My House is Burning – What do I Save First?
We all know the story. Clearing the inbox, the ‘phone’s ringing, other distractions abound and an email from an ostensibly known and/or trusted source is next on the list. Short, anodyne message directing you to open the attachment and, because for a split second you’re not thinking, you do. It turns out that the attachment contains a phishing virus. If it’s your personal account, your whole mailing list hates you. If it’s business, you’re potentially in big, very expensive trouble and the likely damage to your reputation – one of the cornerstones of a successful business – could be huge.
As with the cost of living, the price of cybercrime has also grown – exponentially – to the point where the global cost of this form of crime is predicted to reach TWO TRILLION DOLLARS by 2019, according to the Global Cyber Alliance. That is a three-fold increase since 2015 and it’s predicted to get much worse if we don’t quickly get to grips with it.
Speaking at PIMFA’s Financial Crime Conference, Robin Jones, Head of FCA Technology – Resilience and Cyber Specialist Supervision, gave some illuminating background. He told the sold-out auditorium that, over the last three years, there have been around 600 ‘significant’ cyberattacks in the UK alone and that, over the last 3 months, they have been happening at a rate of around 10 per week. As an example, the NotPetya attack in June of last year took 19 minutes to infect 10,000 connected systems globally, prompting an analogy to a domestic fire – “If you had 19 minutes, which items would you save first?” Whilst the original target of this attack was apparently the Ukrainian business community, the malware spread to major global businesses, one of which was FedEx. Three months later, they attributed a $300 million loss to this attack and admitted that their subsidiary, TNT Express, had had to suspend business.
Paul Hoare – Senior Manager, Protect and Prevent for the National Crime Agency – also shared a few interesting facts: cybercrime is now regarded as a Level 1 threat by UK Government, as one eighth of the UK’s GDP is now reliant on the web and over 47% of reported crime now has a cyber element. He added that 92% of cybercrime is enabled through phishing and that 68% of large businesses reported attempted attacks.
As with most problems in life, prevention is better than cure. Whilst there is no “one size fits all” solution, improving our resilience by learning the lessons from recent attacks is critical, along with education, information sharing and training for both staff and Board members alike. He highlighted this by saying that C-Suite members are usually the primary targets of a criminal’s ‘phishing tests’, which can leave firms open to the larger threat of network intrusion.
Paul ended his address with a warning that severe cyberattacks can result in firms going out of business and that the incoming GDPR rules in May will further focus minds in this regard.
Terry Wilson, from the Global Cyber Alliance, made clear that, in his view, a major cyberattack on the UK is a case of ‘when’, not ‘if’ and that many firms are woefully unprepared across all business sectors.
On the plus side, Terry highlighted the importance of the ‘4 Ps’ – Pursue, Prevent, Protect and Prepare – and the fact that there are a myriad of free tools available for firms’ use, derived from collective international efforts and combined agency work, to confront, address and prevent malicious cyber activity. One such example is ‘DMARC’, a quarantine software which has already been mandated for use by the UK Government across all departments, with the US Government shortly following suit. Digital fire extinguisher, anyone?
So, at least in this digitally-oriented environment, it’s evident that we’re under fire from some pretty sophisticated enemies but there are weapons available with which to defend ourselves. If we take a breath, organise, educate and train ourselves using the tools and expertise at hand, we can go a long way towards protecting ourselves and our clients.
After all, nobody wants to end up asking that dreadful question – “What do I save first?”.