Cybercrime – it’s a human problem!
According to the recently released Crime Survey for England and Wales, published by the Office for National Statistics, there was a 5% rise in fraud in the year to March 2016 compared to the same period the previous year. There were 1.9m ‘cyber’ related frauds and 2m ‘computer misuse’ offences. The 2m computer misuse offences are further broken down into 1.4m virus-related offences and 0.6m involving unauthorised access to personal information.
Cybercrime has also recently been highlighted by the Fraud Advisory Panel as a major risk to businesses.
When looking to prevent cybercrime it is all too easy to focus only on technical solutions. While it is undoubtedly important to seek technical solutions for what appears to be a totally technical problem, it is easy to lose sight of the fact that this is at its heart a human problem. The fraud is committed by humans, not machines, and the human factor, i.e. your staff and customers, is probably your biggest weakness when it comes to preventing some of this fraud.
Weak and repeated passwords that can easily be cracked and a ‘click now’ culture whereby people click on email links without a second’s thought are just two ways your people can leave you vulnerable to cyber-attacks. This, combined with the increased use of social media, increases the risks of fraud and regulatory non-compliance.
Ransomware appears to be an emerging threat whereby criminals will install malicious code onto your network and threaten to use it to steal business-critical/sensitive information if you don’t pay them a ransom.
I am aware of an attack where an individual within the organisation concerned received an innocent-looking email inviting them to an industry event. Without thinking, they clicked on the link and immediately their computer froze. They called the IS helpdesk and, thankfully, the person on the helpdesk was switched on enough to recognise this as an attack on their network and immediately isolated the PC from the network.
By clicking on the link the person had inadvertently downloaded malware onto the PC which was designed to gain backdoor access to the network. The quick thinking of the IS helpdesk prevented this from happening. Within 10 mins of clicking on the link the individual had also received a ransom demand from the criminals who at that stage thought they had been successful in introducing the malware to the organisation’s network. Because the PC had been isolated the attack was unsuccessful and the organisation was able to politely tell the criminals to go away. Even a delay of about 10 mins by the individual or the IS helpdesk could have resulted in a different story.
This raises two questions. First, would your staff know to call IS immediately if something like this happened (or would they just assume that their PC had crashed again!)? Second, would your IS helpdesk recognise the signs of an attack and know how to respond quickly? Maybe it’s time to raise awareness and also reconsider your incident response plans?
The fact that humans can be your biggest weakness is, however, good news because there is something you can do at relatively low cost! Raising awareness and developing a culture of professional scepticism are key. So maybe it’s time to review your communication, fraud alerts and fraud reporting lines and improve the strength of your weakest link!
Here are 3 free things that might help you better protect your business from cybercrime:
- Encourage your employees, contractors, suppliers and customers to be ‘cyberstreetwise’. This is a government backed website that provides information to individuals and businesses including advice on creating strong passwords.
- Download the free ‘cyber essentials’ guidance and accreditation scheme available on the government-backed website. Obtaining the cyber essentials badge advertises the fact that your business adheres to government-backed standards that.
- Getsafeonline is a public/private partnership website offering free advice to individuals and businesses including a helpline.
Cyber fraud is just one of the many fraud threats faced by businesses. Reducing your losses to fraud requires treating them as a business cost and taking a strategic approach to reduce that cost.