Rory Clarke, director at J R Rix and Sons, explores the potentially devastating impact of cyber crime and what you can do to protect your business…
In this age of increased connectivity and data sharing, the danger of cyber crime is one of the most insidious threats a company can face. In the Government’s Cyber Security Breaches Survey 2016, 65% of large firms reported that they had detected a breach or attack in the last 12 months, and 25% of these firms found that they experienced a breach at least once per month. The widespread and regular nature of these attacks is alarming, which is why it is increasingly important that businesses – both large and small – take the necessary steps to protect themselves.
The internet is a big place, and a threat can appear from any number of potential avenues. The survey mentioned above found that the most common threats to companies were viruses, spyware, and malware, followed by attempts made by an attacker to impersonate the target organisation. Here at J R Rix and Sons, our recent experience of cyber crime began with the latter – fraudsters impersonating the business with the aim of financial gain.
In January 2016, someone got in touch with our phone provider, attempting to pass themselves off as a company director in an effort to get our calls diverted.
Thankfully, the security measures that we have in place with our provider prevented this diversion from taking place, which proved to be crucial in the long run.
The ultimate aim of the scam was to request a payment of £750,000 from our bank by forging the signatures of our managing director and finance director. As soon as the bank flagged this as suspicious, they called us to authorise the transaction. Had the call diversion tactic worked, the bank would have reached the criminals and not us, and the theft would have potentially been committed.
From this first-hand experience, it’s easy to see the lengths these fraudsters will go to in an effort to get their hands on your money or data. This attempted theft was sophisticated and clearly planned out, which shows that criminals are willing to put the time and effort into learning about your company if there is a chance that they will be successful. There are a great many tools available to fraudsters, including: distracting DDoS attacks; remote control scams where a legitimate business, like Microsoft or Apple, is impersonated; various forms of phishing; and ever more complex malware and Trojans. Worryingly, these are only a few of the hazards that can be utilised to threaten your security.
Unfortunately, the threat to the most vulnerable businesses – small and medium-sized enterprises (SMEs) – is even greater. While larger firms can easily implement company-wide security measures and provide regular training for staff, SMEs can often struggle due to factors like budget and time restrictions, which make rolling out or reinforcing new security measures difficult. Furthermore, if fraud does take place, larger firms can usually absorb the financial blow, whereas a serious case can put an SME out of business.
The findings in the aforementioned survey seem to draw the same conclusion. When asked if employees had received cyber security training in the last 12 months, only 22% of small enterprises said they had, while medium (38%) and large (62%) companies were more likely to have provided regular training. This lack of preparation is what makes SMEs such an easy target group for fraudsters – they can hold data hostage with a simple attack, often causing business operations to grind to a halt. With the potential loss of revenue, as well as heavy fines for data loss, it isn’t hard to see why cyber crime drives so many enterprises into collapse.
The Government is very aware of this and has provided support for businesses with their 10 Steps campaign, as well as a guide with more tailored advice for SMEs, and wider support through their Be Cyber Streetwise scheme. There are also organisations like Financial Fraud Action UK and Action Fraud that provide useful guidance relating to prevention, detection, and what to do in the aftermath.
Here at Rix, we have learned from our experiences and implemented improved security measures. We’re using multi-tiered threat analysis across all of our operations, at all levels, which includes firewalls, anti-virus software, anti-malware software, and spam filters. We also keep everything up to date to make sure we are protected against the latest cyber security threats.
Additionally, we’ve joined the board of the Humber Business Resilience Forum (HBRF) with the aim of using our experiences to educate the region’s businesses about the threats that they face. We suffer phishing, spear phishing, and malware attacks, amongst others, on a regular basis. These attacks change and evolve and it is critical that we update our software protection and staff training on a regular basis to keep on top of the threat. Part of the reason that we joined the HBRF is to share our experience, but also to keep up to date with the latest information on cyber threats and the best ways to defeat them.
I would strongly urge business owners to review any cyber security policies that they have in place, and to read up on some of the measures that can be taken to protect the future of their enterprise. There’s plenty of advice out there; it just takes an extra bit of effort to implement it and make your staff aware of the changes.
Rory Clarke
Director
J R Rix and Sons
www.rix.co.uk