Cybersecurity experts urge companies to ‘share experiences’ to help fight fraudsters. Sussex Business Times investigates…
Following the government’s announcement that it will be investing £1.9 billion in fighting cybercrime, cybersecurity experts are urging companies to share their experiences in order to tackle the ever-evolving, sophisticated methods that fraudsters are adopting to dupe their targets.
Jason Fry is a cybersecurity specialist at PAV i.t. services. He has worked with dozens of corporate and independent businesses across the UK helping them to review and update their cybersecurity policies, procedures and solutions. He said: “I have no doubt that the majority of companies have, at some point, been the victim of a cyber-attack, security breach or scam, but I am not convinced they would be open and honest about it through fear of criticism, but this is the only way companies will learn, benefit and ultimately reduce the likelihood of an attack.”
Cybercrime has remained a taboo subject amongst businesses with many fearing reproach from existing clients or new customers in the event they reveal they have been exposed to security breaches – something that Jason says hinders progress in this area.
Jason continued: “Unfortunately the fraudsters are always one step ahead so developing a ‘cybersecurity business network’ to share knowledge and experiences of techniques and scams would only prove advantageous in addressing the numerous cyber threats facing companies today.”
Robert Schifreen is a former UK-based computer hacker who was arrested in 1985 for breaching computers at British Telecom. He now runs a security awareness training programme called SecuritySmart.co.uk. He said: “Certainly there have been huge advances in the ways attacks are carried out and the methods that are adopted by cybercriminals. These days we see more and more sophisticated methods being put into practice that are scarily ‘real’ to the target, such as a combination of social engineering and ‘vishing’ (fraudulent phone calls that appear to come from trusted sources). Lack of awareness, not just amongst business owners but their employees as well, is a huge part of the problem.”
In 2013 the Home Office launched Cyber Aware – a campaign to help drive behaviour change amongst businesses and individuals and encourage them to adopt simple secure online behaviours such as using strong ‘phrase based’ passwords and downloading the latest software updates.
Jason added: “Getting the basics right is absolutely fundamental to improving online security across the board and I wholeheartedly support the campaign and the government’s investment; however, not enough information is getting through to companies and more needs to be done to drive greater awareness of the tactics being used. A secure and authenticated forum where business leaders could chat anonymously would be one example of how companies could share knowledge without fully exposing themselves. Until companies are willing to discuss cybercrime openly, the fraudsters will continue to have the upper hand.”
Three Mobile has admitted that the private information of six million of its customers is at risk after a hacker obtained its customer upgrade database using an employee login.
Mark O’Halloran, Partner at leading law firm Coffin Mew, commented:
“People will always be the weak link in cyber security and there are many ways the hacker could have obtained the employee’s login details. The most common is spear-phishing, where the hacker sends an email which appears to come from the IT department asking the employee to log in again. We’ve probably all received those emails, apparently from our bank, asking us to check our account – it’s the same principle and it’s so easy, when you’re busy at work, to fall for it.
“Attacks are definitely increasing but not just because hackers are getting more sophisticated. The really clever hackers use automated, intelligent software (so-called ‘bots’) to trawl the internet. These bots glean information from public sources, including social networks and a company’s own website, to generate spear-phishing emails. However, hackers don’t need to be brilliant programmers themselves. There are many software tools, freely available, to allow someone with only modest coding skills to create a piece of malware, launch a denial of service attack and, indeed, to create spear-phishing bots.
“Therefore, companies need to train their employees on cyber awareness and keep them updated, and consumers need to be wary of any email or website asking them to provide personal or financial details.”
Commenting on the news that mobile network Three is the latest victim of a cyber attack, Joe Hancock, Cyber Security Lead at Mishcon de Reya, said: “Almost certainly, the reason we know about this breach is because Three had a regulatory obligation to tell its customers. Without this, this news may not have seen the light of day. Given that the new GDPR will drive more notifications like this, how a company manages the communication around such incidents is becoming more critical. In this instance, it seems that customer information was ‘accessed’, rather than ‘lost’ in bulk, so – whilst in reality it’s possible some data didn’t go anywhere – Three may struggle to prove it.
“As a result, there will likely be the reputational fallout similar to what we would expect from a large-scale data theft. Already, the language used around Three mirrors that used around TalkTalk’s breach. It is therefore perhaps better not to go on the record until the business has a clear understanding of how much data and which customers are affected by the breach. Now every Three customer is concerned. It appears that the people behind the breach have been caught, greatly increasing the possibility of preventing use of the data and making financial recoveries from the cyber criminals. Acting quickly is essential to prevent further fraud and to secure the evidence available if there is to be any chance of recovery.”