There has been a significant shift in the methodology used by cyber criminals over the past couple of years. Whilst traditional ‘hacking’ and malware are still prevalent, there has been a boom in other types of attack, in particular Ransomware and Social Engineering. So, why has this happened?

Most profitable types of cyber attack

There is an old saying, “follow the money”, and nowhere is this more pertinent than when considering cyber-crimes against UK business. Look at the number of cyber-attacks over the past 12 months from the Beaming Breaches Report in May 2017 - the usual cyber-attacks still feature highly:

  1. Phishing - 1.3m businesses affected
  2. Viruses - 1.28m businesses affected
  3. Hacking - 1m businesses affected

However, to understand why these emerging threats are becoming so popular, we need to look at the revenues generated:

  1. Ransomware - £7.4bn (388k businesses)
  2. Phishing - £5.9bn
  3. Social engineering - £5.4bn

Whilst there were more than three times as many instances of Phishing against UK businesses in 2016 as there were of Ransomware, Phishing yielded just 80% of the revenue. So, per incident, Ransomware appears to be 20 times more profitable than hacking attacks, and five times more lucrative than other forms of malware.

More targeted attacks are, by their nature, a lot more labour intensive but, for the criminal gangs who are willing to put in the effort, the rewards can be huge.

Common cyber security myths

There are a number of myths surrounding cyber security, which are impacting on businesses’ decision-making:

  1. Skilled hackers targeting businesses

There is still a perception that there are darkened rooms full of highly skilled hackers targeting UK businesses. If you are a high value target, e.g. a high-profile business, or you are dealing with high value intellectual property etc., then this may be the case.

However, against the majority of businesses, the investment required to carry out such attacks just isn’t worth it; after all, skilled labour is expensive! A large proportion of the non-automated attacks are carried out by a relatively low-skilled labour force, who simply find a ‘victim’, load a weaponised attachment into an email, and click ‘send’.

  2. I don’t have anything that hackers want

Unless you are in the “high value target” category, mentioned above, you may not feel that your business has anything valuable to hackers, or to anyone else outside your organisation. However, the data your business holds is extremely valuable to you.

Without data, many businesses could not operate. So, if you lost access to all of your company data, how much would you be willing to pay to get it back? This is why Ransomware is becoming so popular.

  3. Cybercrime is an IT issue

The technical safeguards which have traditionally kept us safe are still vitally important. However, as these safeguards become harder to breach, cyber criminals need to get creative, if they want to get in to our systems.

The advantage of these targeted attacks, from the criminal’s point of view, is that, because they are hand-crafted rather than mass-mailed, they don’t always carry the known signatures or indicators which allow anti-virus/anti-malware software to detect them, so they are more likely to find their way into employees’ inboxes than traditional mass-mailings.

  4. It’s someone else’s job

If fraudulent emails get past your IT defences, your staff are the only thing standing between you and a potentially significant loss. Now imagine that the employee in question had no knowledge of cyber-attacks, and believed instead that the IT department were solely responsible for stopping cyber-attacks…

The truth is that nothing is 100% effective, so it is everyone’s responsibility to be vigilant. Education and good business management are just as important to preventing cyber-attacks as the IT infrastructure itself.

Embedding a cyber security culture

Cyber security is not simply an IT issue, and there is no “magic box” to plug in. There are three elements to any system - technology, people and process - and cyber security is no exception. Effective cyber security can only be achieved when all three work in harmony.

Technology – your IT ‘estate.’ By ensuring that you have all the necessary IT safeguards in place on ALL your IT assets, including mobile devices, printers, access control systems, CCTV (basically anything connected to your network), you reduce the risk of something getting through.

You also need to ensure that these safeguards are regularly updated: the threats are constantly evolving, so your systems need to evolve too.


People – your staff. A properly briefed, situationally-aware workforce are your last line of defence, should something get past your technical security measures. They need to understand the risks to the business, and their role in preventing cyber-attacks. Training should be done in three strands:

  • Training for directors – awareness of the risks, governance requirements etc
  • Training for all
  • Training for high risk groups – more focused training for people within your organisation who are especially at risk, e.g. the Accounts department

However, training is not a one-shot deal. This needs to be an ongoing programme of work, with regular refresher and update sessions.

Process – how you let your staff use your IT. Just as you wouldn’t let every employee have access to your banking and accounting software, cyber risk can be significantly reduced by limiting the ability of staff to access unnecessary areas of your network. By only giving staff relevant permissions to do their jobs, you reduce their ability to inadvertently (or intentionally) do something wrong.

With the proliferation of mobile devices, we need to ensure that users are using them responsibly. So, we need to ensure that the same security standards are maintained when working remotely, via laptops, tablets and smartphones.


It doesn’t stop at IT policies. Criminals “follow the money”, so it is important that there are financial policies in place to reduce the risk of accidentally sending money to the wrong place. ‘CEO Fraud’ happens when a criminal, pretending to be the CEO of a business, sends an email to the accounts department requesting a payment be made to a nominated bank account.

In some cases, accounts staff have transferred many thousands of pounds to fraudsters, when a simple process of confirming all financial transaction requests in person, or via telephone on a number already held on file (never one supplied in the email itself), would have identified the fraud straight away.
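The technical checks that sit alongside that financial process are simple header heuristics. The following is an added illustration, not code from the original article: it inspects a raw email for the usual hallmarks of a ‘CEO Fraud’ request (an executive’s display name on a foreign address, a look-alike sender domain, a Reply-To that diverts replies elsewhere, and payment language in the text). The company domain, the executive list and both sample messages are constructed for the example.

```python
"""Flag the hallmarks of a 'CEO fraud' payment request from an email's headers.

Added illustration, not code from the original article. The organisation,
its executives and the two sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation: its genuine mail domain and the executives whose
# names a fraudster is most likely to borrow (lower-cased name -> real address).
COMPANY_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}

# Words that usually accompany a fraudulent payment request.
PAYMENT_WORDS = ("payment", "transfer", "bank account", "invoice", "urgent")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_company_domain(domain: str) -> bool:
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def _looks_like_company(domain: str) -> bool:
    """True for examp1e.co.uk (close edit distance) or example-co-uk.com (label reuse)."""
    label = COMPANY_DOMAIN.split(".")[0]
    return _edit_distance(domain, COMPANY_DOMAIN) <= 2 or label in domain


def ceo_fraud_indicators(raw_message: str) -> list:
    """Return human-readable reasons the message looks like CEO fraud.

    An empty list means none of the checks fired; it does NOT prove the mail is
    genuine (a compromised real mailbox passes all four), which is why the
    out-of-band confirmation described in the article still applies.
    """
    msg = message_from_string(raw_message)
    reasons = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    name_key = display_name.strip().lower()

    # 1. A known executive's display name on an address that is not theirs.
    if name_key in EXECUTIVES and from_addr != EXECUTIVES[name_key]:
        reasons.append(f"display name '{display_name}' does not match {EXECUTIVES[name_key]}")

    # 2. The sender domain merely resembles the company domain.
    if from_domain and not _is_company_domain(from_domain) and _looks_like_company(from_domain):
        reasons.append(f"look-alike sender domain '{from_domain}'")

    # 3. Replies are diverted to a different mailbox than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        reasons.append(f"Reply-To '{reply_to}' differs from From address")

    # 4. The subject or body asks for money or new bank details.
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        body = b"\n".join(parts).decode("utf-8", "replace")
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits:
        reasons.append("payment language: " + ", ".join(hits))

    return reasons


# Constructed samples: one fraudulent request and one ordinary internal mail.
FRAUD_SAMPLE = """From: Jane Smith <jane.smith@examp1e.co.uk>
Reply-To: jane.smith.ceo@gmail.com
To: accounts@example.co.uk
Subject: Urgent payment

Hi, I'm in a meeting and need an urgent transfer to a new supplier today.
Please confirm and I will send the bank account details. Jane
"""

GENUINE_SAMPLE = """From: Jane Smith <jane.smith@example.co.uk>
To: accounts@example.co.uk
Subject: Lunch

Team lunch on Friday at 12.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, ceo_fraud_indicators(sample))
```

Run as a script it prints four reasons for the fraudulent sample and none for the genuine one. The point of the design is that the checks only raise suspicion; the control that actually stops the loss is the accounts team picking up the phone to a number they already hold, regardless of what the headers say.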

Securing your business in the digital age

Could it be that the very word “Cyber” is turning us off? The mere mention of the word “cyber” security may cause the non-technically minded to glaze over, dismiss it as “an IT issue”, and leave it to the IT staff to deal with. At board level, this default cascading of cyber security to the IT department is one of the most significant barriers to achieving cyber resilience in business.

If the “C” word puts you off, think of it as ‘Digital’ Security, and consider: Do you understand your digital risks in the same way as you do your physical risks? Or your legal or compliance risks?

And therein lies the fundamental truth: The key to protecting your business against cyber-attack is to view the digital risks in the same context as the other risks to your business, and treat it the same way, instead of dismissing it as an IT issue.

If you understand where the digital risks are, how they can affect your business, and what you would need to do in the event of an incident - in exactly the same way as you would for everything else on your risk register - you have taken your first steps to securing your business in the digital age.
