In the 12-month period up to the end of June 2016, the Office for National Statistics estimates that there were almost 6 million instances of online fraud and cybercrime in the UK. It’s one of the fastest-growing areas of crime, and the government has unveiled a £1.9bn programme to protect the UK from cybercriminals until 2020.
With many commentators focusing on high-profile, state-sponsored cyber-attacks, it remains to be seen how this latest investment will affect the UK’s SME community.
Tony Richardson, MD of cyber-security experts Octree, will be speaking at the UK200Group Annual Conference on Friday. Speaking about the government’s new programme, he said: “Will it be a success? That depends on where the money is spent. One of the problems, for example, in the police force, is a lack of skilled people, and I think that training and awareness should be top of the government’s agenda.
“In the long term, this is about education; trying to encourage youngsters to take on ICT-type courses and then move into cyber-security in further and higher education. One of the fundamental problems is that there are fewer people studying ICT at school than there were 20 years ago.
“If the government are just going to throw money at countermeasures, it’s a futile exercise. We’ve got to look at things from an education basis, from a secondary school level.
“For all organisations, security training has to be moved up the agenda. It is social engineering that leads to problems as far as ransomware is concerned, because the delivery mechanism will always be an email being delivered or a website being visited. Therefore, people need to be educated not to click on links or open attachments, and to be prepared to question suspect emails and, if necessary, escalate them.
“Ultimately, directors are going to be liable, so I’m sure they’ll be keen to get that message across.”
Tony, a veteran of the IT industry with 28 years of experience, guides us through two of the most common – and dangerous – types of cyber-attack.
“I became involved with a financial services firm after a ransomware infection, called CryptoWall, had completely compromised their systems, locking them out. This was due to their incumbent IT firm not ensuring that basic anti-malware was installed on their computers. They didn’t have a backup and their files were completely locked, so their choice was to pay a significant ransom or attempt to rebuild their data and database from paper records.
“They chose to rebuild their database, which I suspect will have been extremely costly and time-consuming. It’s not unusual for small businesses to be in a situation in which they are unaware that they are unprotected, one of the fundamental problems being that a lot of small organisations do not think that they are vulnerable to these types of attack.
“The second dangerous fraud we’ve seen recently is a whaling attack, or CEO fraud, in which an email is sent, purportedly from the CEO or Finance Director of the organisation, generally to the finance department staff, asking them to make urgent money transfers or otherwise risk losing some business. The email proves to be fake and the money is lost.
“It’s the social engineering element that is the biggest threat vector for businesses. We’re all part of that altruistic society, we want to help out and provide information and this is the thing that is being exploited. The fundamental problem is that people just aren’t aware of the risks.
“Organisations need to become more aware of the dangers of cybercrime and the options that they have available to them. There’s a perception that cybersecurity counter-measures are incredibly expensive, and therefore it’s better just to ignore the danger, put the head in the sand and hope not to be affected by cybercrime.
“There are ways to ensure that you and your organisation are taking appropriate measures without breaking the bank.”
Digital tax an opportunity
HMRC is in the process of ‘Making Tax Digital’, which means that by 2020 all businesses, including charities, earning over £10,000 per annum will manage their tax affairs through a digital, online account, and will be required to update HMRC at least quarterly.
Taxpayers will be expected to use software accounting systems to record day-to-day transactions, categorise them into different types of income and feed back to HMRC. However, Richardson sees this as an opportunity to tighten cybersecurity measures: “I’m a great believer in cloud computing improving security, because cybersecurity becomes the responsibility of the software provider, which is in a better position to address those.
“[Organisations should] review any service-level agreements and security certifications. Bear in mind that you will have very little influence on negotiation on a large Software as a Service (SaaS) provider, but if you imagine how damaging a successful cyber-attack would be to a large SaaS provider, that offers some reassurance that they will be ensuring their systems are up-to-date.”