The 'E-crime' Home Affairs Report sent shockwaves throughout the UK business-world this summer, with the conclusion that Britain's struggle in the fight against cyber-crime now considered a bigger threat to the nation than nuclear war. Lifeline IT founder and director Daniel Mitchell analyses what the real risk is and what companies, large and small, can do to protect themselves.
When the e-crime Home Affairs Report hit the headlines this summer, you could almost hear a nervous intake of breath from the business community. It had taken 10 months to reach the findings of the report, with testimonies from the police, security authorities and businesses themselves.
We have all come a long way since the seventies when cybercrime was seen as a 'tiny threat' because people simply did not have computers. Now however, it is conservatively estimated that there is a 77 per cent ownership of PCs and laptops.
And with the creation of the World Wide Web in 1991, which by its very nature has been designed for easy use, came something that has had an effect on all of our working lives – criminals included. If more or less everyone has a computer and most businesses have an IT structure, many crimes could be defined as having some type of e-criminal element, even if all the criminal did was look at a website.
That aside, the committee says cybercrime is now regarded as a Tier One threat to the UK - that's a higher category than nuclear war. And worryingly, Commissioner Leppard of the City of London Police told the Home Affairs Committee "We are not winning the war on cybercrime."
In fact it heard that there are now an estimated 1,300 organised cybercrime groups in existence and that 25 countries predominantly target the UK for cyber-attacks.
The committee also heard that the cost to the UK of e-crime is estimated at £27 billion, a figure that is disputed by many as too high. For example, The British Retail Consortium puts it around the £205 million mark, while Norton security claims 12.5 million people have been the victims of cyber crime in the past year, averaging out as £144 per victim or £1.8 billion in total.
80 per cent of cyber-attacks could be avoided
All of this, of course sent alarm bells ringing, but what is also interesting and what hasn't been so widely reported is the committee's findings that 80 per cent of cyber-attacks could be stopped through basic risk management. That was the evidence of GCHQ. Lifeline IT conducts its own annual 'IT Trends' survey and its findings support those of the committee. Its survey revealed that 60 per cent of companies admitted they felt unprepared to tackle cyber-crime, with those most at risk being SMEs.
But that figure could be even higher, since the Home Affairs Committee heard that many companies do not even know they are victims because of the rise in e-crimes based on stealing small amounts from multiple targets. In fact, businesses reading this may well be victims of e-crime themselves but are not aware they are because the amounts of money involved are negligible. The report called this the 'black hole', where low level e-crimes are committed undetected because they are high volume but low in individual monetary terms.
Putting customers at risk
But, whether it's money, intellectual property or commercially sensitive information, it's not only about stealing from companies. If customers are involved, they could also be at risk and that is another responsibility for businesses. We advise a huge number of our financial and retail clients on how to build their IT infrastructure securely and it is something that you need to re-visit frequently because e-criminals are constantly creating new ways to get into your systems.
An investigation by the Information Commissioner's Office (ICO) revealed alarming lapses in security around data removal from hard drives that had been sold or passed on by companies and individuals. The investigation analysed the amount of data left on computers, laptops and other mobile devices. It found information about employees, their companies and clients, including personal health and financial details.
Whilst the organisations involved were only given warnings and asked to tighten up IT security, other companies may not be so lucky – breaches of the Data Protection Act can result in a fine of hundreds of thousands of pounds. Under the UK Data Protection Act, companies are responsible for all data they receive, from the moment they acquire it to the second it is destroyed.
It can be catastrophic if e-criminals get into your database. When cyber thieves hacked the financial details of 23,000 Sony customers, it cost them $172 million (£108 million) and a nine per cent drop in share price before it was put right.
Getting back to basics
What is very apparent from the report is that many companies are not even taking basic precautions. So how do you stay ahead of the cyber-criminals? I've outlined the key steps that businesses can take to protect themselves:
Get the right support
As fellow IT professionals, I know you'll agree with this one. It makes so much sense when you've invested in IT to make sure you have the right support in place. We find that companies are now embracing technology rather than seeing it as a necessary business function, and the rise in mobile and flexible working has created an even greater demand on services.
