Helena Wootton, our data protection expert, attended the recent Midlands Cyber Crime Breakfast with Insider Magazine as a panel expert in April 2016.
This article was originally published in Insider May 2016 | Copyright Newsco Insider Limited 2016
https://www.brownejacobson.com/about-us/news-and-media/published-articles/2016/04/secure-wall-how-should-companies-protect-themselves-from-cyber-crime
Secure Wall - how should companies protect themselves from cyber crime?
How big a threat to business is cyber crime?
Gary Sirrell: It’s a huge threat that’s massively under-reported. We can’t do anything unless it’s reported. Report it to Action Fraud, the national central agency for fraud, or the local police. Phishing (when hackers send emails or set up websites in the hope of ensnaring a naïve computer user) is huge. People think they should spend a lot of money on protecting their IT. I would advise some basic training of your staff; they’re your greatest asset but also your greatest liability when it comes to cyber crime. Ransomware (which hackers use to block a company’s access to vital data until the business pays a ransom) is an effective business model because they ask for the kind of sums – usually a few hundred pounds – where companies seriously consider paying the ransom to quickly regain access to their data, and many end up doing just that. A hospital in the US recently paid a few thousand dollars to a ransomware hacker. But you’re funding organised crime if you do this.
Ian Batten: There’s an easy way to avoid this: have data backups. Businesses that don’t have backups don’t care about their data. This doesn’t just protect them against that sort of crime, but against a wide range of IT threats, including hard drives going bad.
Helena Wootton: One of our clients had a secretary who copied the inbox of one of the directors and then threatened to pass out sensitive information. A report by PwC found 60 per cent of small businesses were attacked from inside last year.
PANEL ONE
Ian Batten, lecturer in computer security, University of Birmingham
Helena Wootton, partner, Browne Jacobson
Gary Sirrell, detective sergeant, West Midlands Police Cyber Crime Unit
Why is the level of reporting to police so low?
Sirrell: There are some issues with Action Fraud at the moment and there are time delays built into the system. The police are quite good with victim care when it comes to traditional crime, but not so good when it comes to the technical side. But things are improving.
Wootton: Businesses are concerned about being honest about breaches; they may not want to report anything to the police because of the nature of the data that’s lost. They also may not want to report it because it’s an inside job.
Batten: The argument that there’s a huge undercurrent of cyber crime not being reported may be true, but it’s unknowable. It seems strange the British Crime Survey, seen as the gold standard of crime reporting, doesn’t actually back up these claims. These crimes can be protected against fairly easily using old-fashioned data processing hygiene. When I worked in industry the big focus was on stopping the corrupt employee in accounts receivable from colluding with the corrupt employee in accounts payable and setting up a fake supplier, which was made much easier because they all had each other’s passwords. Dealing with those problems is much more realistic than worrying about being attacked by scary cyber hackers.
How can cyber crime be best brought to the forefront of directors’ minds?
Wootton: What’s coming out of the new data protection legislation is the threat of being fined up to €20m, or four per cent of global annual turnover. There are also obligations on businesses that process customer data. All this is going to be enforced more rigorously.
Batten: Very few companies recover from an IT disaster. What concerns me is that the narrative about cyber security is frightening people away from storing data in the cloud, when there’s far more of a risk of a fire or power failure in their building. If you lose your accounts receivable or accounts payable you’re dead.
Sirrell: A lot of victims are being subject to basic attacks which could be put right by taking simple measures. If you make it harder the bad guys will go elsewhere.
What are the main measures businesses should take to protect themselves?
Mark Lomas: Everybody is a target online, no matter how big the business. It’s about having the right policies in place, before you even think about the technical solutions. Staff must be properly trained and be made aware of the risks.
Susan Hallam: Once you know the risks, look at what you need to do to address them. Don’t try and avoid using the internet, because that would be impossible.
Gary Sirrell: Back up your data as often as you can, keep data at multiple sites and practise restoring from backups. Keep your most important data in the safest place.
Is using the cloud more dangerous for SMEs than storing data traditionally?
Hallam: Many of us are in the cloud already, but we don’t realise how actively we’re using it. Don’t take a sledgehammer approach in trying to avoid the cloud. Instead take a scalpel approach to make sure you’re appropriately addressing the issues. Small businesses are typically exposing themselves to 400 different apps via staff, so you need to know the risks you are taking by allowing staff into the office with a smartphone every day. Seventy-seven per cent of apps are not ready to be used in a secure fashion and are actually borrowing data from other apps. So the biggest risk is insider incompetence, by not knowing what the risks are.
Hallam: A lot of businesses are thriving because they’re working in the cloud, so they want to continue to use it and make the most of it. But you should use two-step verification to protect yourself. Also, many businesses don’t realise that if someone who isn’t recognised tries to get into your Dropbox, it will notify you.
How important is an ISO mark when it comes to cyber security?
Lomas: If we all hit those high standards then we’ll make life so much harder for the criminals. It’s like vaccination; it doesn’t take too many children not to be vaccinated to cause the outbreak of a disease. Ransomware wouldn’t be spreading on the internet if everybody was universally protected. We can strive for that by meeting certain standards in the industry.
Sirrell: The ISO 27000 series is not the whole answer, but it’s important. The Cyber Essentials package, introduced to cover very small companies that don’t have the resources to go for an ISO standard, is a cyber health check for a business, which will give you a report on where to go next. It costs £400 to £500 and you do it once a year. The government is saying it won’t do business with you or your supply chain if you’re not signed up to Cyber Essentials.
Hallam: There are government grants available for businesses that are striving to meet these standards.
PANEL TWO
Susan Hallam, managing director, Hallam Internet
Mark Lomas, IT consultant, Icomm Technologies
Gary Sirrell, detective sergeant, West Midlands Police Cyber Crime Unit
Lomas: We’ve seen the emergence of standards when it comes to the cloud, especially in the area of security. This includes ISO 27017, which many providers are looking to certify themselves against. This gives a level of assurance and clarity. A reason you may go to the cloud for security is because providers are going to be more obsessive about applying best practices around security in a strict manner. This is something businesses struggle with. Emails aren’t necessarily secure either. You need to look at what you’re using to transfer data, such as Dropbox or WeTransfer. Staff are using them through their own personal accounts, which can have security implications. You need to have a degree of control with people in your organisation about what they can and cannot do.
Sirrell: There’s got to be an element of self-help and investing in training of staff. There are some very simple measures you can take to protect against these threats. There’s a vast amount of resources available to help you, and it’s all free.