexploited.

Beaming, an internet service provider, estimates that last year the average firm was subject to a cyber attack nearly 230,000 times. A mind boggling figure that will grow exponentially as technology advances and threat that cannot be ignored.

The Government has now launched the National Cyber Security Strategy and established the National Cyber Security Centre. Both initiatives are to be welcome and their protective nature is to be applauded.

The EU has adopted a different approach, which the British Government supports and intends to adopt, and that is the obligation being placed upon companies and organisations to report successful hacking incidents upon the data that they hold. This will be enforced with potential fines of 4% of world-wide turnover or a 20 million euro fine for failing to report successful hacks. The size of the punishment emphasises the seriousness with which the authorities view the threat.

In June 2017 the Chinese are going one step further with penalties up to and including imprisonment or the death penalty. Foreign companies doing business in China will be required to localise any data that may contain sensitive privacy data or state secrets, failure to do so may result in fines for organisations or civil and criminal penalties.

It would be easy for SME’s to shrug their shoulders and dismiss the matter as not an issue that will affect them. The optimism is to be lauded, if not admired, but it is an indication of a fool’s paradise.

The scale of the threat to small businesses cannot be underestimated with an estimated seven million cyber-crimes a year, at a cost of some £5.3 billion. With potential fines of £52 billion for cyber security breaches in 2018, for small to medium size enterprises, the pressure is on and the viability of many SME’s is under threat.

Estimates of up to 60% of incidents indicate that internal threats are equally concerning. A malicious attack from a disgruntled (former) employee, poor security practices, pathetic passwords, fake invoices and attachments, or poor induction training for new employees who inadvertently open an attachment that lets loose a malware virus.

It is estimated that the cost of a breach could be between £75,000 and £320,000. RSA research shows that 28% of SME’s would go out of business if they were faced with an unexpected (extortion) of £50,000.

The reality is that we are all at risk and cyber-crime is growing exponentially. The organised crime gangs are sophisticated, fast moving, technologically adept, flexible, cash rich and unobstructed by committee structures, protocols or sclerotic decision making. So they are able to make real time decisions and they are currently several steps ahead of both the regulators and the intended targets – us, corporately and individually.

“Hello, I’m from Microsoft and we have noticed that your computer is slow. Please switch it on and I’ll show you how to fix it”.

“Please call this number to claim your Euro prize”.

“We note that your payment account details are out of date. Please check and update them on the link below”.

For the individual the answer is to apply common-sense and extreme caution. For SME’s and larger enterprises the answer is not to believe it will not happen to me but to seek help and guidance on how to prevent cyber attack and how to respond quickly if you are hit. In doing so you, will improve the resilience of your business and put in place continuity plans to return your operations to business as usual as quickly as possible after a cyber event.

Be Aware. It could be you.

Richard Barnes