UK firms failing on cyber security

According to all the evidence, UK firms are still failing to take basic precautions against cyber attacks. This often includes crucial basic procedures such as teaching employees about cyber security and consistently backing up mission-critical or customer-sensitive data.

A recent government report states that two-thirds of large UK firms have been hit by a cyber attack. At the same time, the UK's Open University reports that, despite the prevalence of cyber attacks and the growing scale of the threat, only 17 per cent of UK firms have cyber security training in place for their staff.

Lack of awareness due to widespread ignorance

This lack of awareness is partly the result of widespread ignorance regarding the nature of cyber crime. High-profile cases such as TalkTalk reveal only the tip of an iceberg of cyber crime. Few companies which have suffered a loss care to admit to it for fear of worrying investors or losing the confidence of their customers. Reporting of cyber attacks is not yet obligatory and few firms wish to openly reveal their failings in this direction. So those cyber attacks which generally are reported tend to be of the less serious and less sinister variety. Often, the stolen data appears to have been obtained by amateur hackers, contributing to the hugely out-of-date stereotype of the hacker as a pimply teenager working from his bedroom without parental consent.

The reality is that cyber crime is increasingly dominated by organised criminal groups which are often based overseas. The fact that cyber crime is committed over the Internet makes it hard to trace and therefore almost impossible to police. Local police forces in the UK are frequently baffled when confronted with a report of a cyber crime conducted against a local organisation which may have been directed from another country while orchestrated in a third. International policing groups such as Interpol are already overstretched and lack the resources to tackle cyber crime on its current scale.

Bent on maximising their profits, criminals are now largely focusing their attention on companies rather than individuals, as in the recent Bangladeshi Bank hack, where $81 million was captured by exploiting the SWIFT banking system. A frequent and largely unreported form of cyber crime involves the use of ransomware, malicious software designed to encrypt mission-critical information, effectively locking out the data's legitimate owner. The target organisation is then asked for a payment in the form of a ransom. According to anecdotal evidence and cyber industry reports, the sums involved in the ransom demands have been increasing dramatically over recent months. The reason these crimes often go unreported is that few firms wish to admit that they have effectively lost large sums of cash through carelessness, as the financial damage from dealing with such attacks and the damage to their reputation far outweighs the cost of paying the ransom itself.

In most cases, companies can avoid becoming victims of cyber crime by taking logical steps to protect their data, which should be constantly backed up in a secure fashion. It is also absolutely essential that companies train their staff to follow security procedures. This involves not only being wary of opening attachments which may contain malware, but also being wary of releasing restricted information, pass codes or large sums of cash in response to an email or phone call or to a combination of both. Cyber criminals often obtain the contact details of employees in order to send multiple communications to a targeted employee. As these can all be constructed in such a way as to appear to come from legitimate sources, employees who do not cross-check their veracity risk handing over the entire corporate database to the cyber criminals.

Most cyber crimes are simply confidence tricks

While no company wants its staff to be deliberately obstructive, international cyber crime relies on trust. In fact, most cyber crimes are simply old-fashioned confidence tricks which happen to be conducted via modern electronic communications. Any member of staff receiving an even slightly unusual request from a superior via email should know that it is their duty to verify the source of the request. Simply glancing up at the email address from which the message came and guessing it looks about right is no longer enough. Criminals spoof corporate email addresses which look almost identical to the real ones. Similarly, phone calls from unknown numbers must always be treated cautiously, particularly if the caller's voice is unknown to the recipient. The use of social engineering and basic psychological techniques such as a crying baby or a person in distress can facilitate eliciting valuable information.

The relatively few high-profile cases that do hit the headlines generally also tend to involve very well-known brands such as TalkTalk, or the recently reported attack on British Airways, which took its website down for an hour and is reported to have cost the company £100,000.

The reality is that all companies are now vulnerable to cyber attacks; even those with a low public profile in industries not generally associated with cyber crime are now being targeted by cyber criminals. Even if their own data is of no particular value, it can still be stolen and ransomed. Contractors and partner organisations with poor cyber security can also provide an entry point for cyber criminals targeting associated companies.

With cyber criminals now operating on an international scale and increasingly targeting companies of all sizes, it is now urgent that firms deploy stringent cyber security procedures if they haven't already done so.

They must also validate their defenses for real-life scenarios and prepare emergency procedures for coping with the aftermath of an attack to minimise the resultant financial and reputational damage.

Elad Ben-Meir, Head of Marketing at Cyberint
