There has been a significant shift in the methodology used by cyber criminals over the past couple of years, in particular. Whilst traditional ‘hacking’ and malware are still prevalent, there has been a boom in other types of attack, in particular Ransomware and Social Engineering. So, why has this happened?

Most profitable types of cyber attack

There is an old saying, “follow the money”, and nowhere is this more pertinent when considering cyber-crimes against UK business. Look at the number of cyber-attacks over the past 12 months from the Beaming Breaches Report in May 2017 - the usual cyber-attacks still feature highly:

  1. Phishing - 1.3m businesses affected
  2. Viruses - 1.28m businesses affected
  3. Hacking - 1m businesses affected

However, to understand why these emerging threats are becoming so popular, we need to look at the revenues generated:

  1. Ransomware - £7.4bn (388k businesses)
  2. Phishing - £5.9bn
  3. Social engineering - £5.4bn

Whilst there were more than three times as many instances of Phishing against UK businesses in 2016, when compared to Ransomware, it yielded just 80% of the revenue. So, Ransomware appears to be 20 times more profitable, per incident, than hacking attacks, and five times more lucrative than other forms of Malware.

More targeted attacks are, by their nature, a lot more labour intensive but, for the criminal gangs who are willing to put in the effort, the rewards can be huge.

Common cyber security myths

There are a number of myths surrounding cyber security, which are impacting on businesses’ decision-making:

  1. Skilled hackers targeting businesses

There is still a perception that there are darkened rooms full of highly skilled hackers targeting UK businesses. If you are a high value target, e.g. a high-profile business, or you are dealing with high value intellectual property etc., then this may be the case.

However, against the majority of businesses, the investment required to carry out such attacks just isn’t worth it- after all, skilled labour is expensive! A large proportion of the non-automated attacks are carried out by a relatively low skilled labour force, who simply find a ‘victim’, load a weaponised attachment into an email, and click ‘send’.

Methodology used by cyber criminals
As safeguards become harder to breach, cyber criminals need to get creative if they want to get in to our systems
  1. I don’t have anything that hackers want

Unless you are in the “high value target” category, mentioned above, you may not feel that your business has anything valuable to hackers, or to anyone else outside your organisation. However, the data your business holds is extremely valuable to you.

Without data, many businesses could not operate. So, if you lost access to all of your company data, how much would you be willing to pay to get it back? This is why Ransomware is becoming so popular.

  1. Cybercrime is an IT issue

The technical safeguards which have traditionally kept us safe are still vitally important. However, as these safeguards become harder to breach, cyber criminals need to get creative, if they want to get in to our systems.

The beauty of these targeted attacks is that, because they aren’t automated, they don’t always have the indicators which allow them to be detected by anti-virus/anti-malware software, so are more likely to find their way in to employees’ inboxes than traditional mass-mailings.

  1. It’s someone else’s job

If fraudulent emails get past your IT defences, your staff are the only thing standing between you and a potentially significant loss. Now imagine that the employee in question had no knowledge of cyber-attacks, and believed instead that the IT department were solely responsible for stopping cyber-attacks…

The truth is that nothing is 100% effective, so it is everyone’s responsibility to be vigilant. Education, and good business management is just as important to preventing cyber-attacks as the IT infrastructure itself.

Embedding a cyber security culture

Cyber security is not simply an IT issue, and there is no “magic box” to plug in. There are three elements to any system, and cyber security is no exception. Effective cyber security can only be achieved when all three work in harmony.

Technology – your IT ‘estate.’ By ensuring that you have all the necessary IT safeguards in place on ALL your IT assets, including mobile devices, printers, access control systems, CCTV (basically anything connected to your network), you reduce the risk of something getting through.

You also need to ensure that these safeguards are regularly updated – the threats are constantly evolving, your systems need to evolve too

Embedding a cyber security culture with best practices
Effective cyber security can only be achieved when technology, people and process work in harmony

People – your staff. A properly briefed, situationally-aware workforce are your last line of defence, should something get past your technical security measures. They need to understand the risks to the business, and their role in preventing cyber-attacks. Training should be done in three strands:

  • Training for directors – awareness of the risks, governance requirements etc
  • Training for all
  • Training for high risk groups – more focused training for people within your organisation who are more especially at risk, e.g. the Accounts department

However, training is not a one-shot deal. This needs to be an ongoing programme of work, with regular refresher and update sessions.

Process – how you let your staff use your IT. Just as you wouldn’t let every employee have access to your banking and accounting software, cyber risk can be significantly reduced by limiting the ability of staff to access unnecessary areas of your network. By only giving staff relevant permissions to do their jobs, you reduce their ability to inadvertently (or intentionally) do something wrong.

With the proliferation of mobile devices, we need to ensure that users are doing so responsibly. So, we need to ensure that the same security standards are maintained when working remotely, via laptops, tablets and smartphones.