Whilst being economically prudent and limiting overheads makes sound like business sense, cutting corners on technology as highlighted can threaten security and cost companies thousands in legal fines.
From a financial perspective, outsourcing IT is often the most cost effective route - employing an internal IT team can be up to three times as expensive as using an external supplier. Outsourcing IT also adds a highly flexible resource to an organisation - unlike any internal alternative, it is easily switched on and off, and grown or shrunk, which is an attractive advantage for SMEs.
Businesses need to keep themselves up to speed with what's happening in the IT world. Make sure you're aware of what's happening in your own organisation and amongst your employees – the growth in mobile communications and BYOD means that the majority of staff may be carrying confidential company data (such as emails, contact details) in their pocket via a PDA. It's also a case of being e-crime aware and on your guard. Do you know what 'clickjacking' or 'phishing' is? If not, get researching.
Identify critical systems
Identify the IT systems that are crucial to your business, so a recovery plan can be put into place to retrieve information in emergency situations. Which critical data do you need to keep operating, should a disaster happen? This critical data needs to be stored in a central location that can be accessed quickly – there's no point holding it on a server or USB disk if no-one can get to this in an emergency. Central to that should be a recovery plan in case of hacking for both yourself and your customers.
Know the risks
The obvious risks are accidental, for example, hardware failure or damage from a flood, fire or theft as well as e-crime. A company can be at risk from its own employees, often unintentionally. Flexible working now means the divide between home and office is blurred – employees could be using a shared family PC that does not have the same IT safeguards in place as a work computer.
Even systems designed to secure information can be vulnerable to security lapses – for example, passwords are often written down and left in unsafe places. But more on passwords later. Workers are frequently travelling around the world with highly confidential information on their laptops, PDAs and tablet devices that can be misplaced or stolen. Every week, nearly 1,000 business laptops go missing at Heathrow airport, of which only half are recovered, according to Dell.
Establish a recovery path
You need to plan your recovery scenario in case there is a malfunction in your IT systems. Plan for all potential emergency situations and consider different options for backing up your critical system data. Many companies are now choosing to back-up certain data online, as well as using back-up tapes, which enables business critical information to be accessed quickly from any location.
IT security policy
Companies underestimate the importance of having an IT policy – it should be a set of guidelines that all staff understand and buy into. Your policy must be concise to ensure it is read and understood - a couple of pages are often sufficient. Ensure employees adhere to it, both inside and outside the office. Review your security on a monthly basis - cyber-criminals act quickly and so must you.
Getting back to basics is crucial. In our latest survey we discovered that one in five companies had used the word 'password' as their 'password'. You might as well just keep the office doors unlocked. The research also revealed that over a third admitted using their date of birth as part of their password, a further 15 per cent use a family member's or friend's name, with 13 per cent using a family member's or friend's birthday.
Other findings from the Lifeline IT survey showed that a third store their passwords in their mobiles and seven per cent with instructions that came with their PC or laptop.
Password protection is vital
As we've seen, passwords can actually be a company's security downfall. In fact password protection is the lynchpin of security and can save you thousands of pounds, which is why it warrants more detailed advice. We know that even strong passwords are becoming vulnerable to hacking, due to factors such as re-use, advances in hardware and software used to crack passwords, and non-random distribution of characters.
Inadequate password protection could result in billions of pounds of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies compromised by attacks. Organisations need to establish better password security policies - a lack of rules regarding password expiration, minimum length, use of the full symbol set, and password resets can leave systems vulnerable and this needs to be strengthened.
How to ensure good password practice
It helps to understand that common attempts to 'break passwords' rely on dictionary based attacks, 'brute force' sequential character attempts or most likely a combination of the two with specialist software. To defend against brute force attacks, longer passwords are needed, changed with reasonable regularity (perhaps every couple of months or so). To defend against dictionary attacks, passwords should be free from so-called 'dictionary words', such as names and places.
Therefore, the best passwords should consist of a random set of upper and lower case letters, symbols and numbers, but avoid very obvious substitutions, such as "pa$word" or "pa55word". Aim for a minimum of eight characters for most purposes, but consider using longer, more complex passwords to protect really sensitive information. Finally, use different passwords for different applications.
