There are two types of business when it comes to cyber

14 September 2017

Written by Rob May

I was at conference two years ago and the FBI were talking about cybersecurity. They made the statement that there are two types of business, those that have suffered a cyber-attack and those that will. A few months ago I was at another meeting and the FBI were speaking, this time they stated that there are two types of business, those that have suffered a data breach and those that don’t know they have. It’s a sobering thought isn’t it?

The thinking used to be that a cyber-attack happened and you quickly became aware of it, the reality however is that we really don’t know most of the time when a breach happens, what we do know is that any business of any size is a game target and if you’re not aware of breach as yet, it is only a matter of time.

The UK is hugely connected and reliant on digital technology in business (more than anywhere else in the world), 23% of our transactions take place on-line (The G20 average is just 6%) and with that advantage comes a great deal of risk. Cybercrime is estimated to be worth $3trn per year which makes it the number one crime in the world. The people attacking your business are slick business operations, one company I know called the number given on screen when they suffered a ransomware attack and they were asked what language they wanted technical support in so as to help them pay the ransom, these guys were running a huge multi-lingual helpdesk in order to support their “business”.

The core of the problem and the path to improved security is the people we employ. Cyber criminals don’t attack computer operating systems per se rather they attack our human operating systems.

I’ve countless examples of speaking with people who have suffered a cyber breach and at some stage the CEO will call me up and have a moan because their thinking is that they’ve invested in lots of IT security and yet now they’re suffering the pain of an attack. I always explain that yes, they’ve got the very best firewall technology, they’re paying for email and web filtering, they’ve got the industry leading antivirus software on their PC’s etc. This is akin to them buying a state of the art alarm system for the office premises, installing 5 lever mortice locks on all doors and fitting bars to all the windows, the issue in most cyber-attacks is that what happens is the criminal walks up to the front door presses the buzzer and a member of staff lets them in.

Every other year the IT Security world descends on London for an event called InfoSec, during the last one a survey was run at Liverpool Street Station at morning and evening rush-hour for the two days of the show. Commuters were stopped and asked for their employer name, network login and password. 34% of people stopped gave the requested information! Much worse than that however was the fact that if someone said no they were then offered a mars bar in exchange for the info and the number of respondents then rose to a shocking 70%. I’m sure like me you’d like to think that none of your staff would be so foolish however the stats suggest that someone in your business would happily give that information away in exchange for a bar of chocolate. The worrying thing is of course that it actually only takes one employee to do something foolish in order for you to get a leak in your data security pipe.

I do a lot of talks around the subject of the human firewall and this really is essential for you to be discussing in your business. Cyber-crime is an ever changing complex and sophisticated minefield and training your staff is essential. What training do you give your staff? How aware are the board of directors as to the business risk of cyber and what is your corporate response to this? How comprehensive is thinking around cyber in your business continuity plan? My experience is that lots of business owners have great plans for flood or fire but most haven’t accepted the far more likely reality of damage and disruption caused by a cyber-attack.

Please don’t deal with this issue through the use of policies either as the truth of the matter is these don’t protect you, in most cases they simply make the director given responsibility for cyber feel they’ve dealt with the issue, right up to the moment the breach surfaces and then reality bites.

One popular current attack works on the use of macros in Excel, the spreadsheet being sent is clean per se and doesn’t contain a virus thus it will get through that stage of your network protection, however it contains a macro and the macro includes an instruction to unleash problems from a secure website if run. The scam works on a spoofed email sent usually from one director in your business to another and says something like “ahead of our board meeting on Tuesday please find attached a spreadsheet detailing proposed pay rises for all staff”, the email is ‘accidentally’ copied into all staff and of course the spreadsheet needs the macros to be enabled so as to see what pay rise the recipient and all their colleagues are going to get. Alas human nature is such that someone in your business is likely to open this. There is also another variant of this same scam which details “Post Brexit planned redundancies for discussion”, again all it takes is one member of staff to find it impossible to resist and you’ve got a big problem in your business.

Cyber-security and current risk awareness needs to be a recurring item on your board agenda, if you’ve not already taken professional advice I urge you to do so quickly. Consider the on-going training of your ‘human firewall’ and sanity the check the level of awareness within your directors.

Rob May is managing director of ramsac limited who have a mission to make IT simple. He is also an ambassador for cyber security for the Institute of Directors. [email protected] 

If you would like to one of the PwC Cyber team, please get in touch with Richard Horne via [email protected] or on Tel: 020 7213 3227.



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.