Cyber crime: Q&A with Chris Payne of Advanced Cyber Solutions
IT security consultant Chris Payne of Advanced Cyber Solutions shines a light on cyber threats old and new, and explains how your small business can mitigate risk.
How much of a threat is cyber crime to small UK businesses?
Chris Payne (CP): “Significant. Often they don’t have the sophisticated defence systems that larger businesses have. It’s difficult to say exactly how many businesses are affected, because most don’t disclose breaches. But according to the Federation of Small Businesses, 2.9m UK businesses were targeted by cyber criminals in 2016, resulting in losses worth £29bn. The FSB estimates that two thirds of UK small businesses have been affected by cyber crime in the past two years.”
Who are the cyber criminals?
CP: “Malicious actors can be domestic or foreign criminal gangs or just individual ‘chancers’ who obviously do it to make money illegally. Certainly, cyber gangs have been responsible for most ransomware attacks for years, but it’s become much easier for individuals with limited technical know-how to get involved. Their motive is almost always financial.”
What about internal threats?
CP: “The other major threat can come from within – your own people. This can potentially be even more damaging, because they already have access to your IT system or network – and possibly to even more sensitive data. The threat could come from a disgruntled employee who commits an act of sabotage out of revenge or a staff member who steals data from your business.”
What is the most common damage a small business suffers?
CP: “Most cyber attacks are financially motivated – either direct theft or they demand a ransom. They normally request a significant yet affordable sum of money, whether the business decides to pay or not. However, businesses can also suffer significant reputational damage, which can threaten their survival. Following disclosure, customers and suppliers can flee from a business. And there can be serious regulatory implications.”
Is the nature of cyber crime evolving continually?
CP: “Absolutely – that’s one reason why it’s such a big problem. Ten years ago cybercrime wasn’t as widespread or as sophisticated, and many businesses relied less on their IT and data processing. The threat evolves, almost daily, and the challenge for business is to keep pace.”
How are small firms usually targeted by cyber criminals?
CP: “Phishing emails are common, which look like they come from a legitimate source, inviting you to click on a link. After you do, your laptop, PC, tablet or smartphone can become infected with ransomware and you’re asked for payment to unlock your system. Sometimes criminals breach your system and target others in the network.
“Stolen files can be used for ransom or sold online. I’ve also seen cases where a malicious actor infiltrates a communication network and later poses as a person with managerial responsibility, requesting that money be transferred to accounts.”
Are there any new cyber crime threats?
CP: “Cryptojacking has grown in the past 12 months. The malicious actor steals a company’s processing power so they can mine cryptocurrency. It requires far less effort and there’s a lower risk of discovery. Often, cryptojacking code is inserted into the company website, so, when someone visits it, their laptop/PC starts to use all its resources to mine cryptocurrency for the malicious actor. In some cases, the cryptojacking software will even move onto the visiting laptop/PC and continue to mine.”
What steps should small firms take to protect themselves from cyber crime?
CP: “You can’t protect yourself 100% – but you can reduce risk. Someone within your small business must take responsibility for IT/cyber security. They should be aware of basic threats and maintain their knowledge.
“Solid staff training is essential, because this is often where businesses are most vulnerable. Also have robust basic defence measures in place, such as antivirus software on all devices, firewalls on networks, servers and devices, restricting network traffic to known channels. Have two-factor authentication on any public-facing logon prompt, because we all use weak passwords – no matter how much we’re warned.”
Where do small businesses often go wrong?
CP: “Too many ignore the risk of cyber attack. They falsely believe it won’t happen to them – but it can and it does – it doesn’t just affect bigger businesses. Often small businesses look for a ‘one-size-fits-all’ solution to their IT/cyber security needs, but the threat is complex and each business is different. Mitigating risk requires thought, investment, adding layers of defence and realising that it’s an ongoing challenge. The threat isn’t going away.”
Any other words of advice?
CP: “Yes, consider certification programmes such as Cyber Essentials. Sponsored by the UK Government, it can provide basic security controls. Also, create a plan, so you know exactly what to do if your business is a victim of cyber crime. You must limit damage quickly and recover to minimise impact. Learn lessons from any breaches. And reassess risk every month. There’s no better way to defend yourself than to understand and address your weaknesses. For extra peace of mind, find a good IT/cyber security adviser.”