What Are the Digital Threats to Your Business?
By James Brewer
Executives have been recommended to exercise a “healthy level of paranoia” over the safety of their computerised systems. The advice came from Sandis Medins, a specialist at IDYNAMIC Group, a business IT consultancy with offices in London, Riga, Lublin and Stockholm.
He was speaking on the theme “What Are the Digital Threats to Your Business?” at a meeting of representatives of small firms, hosted by NatWest Bank, in Bromley, Kent.
Mr Medins urged companies to work on the assumption that everyone has something of value that is worth something to others. “The logical conclusion: anyone is a potential victim.” It was vital to develop a culture of cybersecurity.
He said that while the Association of Chief Police Officers had defined cyber-crime as “the use of networked computers or internet technology to commit or facilitate the commission of crime,” it should be remembered that non-networked computers could also deliver serious attacks. One of the best-known examples of this phenomenon was the Stuxnet worm, which in 2010 infected Iran’s nuclear enrichment programme and is said to have delayed it by three years.
Data from the new UK National Cyber Security Centre put the average cost of a security breach at £600,000 to £1.15m.
The ‘insider’ threat was the biggest one, and this meant not just employees but contractors or others to whom access might be given.
The main offences hitting businesses were economic crimes, unauthorised access to systems, and sabotage (hacking, distribution of viruses, computer espionage, computer forgery, and computer fraud).
Within the threat landscape were commodity and bespoke capabilities, with ‘hacker toolsets’ available for the former.
Mr Medins reeled off a list of techniques used for untargeted attacks, including phishing, water-holing (when an attacker aims to compromise a specific group of end users by infecting websites they are known to visit) and ransomware (malware that holds a victim’s data hostage).
He gave examples of common targeted attacks: spear-phishing (scamming a specific individual or organisation, often to steal data), deploying a botnet, and subverting the supply chain. “The supply chain is the dangerous thing!” One trick was setting up a website similar to a genuine portal, to divert money and consignments of goods. Some criminals intervene in transactions to siphon payment their way by means of a bogus invoice. “Targeted attacks are happening every minute.”
Who might be attacking you? Cyber criminals, industrial competitors, foreign intelligence services, hackers, hacktivists, employees, and users with legitimate access, through either accidental or deliberate misuse.
Mr Medins, who was accompanied at the event by IDYNAMIC’s chief executive for the UK, Flavio Menghini, went on to list short-sighted and dangerous attitudes. A company might say it was too small to be targeted – but miscreants would seek to find hidden value. It might argue “We are different – no one is interested in us.” Think twice! “We are safe.” No-one is safe!
The biggest mistakes were: failing to properly train and certify employees, contractors, vendors and suppliers, who think cyber security is merely a technology problem; failing to classify data and trade secrets; failing to understand the insider threat; not understanding the difference between a ‘perimeter protection’ strategy and a ‘data-centric’ strategy; emailing unencrypted data; leaving unencrypted data on mobile phones; taking sensitive data home on work computers; and neglecting security testing.
Urging vigilance, he warned that a company often does not see the value in its systems that others do. Evildoers could disseminate child porn or other illegal content using your servers. “They are not using their computers, they are using someone else’s.”
How to be on the safe side: “take a holistic approach to cyber defence. People, technology, processes. Empower employees to combat cyber threats, restrict use of removable data, reduce impact of social engineering campaigns. Patch software regularly, limit third-party connections and remote access, separation and isolation of systems.” Develop cybersecurity plans, physical security plans for cybersystems, an incident response plan and information-sharing programmes.
He advised companies to undertake audits and reviews, and organise workshops with management and stakeholders. An independent risk manager would avoid conflicts of interest.
Mr Medins reiterated: “Understand your value and cyber-threats. Anyone is a potential victim. No-one is safe, not even the CIA.”
The presentation by Mr Medins (www.idynamic.co.uk) was followed by a separate briefing on another urgent topic – Westminster’s tax-filing reforms.
Matthew Finch, a principal adviser at A4G (Accountants for Growth), which covers the Kent and London area, startlingly entitled his talk The Death of Manual Records.
The firm says that the number and speed of changes to the UK tax system over the last six years have been hard for many businesses to keep up with. The days of manual records, Excel spreadsheets and standalone software look to be coming to an end, says A4G (www.a4gsolutions.co.uk).
Mr Finch outlined a new system announced by former Chancellor George Osborne that would make all records digital and replace the annual return with quarterly filing. A treasury minister had said of the Making Tax Digital programme “This new system will make the UK’s tax administration more efficient and straightforward, and will offer businesses greater clarity when it comes to paying their tax bills.”
The government has committed to abolishing the need for an annual tax return by the end of the current Parliament in 2020.
From 2018, accurate bookkeeping will have to be submitted to the revenue via software every three months. Half of the UK’s 5.4m small businesses are expected to be affected.
Mr Finch said there would be £5,000 fines for failing to keep good, up-to-date records. “HMRC want more information than they have ever had before. They are hitting the smaller guys first, because they are trying to get money in quicker.” They will “want to know a lot more about you and a lot earlier.”
Mr Finch recommended choosing a cloud-based accounting package to deal with the challenges. His firm had enlisted the support of one of the product leaders, Xero, and this had yielded excellent results. Xero was founded in 2006 in New Zealand and has 1m subscribers.