Cyber risks and fraud - preparing for the inevitable
A Thinking Business publication.
The risk of cyber attacks against UK businesses has significantly increased since the start of Russia's offensive in Ukraine, with the threat of spill-over attacks becoming more widespread. The current conflict is amplifying an already broad trend of increasing volume, scale and sophistication of cybercrime, and has driven the UK's National Cyber Security Centre (NCSC) to warn businesses that they could be targeted.
In March, the NCSC – which is part of GCHQ – called on organisations in the UK to bolster their online defences, saying: “There has been a historical pattern of cyber attacks against Ukraine with international consequences. HermeticWiper, a wiper malware used against Ukrainian organisations, also has the potential to impact organisations outside of Ukraine and can erase data from the hard drive of an infected computer.”
As the UK has strengthened sanctions against Russia, business leaders and public sector entities in sectors like power, oil, gas, telecoms and financial services have been warned to prepare for retaliatory attacks.
“Cyber warfare is becoming a growing threat,” says Helen Briant, partner in the Trowers & Hamlins commercial litigation practice. “Part of that will mean increased cyber incidents as a result of our engagement in support of Ukraine’s position. The escalating risks that companies face in relation to cyber breaches and fraud mean it is no longer a case of if but when it will happen to you.”
The annual Cyber Security Breaches Survey, published by the government in the spring, found that 39 per cent of UK businesses had experienced a cyber attack in the previous 12 months. Around one in five of those had suffered a more sophisticated attack such as denial of service, malware or ransomware, while the most common threat was phishing. Of those reporting incidents, 31 per cent said they were being attacked at least once a week.
“It is impossible to look at the papers without reading about another organisation that has fallen victim to cybercrime or hearing about a new and more sophisticated type of fraud,” says Briant. “Organisations need to focus on being prepared and making sure their internal controls and response plans are ready and in good shape to deal with an incident.”
Putting in place proper cyber protections requires a commitment of resources that not every business is ready to make, argues Liz Mulley, a senior associate in the same team at the firm. “While organisations are seeing these attacks and frauds taking place, the cost of some of these protections can put these out of reach for some organisations,” she says, pointing to the expenses associated with preventative software and embedding cyber hygiene measures. “Surveys continue to suggest that a lot of organisations still don’t have adequate procedures in place.”
Meanwhile, cyber criminals and fraudsters are refining their methods. There are reports of attackers using fake videos of company executives to give staff instructions that, if followed, lead to fraudulent activity.
Earlier this year, food manufacturer KP Snacks was hit by a ransomware attack that severely disrupted its supply chain and prevented it from processing orders or dispatching goods for several weeks. Car manufacturer Toyota also had to suspend production at 14 plants in Japan for at least a day after a cyber attack caused a system failure at a key supplier. It was estimated the outage could cause a five per cent drop in its monthly production.
The growing use of ransomware is a particular threat. Cyber criminals infiltrate a company's systems, encrypt or otherwise block access to them and, increasingly, also steal sensitive data and threaten to publish it unless a ransom is paid.
Briant says: “The majority of businesses have policies that say they will not pay ransoms, but if a company falls victim to an incident where someone is effectively holding access to their system hostage, many understandably pay up. In part, people are doing that because they hope to keep the incident out of the public domain, but it is a false economy. It is very hard to keep these things under wraps and the incident may not be a one off.”
She adds: “Realistically, if you don’t do the necessary work to effectively lock the doors, it is highly likely to happen again. All of these risks are exacerbated by a slow response that does not shut down vulnerabilities quickly enough.”
So what should companies be doing to protect themselves? Risk mitigation falls into two categories: people and technology.
Briant says: “The human part of any kind of interaction with technology means your humans are both your worst line of defence and your best protection. A busy or careless employee might miss the fact that an email asking them to transfer £5 million has not actually come from the finance director, while a diligent employee will stop that transfer happening. So training, training and more training is the answer.”
The goal is to increase awareness among employees of what to look out for, and to create a zero-tolerance culture by, for example, writing comprehensive cyber policies and procedures, implementing them through frequent staff training, and running regular simulations (such as mock phishing campaigns) to identify gaps in security.
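The £5 million email described above is a classic business email compromise: the display name says "finance director", but the address behind it does not. The checks a diligent employee makes by eye can also be automated at the mail gateway. The following is an added example written for this page, not code from Trowers & Hamlins or from the survey. The corporate domain (example.com), the executive roster and the three sample messages are all constructed; a real deployment would draw the roster from the directory and run against the receiving server's own Authentication-Results header.

```python
"""Flag business-email-compromise indicators in a message's headers and body.

Added example for illustration; the domain, roster and messages below
are constructed, not taken from any real incident.
"""
from email import message_from_string, policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                     # assumed: the organisation's own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed: display name -> genuine address
PAYMENT_WORDS = ("transfer", "payment", "wire", "invoice", "urgent")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, reference: str) -> bool:
    """True for a domain one edit away from ours (examp1e.com) or one that
    embeds our main label (example-com.net), but not for our own domain."""
    if domain == reference:
        return False
    return edit_distance(domain, reference) <= 1 or reference.split(".")[0] in domain


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable warning strings; empty means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    if sender_domain != CORPORATE_DOMAIN:
        # Display-name spoofing: a known executive's name over an external address.
        if name.lower() in EXECUTIVES:
            findings.append(f"display name '{name}' matches an executive but address is {addr}")
        # Lookalike domain registered by the attacker.
        if looks_alike(sender_domain, CORPORATE_DOMAIN):
            findings.append(f"sender domain {sender_domain} resembles {CORPORATE_DOMAIN}")

    # Replies silently redirected somewhere else.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != sender_domain:
            findings.append(f"Reply-To {reply_addr} does not match sender domain {sender_domain}")

    # The receiving server's own verdict; note a lookalike domain can legitimately
    # pass DMARC because the attacker controls it, so this is only one indicator.
    auth = msg.get("Authentication-Results", "")
    if "dmarc=pass" not in str(auth).lower():
        findings.append("receiving server recorded no DMARC pass for this message")

    # Payment language on top of header anomalies is the combination to escalate.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if findings and any(word in text for word in PAYMENT_WORDS):
        findings.append("payment request combined with sender anomalies: hold and verify by phone")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED_MESSAGE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-provider.test
To: accounts@example.com
Subject: Urgent transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
Content-Type: text/plain

Please wire GBP 5,000,000 today to the account on the attached invoice.
"""

FREEMAIL_MESSAGE = """From: Jane Doe <janedoe.ceo@freemail.test>
To: accounts@example.com
Subject: Quick favour
Content-Type: text/plain

I am in a meeting, please make the transfer we discussed before 5pm.
"""

LEGITIMATE_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 invoices
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Please process the attached invoices in the normal run.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("freemail", FREEMAIL_MESSAGE), ("legit", LEGITIMATE_MESSAGE)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

The spoofed message passes SPF, DKIM and DMARC, because the attacker owns examp1e.com; what gives it away is the executive's name over a foreign domain, the one-character typosquat and the mismatched Reply-To. That is why a gateway check should look at these signals together rather than trusting an authentication pass on its own, and why the policy response is a phone call to the real finance director, not a faster transfer.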
“Those elements are relatively low cost,” says Mulley. “The IT side and the investment in software is potentially more costly, but the majority of key preventative measures are not expensive.”
Briant adds: “When we have dealt with clients that have had breaches, often we hear IT managers saying they have been asking the Board for the budget to upgrade systems for ages. So, to the extent your organisation can, you want to make sure you are making appropriate budget available to the IT team and make the decision-making a boardroom issue, not an IT team issue.”
Outdated systems and controls are going to throw up more weaknesses than the most up-to-date software, so, for some organisations, significant investment may be required.
A response plan that allows a company to react quickly in the event of a breach is also important. Too often, when a breach occurs, teams from IT, commercial, legal, PR and HR end up falling over each other while they work out how to react.
“As soon as a data breach happens, you have 72 hours to get an initial response to the Information Commissioner’s Office,” says Briant. “You are going to need legal help, PR help, and – depending on your internal capabilities – you will likely need cyber specialists to come in and tell you what happened and fix it. Then there is the communications piece around messaging to customers, employees and suppliers. Having a clear plan in place beforehand, setting out who will take what roles and responsibilities, makes that crisis management much easier because you don’t have to spend time figuring it out.”
Through a combined effort involving key elements of the business in risk management and cyber response planning, it is possible to identify vulnerabilities early and deal with incidents quickly.
“One area where people fall down is failing to look at supply chains and supplier relationships in a cyber context,” says Mulley. “They can be an organisation’s biggest vulnerability. If you are not regularly reviewing your approved list of suppliers, you could open yourself up to a potential attack by an opportunistic supplier or by a third party finding a way into your systems via a supplier.”
The message for business leaders is that this threat only continues to increase, so taking steps to protect your company must be prioritised.
“Cyber criminals are sophisticated global organisations, not just a bunch of people sitting in their bedrooms hacking into random computer systems,” says Briant. “It is very easy to hack an organisation, if you know what you’re doing, particularly if that system is compromised in some way. These people take the most advanced technology out there and use it against us. You no longer have to put on a balaclava and head to the high street if you want to rob a bank.”