“Cyber Crime” is a phrase we hear in the news all the time. But what does it actually mean? And is it a real threat to your business?
Probably the first thing you think of when you hear “cyber crime” is hacking. With a data theft scandal at the centre of the US election, it’s been hard to avoid the topic.
It’s not just Government agencies falling foul of cyber criminals. Big businesses are also being targeted by hackers.
In 2016 TalkTalk suffered serious reputation damage when its entire customer database was breached. The whole of Guernsey’s business community found itself subject to a ransom demand when it was locked out of the internet.
And it’s not just large corporations being attacked. The FBI believe that 97% of companies are aware that they have been subject to a cyber crime attempt; the remaining 3% have also been victims but are blissfully ignorant.
The key is not to think, “We’re too small a business to be worth anyone’s while.” Instead you need to think, “If it can happen to them it can happen to anyone.”
Businesses are slowly realising that cyber crime presents a very real threat. A recent survey of SMEs found that 74% of boards placed cyber attacks in their top 3 concerns.
Coming soon: New Data Regulations
May 2018 will see the implementation of the government’s General Data Protection Regulation (GDPR). There will be severe penalties for non-compliance, and if your data security systems are breached your company will be liable for notifying every contact record in writing.
What are the most common Cyber Attacks?
- Email hacking/phishing – if someone in your company clicks on or replies to one of these emails they may activate Trojan horse software. This will operate in their web browser. It’s able to mirror the keystrokes of the user and may inform the hackers of passwords being typed in. This method has been used to illegally withdraw significant amounts from online bank accounts. In many cases the financial institutions in question have not accepted liability.
- Email cloaking – an email is sent appearing to be from one high-level employee to another, requesting that a payment is made. Money is sent to the hacker’s account.
- Ransomware/Virus – much like those that succeeded in crippling Guernsey, criminals working on the dark web have built sophisticated businesses with the sole aim of gaining control of companies’ technology networks and systems. They then send demands for payment in exchange for restoring the status quo.
- Password theft/breach – this enables sensitive data to be accessed and released. A disgruntled employee at the supermarket Morrisons did just this in 2015, costing the firm over £2 million.
How do they succeed?
IT is now integral to most businesses. More people now work from home and access systems remotely than ever before. Most companies now accept data submissions and payments online. Our flexible working practices have made us more vulnerable.
Craig Watson, who leads on financial risk for insurer RSA, believes that, “Humans are the most likely weakness in the system. It has been proven that if your child’s name forms part of your password then it will take a determined hacker 43 seconds to crack it.”
The Financial Times had its system hacked recently. Their password was revealed to be password1. With 1 in every 900 emails now a phishing email, it may be time to review your passwords and systems to prevent.
It’s also worth looking at the cover your business insurance provides. A recent insurance survey found that 52% of clients think they have cover to protect them against cyber crime but only 10% actually do.
Why rob a bank with a shotgun anymore?
These hackers are getting smarter. It is no longer an email from a Nigerian Prince looking for an account in which to temporarily place funds. They understand business practices and know how to target weakness.
For example, on a Friday solicitors will be bombarded with cloned emails requesting internet banking transfers to specific accounts. The hackers know that Friday is the busiest day of the week for house completions and that the accounts teams in these companies will be under pressure to process transactions. Under that pressure staff might not think to question unusual requests, and best practice procedure can sometimes be overlooked.
How could cyber crime cost my business?
Take the following examples. You might be:
- An MOT station owner – sending out reminders to your clients that their vehicle requires its periodic inspection
- A car dealer – more and more websites are moving towards online payments. Data could be breached and those supposed to be completing the transactions could be impersonated.
- A taxi operator – running marketing campaigns to your regular customers
In each of these cases your company could lose a significant number of data records. If these were accessed by hackers after the GDPR then you would need to write to every contact informing them of the breach. RSA estimate that this could cost up to £35 per record.
Cyber insurance can be arranged to cover the cost of this process. You may also want the benefit of PR advice to minimise the impact on your firm’s reputation. The cost of this can also be included in a cyber policy.
Let’s take another possible scenario featuring a hotel company that operates an online booking system. Their employee accidentally opens an Excel document containing a Trojan virus sent in an email attachment by a hacker. This then shuts down their website’s booking system. Their IT team spends 3 days attempting to remove it.
The business is completely out of action in much the same way that a flood or fire would have impacted it. Business interruption cover should be considered to cover these types of eventuality.
Better cyber security processes
As well as reviewing your insurance cover it might be worth taking a look at the following areas of your business:
- Password protocol
- Firewalls/Email quarantining process
- Regular back-up systems
All of these methods will help a company avoid the risk of extortion, but if they fail, a cyber policy can prove vital to countering the effects of commercial cyber crime.