Spring 2017 | CyberCrime

You have something they want

All businesses – large and small – are now likely targets for cyber-crooks, so get a grip on your security

The most common attempted ‘conversation-closer’ a cyber security evangelist will hear is: ‘But I have nothing they want.’ This might have been a reasonable statement once, when the principal constraint for criminals was the availability of strong technical skills. Companies could be caught out, of course, but the perpetrator was often a hacker in training, honing their skills on a softer target. Often they would just enter and leave, happy to have ‘bagged another’ victim.

However, things have moved on now, with sophisticated tools available for download, often for free. All organisations should re-evaluate their stance on cyber security, knowing that – over a long weekend – an average individual can get started on a new career in cybercrime. A whole support ecosystem has sprung up, with professional levels of customer service. As the process has deskilled, many more give it a shot, and so the number of targets needed to keep them busy increases. There are only so many ‘big fish’, so smaller companies become the bread and butter of the newly minted cyber criminals.

So, what do you have that they might want? The obvious answer is money – they can extort, con and redirect payments. In some cases ransomware demands have fallen from tens of thousands to a few hundred pounds. Demands are being set at a level that a company can afford to pay, and are often cheaper than other recovery costs. It’s becoming a high volume, small margin game. An organisation that keeps afloat is then ripe for plundering again – not that sustainability is an overriding ethic in this murky world.

Your employee data can also be a target, and charities have donor lists.
If your organisation is a school, or if you care for elderly or vulnerable people, be aware that you hold a database of identities – both of those in your care and of those responsible for them. The identities of individuals can be resold multiple times, exposing them to scams and attacks. Identity data is valuable.

It’s not always money they want. Your computers and connected devices are useful for a denial-of-service attack on someone else. If you exchange documents or data with another organisation, you can be used to deliver malware. For the more espionage-minded, it might be your secret sauce recipe, or your customer lists and price list. Your social media can be used for phishing, or for reputational damage – either of your organisation, or others.

By the way, if you lose data and cannot demonstrate duty of care, you can be subject to very large fines.

However small your business is, you need to take responsibility. But don’t be wowed by expensive gizmos and fast-talking advisers. Get a little education and you can probably do most, or all, of it yourself. Don’t – initially – be overly concerned with certifications; what counts is action. Check out Cyber Essentials, make sure you understand what the government recommends as the minimum level of cyber security, and just do it! Visit the National Cyber Skills Centre teaching practical self-defence, and keep an eye on its blog.

Protect your business

• The internet can be a hostile environment. The threat of attack is ever present as new vulnerabilities are released and commodity tools are produced to exploit them
• Doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims

More information and free advice can be found at:

• West Midlands Police
• Get Safe Online
• Cyber Essentials
• Introduction to Cyber Security

Credit: Dr Stephen Wright, Cyber Skills Centre

The devil really is in the details

At the recent Federation of Small Businesses’ ‘Steps to Business Success’ conference, Det Con Dan Chappelow, from the cybercrime unit of West Midlands Police, gave a very powerful presentation on avoiding becoming a victim of cybercrime, which really focused audience attention.

He started by explaining exactly what cybercrime is and the most common types of everyday dangers faced, both personally and in our businesses. Outlining some fairly scary statistics on the number of reported cybercrime incidences, he listed the top three known threats: clicking on links you shouldn’t; malware; and denial of service messages – automated messages you see on your screen stating that a problem has been detected and asking you to ‘click here’ to fix.

DC Chappelow demonstrated just how easy it is for our information to be hacked when shopping online by showing a YouTube video, The Devil’s in Your Details, which perfectly encapsulates what many of us have done – entering our details in response to a ‘flash ad’.

He then went on to outline an ‘insider threat’ – a current or former employee, contractor or other business partner, who has/had authorised access to an organisation’s data and/or systems. This may include those with a knowledge or understanding of internal processes, exploiting their trusted positions to access restricted information for criminal purposes.
Measures to reduce your exposure include:

• installing firewalls, an internet gateway, malware protection, patch management – allowing regular updates to be installed from a known source to ensure your system remains robust
• implementing ‘whitelist’ and execution control, preventing auto-run or self-install software
• implementing secure configuration, restricting functionality of devices to the minimum needed
• ensuring a password policy is in place and followed
• instigating an IT policy and ensuring all staff are trained on adhering to it

For further information, please contact your local Trading Standards Service