The key to protecting your business against cyber-attack is to view the digital risks in the same context as the other risks to your business

It doesn’t stop at IT policies. Criminals “follow the money”, so it is important that there are financial policies in place to reduce the risk of accidentally sending money to the wrong place. ‘CEO Fraud’ happens when a criminal, pretending to be the CEO of a business, sends an email to the accounts department requesting a payment be made to a nominated bank account.

In some cases, accounts staff have transferred many thousands of pounds to fraudsters, when a simple process of confirming all financial transaction requests in person, or via telephone, would have identified the fraud straight away

Securing your business in the digital age

Could it be that the very word “Cyber” is turning us off? The mere mention of the word “cyber” security may cause the non-technically minded to glaze over, dismiss it as “an IT issue”, and leave it to the IT staff to deal with. At board level, this default cascading of cyber security to the IT department is one of the most significant barriers to achieving cyber resilience in business.

If the “C” word puts you off, think of it as ‘Digital’ Security, and consider: Do you understand your digital risks in the same way as you do your physical risks? Or your legal or compliance risks?

And therein lies the fundamental truth: The key to protecting your business against cyber-attack is to view the digital risks in the same context as the other risks to your business, and treat it the same way, instead of dismissing it as an IT issue.

If you understand where the digital risks are, how they can affect your business, and what you would need to do in the event of an incident - in exactly the same way as you would for everything else on your risk register - you have taken your first steps to securing your business in the digital age.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

In case you missed it

How intelligent video surveillance supports smart mobility
How intelligent video surveillance supports smart mobility

The ease of getting from point A to point B, the effective movement of goods and services, and the flexibility and integration of various modes of transportation are key aspects of mobility today. Smart Mobility has been a key theme in the transportation industry for a while. The idea is to keep traffic flowing and help people to get where they need to be, in a smarter way. To this end, industry players are now innovating and introducing advanced technologies and solutions. Examples include intelligent traffic management systems, free-flow tolls, autonomous driving, smart location solutions, and more. At the same time, traffic congestion, aging infrastructure, rapid urbanisation, and increasing sustainability demands are also intensifying the need for smart mobility solutions. One way to overcome these obstacles is to use intelligent video surveillance technology for improved traffic management, making the roads safer and more efficient for every user, while also reducing emissions. Perceptive intersections Relying on intelligent video analytics, traffic video cameras identify traffic build ups at intersections by counting numbers of vehicles crossing an intersection and detecting their speed, while also counting the number of vehicles queueing in real-time. Aggregated data informs the system when to switch traffic lights to red or green. Intelligent optimisation for traffic signals ensures more effective traffic flow.Aggregated data informs the system when to switch traffic lights to red or green The benefits? Improved safety on the roadways; intersection reconstruction can be avoided; drivers can be advised about the speed of their route, forecasted by traffic signals; reduced wait times and stress for commuters; reduction of harmful emissions; and positive impact on public satisfaction. Road safety Traffic incidents can be disastrous, not merely for causing congestion on the roads but sometimes far worse – resulting in injuries and even fatalities. These incidents have many causes, not the least of which is drivers willfully violating traffic laws. Video technology can aid in detecting all kinds of events – for example, illegal parking, running a red light, wrong-way driving, speeding, and making illegal U-turns can all be detected by smart camera technology. By using deep learning technology, cameras can recognise these events and traffic authorities can be immediately notified and take necessary actions even before traffic incidents occur. Scenarios include stopping a driver who is occupying an emergency lane, or notifying a driver who parked their car illegally. Furthermore, ticketing systems can be incorporated to further regulate driving behaviors. Benefits here include incident prevention, better driver performance, and increased safety on the roads and streets, to name just a few. Scenarios include stopping a driver who is occupying an emergency lane, or notifying a driver who parked their car illegally Public information Sharing information is key to keeping city drivers and travelers informed. Intelligent communication about warnings and updates helps everyone save time, avoid frustration, and simplify everyday mobility. This can be done via traffic guidance screens displayed at highly visible locationsThis can be done via traffic guidance screens displayed at highly visible locations, such as congested areas, transportation hubs, shopping malls, and city plazas – or even at your fingertips on your favorite mobile apps! Traffic video cameras generate real-time data of traffic flow and incidents, sending it to a central platform to further fuse with data from third-party systems such as radar and GPS systems. They also disseminate traffic information, including traffic status, warning and advisory notices, as well as parking status.  The benefits are improved public awareness of traffic information, improved travel convenience, overall enhancement of mobility in the city, and more. The Hikvision practice Hikvision has accumulated sophisticated experience in traffic management both at home and abroad. Product lines offer versatile solutions to resolve multitudes of problems in urban traffic management, traffic incident management, highway management, and more. Going deeper, it’s essential to note that efficient signal control management is dependent on the quality of traffic data, system algorithms, and the hardware devices in use; it is also closely related to the mobile environment, such as road conditions, historical traffic conditions, and urban infrastructure. Because of this, no single solution solves traffic congestion everywhere. Hikvision believes that only by working closely with city authorities, public safety organisations, consultants, even academia and other relevant stakeholders, can applications and operational processes be developed to achieve the best possible outcomes. The possibilities for traffic video data are endless, especially now that it can employ artificial intelligence for advanced functionality. Harnessing its power will make all the difference, but the ultimate goal remains the same: safe and smooth traffic, smart mobility, and improved quality of human life.

