It’s Raining, It’s Pouring, and Cybercrime is Soaring By Nicola Whiting MBE

(The Rise and Fall of Cyber Crime)

I was speaking at an event last month and the host Matt Royle of Probrand highlighted some recent research they’d done showing how, in the UK, a cyber-attack is more likely than rain (which given our weather, is pretty depressing.)

“36% of days saw precipitation in the UK” but “43% of UK businesses attacked each year”
YES in the UK, cyber-attacks are more common than rain…

Considering how we Brits are known for our rain, I thought that it was a brilliant and very impactful way of highlighting figures and stats we know (but often ignore). That old children’s rhyme came to mind, “It’s raining, it’s pouring and cybercrime is soaring…” (In fact it’s soaring so much that a study by Cybersecurity Ventures predicts the annual global cost of cybercrime will be $6 trillion by 2021 – up from $3 trillion in 2015).

So why is cybercrime continuing to grow and why aren’t more resources being thrown at it?

The Appeal of Cybercrime…

Criminals make the same risk decisions we do – they can’t always measure the potential reward of their crime, but they can strive to lower their risks and maximise their gains.

Traditional crime, such as breaking into a building with a crowbar in the middle of the night, requires lots of effort, is risky and carries a higher potential punishment (for rewards such as petty cash and used PCs).

In contrast, cybercrime is low effort, hard to detect, currently carries lower punishments and vastly multiplies the reward. Cybercrime is a numbers game – and it’s not in our favour…

So what is typically at risk?

  • Client databases and financial information for multiple people (including yours as employees).
  • Information on large-value client transactions (property, acquisitions, mergers etc.).
  • Valuable IP (how you do the things you do, growth plans etc.).
  • Your ability to operate as a business (how much do you need system access to perform routine work?).

Why isn’t it being taken more seriously?

The UK Government IS taking it seriously – it’s been a key area of discussion for decades. Securing our critical national infrastructure against cyber-attacks is a visible priority (as is helping “Joe Public” and SME business owners become more secure too, but that’s not an easy task).

In June 2014, the UK Government launched a scheme called Cyber Essentials, an information assurance scheme to help businesses and organisations adopt good practice in cyber security and protect against a wide variety of common cyber-attacks. Operated by the National Cyber Security Centre (NCSC), it offers organisations two levels of certification: a self-assessment of systems, which is then independently verified, or an enhanced certification where the systems are independently tested and Cyber Essentials is integrated into the business’s information risk management.

Working alongside the NCSC are the Regional Organised Crime Units (ROCUs). These units have specialist cyber security teams that work with businesses and organisations to help them reduce their risk of falling victim to cybercrime. There are currently 10 of these units across the country, each with its own website and social media channels advising on news, best practice and contact information.

There are also a number of professional industry organisations and high quality publications (such as this one) providing valuable thought leadership, practical guidance and accessible content. I’ve spoken at events held by both CREST and IISP (Institute of Information Security Professionals) and have seen first-hand their drive to advance standards of professionalism and increase the industry talent pool.

What does this mean for you?

The average person or business owner has more readily available advice on good practice (that you can easily follow to reduce your risk) than ever before – and as an industry we’re getting better at communication. People are calling out vendors who operate on “smoke and mirrors”, and although there’s still too much jargon, things are getting clearer.

In the end, though, it all comes down to you as an individual – deciding what YOU are going to do about security. Some of the actions you can take are in the advice and links at the bottom of this article, but ultimately criminals are counting on you not to take them.

Is your risk increasing and what can you lose?

YES – Whilst traditional crime is generally decreasing, cybercrime risk is increasing.

Your money, your information, your reputation, your IT equipment and your IT based services are all at risk. Whether you manage your own systems and devices, or rely on third-party hosted systems (i.e. ‘in the cloud’), your risk is real, constant and growing.

Criminals have always tried to find the easiest marks with the richest rewards – these are things that increase your risk:

  • High potential for ransomware extortion – data reliance, or a strong reputation you want to protect.
  • High reward for successful man-in-the-middle attacks – intercepting client funds.
  • Financial data with high value, that can be sold on the Dark Web for secondary profit.
  • Strong reliance on systems access – for your team to be able to operate your business.
  • A need to safeguard your reputation – especially for protecting clients’ confidential information.
  • Having weak security practices or defences – in comparison to the criminals’ reward if successful.

N.B. If you’re a trusted advisor, e.g. a publisher, a security company that sends out client updates, an accountant, a lawyer (anyone whose emails might be immediately “trusted” and clicked on), you may be targeted for your access into others’ systems. Criminals can make additional money by exploiting your trusted-advisor status (and systems) to deliver malicious software to your clients and then extort them too! (It’s the ultimate criminal pyramid scheme and is often referred to when discussing “supply chain breaches”.)

Protecting yourself & the people you care about:

Managing cyber risk is a business AND personal decision – you may be worried about making the right choices. However, even though your risks are increasing, reducing them has never been easier!

So what can you do about cyber security?

1) Make sure you have your “Cyber Essentials” covered.
An easy way to check this is to investigate the UK Government’s “Cyber Essentials Scheme”. It contains practical, Government-backed advice from globally recognised cyber experts (including GCHQ / CESG).

The information from Cyber Essentials is FREE – it helps you understand the real implications and consequences of a cyber-attack and gives you the inside track from GCHQ on protecting yourself.

Evidence shows implementing Cyber Essentials can reduce your chances of a successful attack – by up to 80%.

2) Check where your Service Providers store your data, and how they are protecting it.
Ask the same questions of your service provider as you would of your own in-house team. They ARE your own systems and it is your data, even in the cloud! (Even with a hosted service, the data risks, GDPR requirements and legal responsibilities remain yours.)

3) Take action – almost any action is better than no action.
  • Harden your system defences – e.g. enabling auto-update for software patches, anti-virus etc.
  • Reduce “human factor” risk – e.g. providing cyber security training on phishing etc.
    (It not only helps protect your business, it helps protect your employees’ families too!)
  • Protect yourself if things go wrong – e.g. making offline backups.
    (Backups that are made and stored separately from your system, so ransomware can’t infect them.)
Know that consistent small actions over a period of time (Kaizen) will all add up to significantly reduce your risk…

Useful Links & Further Reading:

Cyber Essentials
Government-backed walk-through on protecting yourself against cyber threats, plus accreditation options. Take action! Reduce your risk – protect your reputation.
(It’s not difficult and will help you protect your assets and clients.)

A Cyber Guide for Small Business (UK Government)
Policies and practices to fast-track your understanding and make cyber simple.

Nicola Whiting MBE

Chief Strategy Officer at the acclaimed cyber security company Titania Group. Nicola is an Amazon bestselling author, writer and advocate for diversity in all forms.

In 2017 & 2018 SC Magazine named her one of the top 20 most influential women working in cybersecurity. Nicola was also recently named on SC Magazine’s Women of Influence Top 30 Global CyberSecurity Leaders (2021).

In 2020 she received an MBE for Services to International Trade and Diversity.