British experts say it’s impossible to prevent every cyber attack – but staff can be trained to notice more irregularities in the system.
Just before lunch on a spring day in London, a financial officer received an email from their CEO asking that they make a payment to a supplier with whom the CEO had just had a meeting. The payment was large, but no larger than they had expected. Seeing the CEO’s secretary, the financial officer asked when the payment needed to be made. “I’ll just check,” the secretary replied.
A few minutes later the secretary came back looking worried. The CEO had not sent an email requesting a payment. On closer inspection the financial officer noticed that an ‘a’ had been replaced by an ‘e’ in the sender’s company email address. At first there was a wave of relief – a fluke had saved the company from falling victim to a fraud – but then came the hard questions: How had the fraudsters known about the meeting with the supplier? How had they been able to so closely mimic the CEO’s writing style? Had the fraudsters hacked into the company system?
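The single-letter substitution that exposed this fraud is exactly the kind of irregularity a mail gateway or a finance team’s inbox rule can be taught to notice. The following Python script is an added example, not code from the article or from any company it quotes: it parses the From header of a message, extracts the sender’s domain and compares it with the organisation’s legitimate domain using edit distance, flagging near-misses as lookalikes. The domain “example-company.co.uk”, the threshold of two edits and the sample headers are all constructed assumptions for illustration.

```python
"""Flag email senders whose domain is a near-miss of the legitimate company domain.

Added example (not from the original article). LEGIT_DOMAIN, the edit-distance
threshold and the sample headers below are constructed assumptions.
"""
from email.utils import parseaddr

# Constructed placeholder for the organisation's real sending domain.
LEGIT_DOMAIN = "example-company.co.uk"

# How many single-character edits still count as a suspicious lookalike.
# One edit catches the 'a' -> 'e' swap described in the article; two also
# catches a dropped hyphen or a doubled letter. Tune to your own domain length.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str):
    """Return the lower-cased domain part of a From header, or None if unparseable."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().strip()


def check_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN,
                 max_edits: int = MAX_EDITS):
    """Classify a sender as 'ok', 'lookalike', 'external' or 'unparseable'.

    Returns a (verdict, domain) tuple so callers can log what was seen.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparseable", None)
    if domain == legit_domain:
        return ("ok", domain)
    # The legitimate name used as a leading label of a foreign domain
    # (example-company.co.uk.attacker.net) is a lookalike, not a typo.
    if domain.startswith(legit_domain + "."):
        return ("lookalike", domain)
    if levenshtein(domain, legit_domain) <= max_edits:
        return ("lookalike", domain)
    return ("external", domain)


def flag_lookalikes(from_headers, legit_domain: str = LEGIT_DOMAIN):
    """Return only the headers whose sender domain is a lookalike of legit_domain."""
    return [h for h in from_headers
            if check_sender(h, legit_domain)[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one lookalike of the kind in
    # the article (a -> e), one embedded-name lookalike, one ordinary supplier.
    samples = [
        "Chief Executive <ceo@example-company.co.uk>",
        "Chief Executive <ceo@exemple-company.co.uk>",
        "Chief Executive <ceo@example-company.co.uk.attacker.net>",
        "Accounts <invoices@supplier-widgets.net>",
    ]
    for header in samples:
        verdict, domain = check_sender(header)
        print(f"{verdict:11} {domain}  <- {header}")
```

A check like this belongs at the gateway (quarantine or banner the message) rather than with the recipient, and it complements rather than replaces DMARC on the genuine domain: DMARC stops forgery of example-company.co.uk itself, while the edit-distance test catches registered cousins that DMARC cannot see.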
“This sort of attack wouldn’t normally be considered a cyber attack, unless they got access to the system,” explained Stephen Ridley, Senior Development Underwriter at Hiscox, who provide cyber insurance to over 3,000 businesses in the U.K. “But our policies trigger on a suspected data breach.”
Once hackers have access to a company’s system there are a range of ways they can get money, from gathering information to perpetrate fraud, to encrypting company records and demanding a ransom to return them. A compromised company can provide a back door for hackers into the databases of their partners, clients and suppliers. Companies have a responsibility to deal with suspected data breaches, and it comes at a high price.
“You have to find the breach, then shut it off, assess the system’s weaknesses and work out how to improve security, train staff, get legal support,” said Ridley. Even in the event of unsuccessful frauds, “the costs can be huge. Most claims are straight into the tens of thousands of pounds.”
And then there is PR. If it is found out that a system has been breached then the reputational damage can destroy a business. With an ever-growing volume of online transactions, who wants to give their data to a hacked company? For this reason companies often try to keep incidents quiet.
“We see non-disclosure to various degrees,” said Ridley.
Awareness of the threat is growing. Hiscox has reported a threefold increase in U.K. companies taking out cyber insurance over the past year, driven by a string of high-profile hacks against large companies including Sony, Ashley Madison and LinkedIn. But according to a survey by the Institute of Directors, only 57 percent of British businesses have cyber security strategies in place. That figure does not reflect the number of companies taking active security measures, which is far lower. Nor does it reflect the global picture, as the U.K. is far ahead of similarly developed economies.
“The problem is that a lot of people see minimum security standards as the target to meet,” said Peter Shepherd, Head of Digital Investigations at London-based Hidden Security, who specialize in testing the vulnerability of small- and medium-sized businesses. “The attacker has the advantage. They will always get in. The question is how far?”
Describing a typical cyber operation, Shepherd explained how a hypothetical criminal would scan an area for vulnerable devices such as routers, use fake Wi-Fi hotspots to gain access to employees’ phones, and pull company information from social media. A mixture of public and private information then allows for targeted attacks.
“In one case where we were testing a company we learned that they had just signed a deal with a sports company, so we sent around a fake email from the company to staff offering discounted tickets. A few people opened the link and we got access to their system.”
“However,” said Shepherd, “some reported the email to IT. So we sent another email pretending to be from IT warning about the previous email, with a link to allow IT to check that their computer wasn’t affected. Everyone clicked on it. Then we had access to everything.”
The easiest way of converting a breach into cash is through ransomware, which encrypts a company’s system and demands a payment to give back control. Ransom cases represent the largest proportion of cyber-related claims, according to Hiscox. But most cases go unreported.
“Ransoms used to be big,” said Shepherd. “Now they are typically around 250 pounds. At that cost it is easier – and cheaper – to just pay, which most victims do. But if you do these attacks across London, you are going to be collecting a lot of ransoms; earning more than your usual cyber security professional.”
Some frauds are more elaborate, however. Many SME directors take the attitude that their businesses are too small to be the target of a major attack. With awareness of cyber crime driven by public hacks of major corporations and governments, there is a widespread perception that SMEs are below the radar.
In reality, SMEs often provide the perfect entry into larger businesses. Big companies can afford to have dedicated security staff and sophisticated IT defenses. SMEs, by contrast, are, as Shepherd points out, “the weak link in the chain.”
“Big companies rely on SME partners, and once you get into the SME you can exploit the trust relationship between them and the big company to get into their systems.”
With 23 percent of transactions in the U.K. taking place online in 2016, and the proportion projected to grow dramatically, the exposure of SMEs, and therefore larger businesses, is only going to increase. Britain is especially relevant because the U.K. is far ahead of the rest of the world, and so the cyber threat against the British economy showcases what others will face in years to come. Germany, the second most digitized economy, currently has half as many online transactions each year, while the G20 average is just 6 percent. How Britain responds will provide lessons for others.
But countering the threat is difficult. Most breaches are the result of human error. There are ways of avoiding the simplest attacks, and ways of protecting vitally sensitive information systems by identifying and isolating the data – but cyber security experts acknowledge that almost any system will be breached under normal operational conditions. The biggest variable is awareness and attitude – two things that are currently in short supply.
“It is impractical to mandate security measures,” said Ridley. Hiscox does not insure based on a company’s infrastructure meeting arbitrary standards. “The assumption is that attacks will to some extent succeed.”
Instead, Hiscox focuses its discussions with potential clients on their attitude. Shepherd agrees: strong defence is based on awareness. Companies cannot be vigilant 100 percent of the time, but they can encourage awareness by having their IT department send out fake fraudulent emails, rewarding staff who spot them and training staff who fall for the scam. Paying bonuses to IT staff who find breaches is another way of encouraging them to do the dull but essential task of scouring logs for irregularities, a job that is usually squeezed in around their core duties.
The growing volume of cyber fraud is also driven by a lack of policing. Government responses to cyber crime have been pioneered by the intelligence community, associated with the Government Communications Headquarters (GCHQ). The capability of law enforcement lags behind, and few victims expect to catch the perpetrators. Police do not always distinguish between cyber and traditional fraud, and investigation is hampered because plugging the breach often destroys the tracks of the criminals. As a senior security officer at Morgan Stanley put it, “the police just don’t have a clue.”