What impact are data analytics having on security?
What impact are data analytics having on security?

We live in an era of Big Data. Surrounded by a flood of information, more companies are looking for ways to analyse that information (data) and systematically extract intelligence that can help them operate more efficiently and profitably. The data obsession has extended to the physical security industry, too, where large amounts of data have historically been a little-used byproduct of our access control and even video systems. But the picture is changing. We asked this week's Expert Panel Roundtable: What impact are data analytics having on the security market?

Embracing digital transformation in the security industry
Embracing digital transformation in the security industry

Many industries are, to a greater or lesser extent, in the throes of digital transformation. As with any change programme, digital transformation efforts often under-perform against expectations. Yet, the number of digital transformation programmes continue to increase, as commercial pressures intensify. As security professionals we need to embrace our role in digital transformation, as security is everybody’s business. For all those people weary of hearing about digital transformation and believe it’s a business fad, consider your own behaviours. If you use a smartphone to search, find, order, buy, message, watch, learn, play, bank, pay, enter, exit, navigate, communicate and more then you are part of the reason that digital transformation is a commercial necessity. The way we live our lives has changed significantly over the past twenty years and this needs to be reflected into how we rethink the way we do business. Digital transformation is about more than technology, it allows people to solve their traditional problems in new and better ways than before. Better can mean faster, at lower cost, using fewer resources, easier to maintain, more compliant and/or easier to report insights. IoT, criminal activity and security  The number of internet connected devices worldwide is increasing at an exponential rate; by the end of 2025 there are expected to be 75.44 billion. Internet of Things (IoT) means digital transformation converges physical and digital for security professionals. Criminals use smarter digital tools such as malware, drones, key cloners, signal readers and more, which impact both physical and cybersecurity. To counter this, digital transformation provides security professionals with access As security professionals we need to embrace our role in digital transformation, as security is everybody’s businessto valuable actionable insights to identify and deter threats to people and assets. All transformation starts with an idea generated by people and ends with people experiencing the output. Therefore, digital transformation starts and ends with people. To ensure a solid foundation to any digital transformation agenda, people need to have a clear purpose to engage. This is where security leaders can inspire their colleagues with a laudable purpose of embracing disruption at the same time as focusing on safeguarding people and assets. Non-security colleagues should understand that security risks are advancing at a faster pace than enterprises can adapt. As a security leader, you are advocating a movement where your colleagues adopt relevant enterprise security risk management practices in their daily thinking and working. The message is clear that digital transformation presents abundant opportunities and these need to be evaluated alongside the proliferating security threats that can become a business continuity failure. Security professionals and digital influence  The number of internet connected devices worldwide is increasing at an exponential rate; by the end of 2025 there are expected to be 75.44 billionSecurity professionals can influence digital transformation success by translating an enterprise’s strategy into secure operational reality. The security narrative should emphasise the people side of digital transformation and how technology can act as an enabler of a safe and secure experience, both for employees and customers. Operationally, digital transformation is about agility, adaptability and navigating uncertainty. Old ways of thinking and working will be blockers to transformation, so security leaders ought to identify the rapid enablers of a ‘secure’ digital transformation. Better people, processes and overall technology People generally don’t want more in their lives, they want better. Better people. Better data. Better technology. Better processes. Digital transformation creates significant ‘better’ benefits for security: For example, connected (IoT) sensors, video analytics at the edge and machine learning identify threats faster; workflow technologies and automation detect, investigate and remediate routine responses; cloud provides many benefits such as agility, scale and mobility; and, smartphones/digital devices provide real-time communication and collaboration. Tackling all the ‘better’ needs within a security approach is necessary – focusing on the prioritised commercial needs first. Think about how to drive radical simplification into digital transformation agendas to ensure complexity doesn’t create too many unmanageable risks. Designing enterprise security risk management into the business operating model will facilitate colleagues to be empowered for safe and secure change. Communicating security successes and breaches with commercial impact insights in a timely and concise manner across the enterprise will prove the value of active security engagement throughout digital transformation programmes. Transforming the world Digital technology is transforming the world around us, in a way that impacts every area of security. Security professionals are now businesspeople and technologists, in addition to their traditional security remits. Embracing this impacts security recruitment, training and employee engagement, within the security team and with non-security colleagues. Without a doubt, security professionals are integral to digital transformation programmes.