It's always a challenge coming up with something complex and memorable. You can try starting with first letters from words of a phrase, book title or movie then mix in a couple of symbols and numbers. Consider hp(atooTP)5 - it looks complex, but if your favourite book happened to be Harry Potter and the Order of the Phoenix (the fifth book in the series) then this can be both secure and easily remembered, especially with the addition of the two bracket symbols.
Remember also that alternative methods are frequently used to attempt to learn passwords, including 'phishing' type attacks, where emails are sent purporting to be from a bank or other service provider. These try to trick victims into providing user names and passwords on a convincing but phoney version of the actual provider's site. Always be sure you are on a genuine site by entering the website address directly into your browser address bar, rather than clicking links in emails.
How IT can protect ourselves and our businesses
While the recent e-crime report has raised some very serious concerns around IT security, it's important not to lose sight of the great benefits that technology has brought, enabling far more efficient working and increased flexibility. This can be seen in the results of our annual IT trends survey, which looked at how organisations are using technology to enhance their businesses, and the opportunities and threats this presents.
Companies from a range of sectors, including finance, retail, education, government and banking, took part in the poll and it's interesting to see how technology usage has shifted over the last few years. Not surprisingly, nearly two-thirds said the fax was the technology they used the least, with printer usage also declining as more businesses attempt to reduce their carbon footprint and costs.
How we work has also changed. Although the office is where the majority of workers are based, nearly half of those questioned (43 per cent) spend a substantial amount of time on the road, working remotely. This supports the increasing use of mobile devices - our research showed that smartphones (44 per cent) are starting to overtake landlines (41 per cent) in the workplace, backing up the global prediction that shipments of smartphones should exceed one billion this year. Tablets are also becoming more commonplace in business, with almost a quarter of those surveyed saying they regularly use this device.
Mobile devices are great way of enabling flexible working, but they also bring with them risks. Again, it's often individuals who fall short of some of the basic IT security measures. There's no point having belt and braces protection on your work PC or laptop if you're connecting to public wireless networks with unknown security. Another concern when it comes to mobile devices is that it is easy for them to be stolen and, because of their limited processing capabilities, the encrypting solution employed may not be as strong as their counterparts on the desktop.
Home working was another area that the Lifeline IT business survey looked at, with well over a quarter of us now working from home on a regular basis. Although home working has undoubtedly brought many benefits to both employers and employees, it now means the divide between home and the office is blurred, and workers could be using a shared family PC that does not have the same IT safeguards in place as a work computer, which can be a concern.
One of the encouraging findings of our survey was that organisations are now acknowledging the importance of IT and technology, with over half rating it as essential. Companies are even embracing social media as part of their business operations, with LinkedIn being regularly used by 86 per cent of those surveyed, and a further 84 per cent using Twitter and 76 per cent Facebook.
IT security is an area of concern for companies. Seven out of 10 ranked it as crucial and more than three-quarters admitted they won't cut corners when it comes to investing in security measures such as firewalls and anti-virus software. It's a step in the right direction to see that businesses are placing greater importance on the role of IT, as 2013 is continuing to bring some major advancements in technology, with the expansion of 4G across the UK and password security being tightened up - even heading further into the sphere of biometrics.
Fast-changing technology can be challenging for companies - in fact three-quarters of those questioned in our research admitted that they think IT has become more confusing over the last five years, with over half saying they need more help with it. This is supported by the fact that an increasing number of businesses choose to outsource their IT - over a third of companies in the poll are now using external IT companies to manage their systems and infrastructure. That's a trend we have seen over the past few years.
As the Sony example demonstrates, businesses who think small when it comes to IT could be seriously jeopardising themselves and their business.
Time to act
So where do you start? A good initial step is to check whether small amounts have gone missing in your own transactions or those of customers, to ensure that a cyber-thief isn't already in your system.
You should then review all the technology you use and how you use it. Our trend survey showed that 44 per cent of people use their smartphone rather than a landline for work. Do you have a policy for that? Is there sensitive information on it? What happens if it gets lost?
Using a little common sense and IT know-how, we can start to win the war on e-crime.
Daniel Mitchell is a founder and director of Lifeline IT, a network support company which develops and manages IT infrastructure for a range of companies.