I’ll be going to see my parents this weekend. They are in their 60s and 70s and not exactly the most tech-savvy people in the world. After the tea and biscuits and gentle admonishments (usually about wrapping up in winter and wearing sunscreen in the summer) it will be my turn to administer the advice and voice my concerns for their wellbeing (and point them in the direction of this super-useful guidance from the NCSC: https://www.ncsc.gov.uk/guidance/data-breaches).
My worry? The constant stream of phishing (email), smishing (SMS), and now vishing (fraudulent phone calls) we are all now subject to on a daily basis.
Perhaps it’s just working in Cyber Security and being hyper-aware of the threat levels out there? But I don’t think it is just me and my industry that is worried… The National Crime Agency in the UK reports that Cybercrime is one of the fastest growing crimes in the country, and the US already considers it a very significant threat. Estimates are that Cybercrime is going to cost the global economy around $6 Trillion by the end of 2021. That’s an insane amount of money, and the reason it’s so much? The criminals behind this aren’t just going after us as individuals, our parents or even high net-worth targets. They are going after businesses.
Unless you have been living in a vacuum recently, you cannot fail to have heard about the recent Cyber Attacks on businesses and organisations in the UK and US (https://portswigger.net/daily-swig/cyber-attacks). The scary thing is, these are just the big fish; the ones we get to hear about. Behind every single one of these headline-grabbing security breaches are literally thousands upon thousands of other businesses that have experienced an attack.
An area of particular growth is the Ransomware attack. For those that aren’t sure what this is, it’s where a criminal organisation tricks an employee or a supplier with access to company networks into downloading malicious software (Malware). This malware then encrypts your company data into an unreadable format that you cannot recover without the criminals’ decryption key, and/or copies the data and extracts it from your network. They then demand a ransom: pay up, or they will publish the data on the internet and/or refuse to give you the decryption key you need to access it.
In its 2021 State of Email Security Report, Mimecast found that 61% of organizations experienced a ransomware attack that led to at least a partial disruption of business operations. The previous year, 51% of organizations reported experiencing these types of malware attacks, so the number has risen substantially. The average remediation cost of a successful ransomware attack to UK enterprises is $840,000, and one small business in the UK is hacked every 19 seconds according to Hiscox Insurance.
The jaw-dropping fact behind these figures, is that the people behind these attacks aren’t shady young men or women operating from their parents’ basement. Over 80% of hackers now work for an Organized Crime Group, and most are professionally skilled individuals in their 30’s and 40’s.
The Cybercrime organisations they work for are highly organised and are structured much like legitimate businesses. They have CEOs, a Head of Operations, a Head of Sales & Marketing and Customer Services teams. They have Quality Control departments checking the effectiveness of their ransomware and fund Research and Development teams who are constantly looking for new ways to penetrate cyber security defences. I recently saw a copy of a Terms of Business for a Ransomware provider. It was virtually identical to the client contracts I have worked on in the past. It had service level agreements, codes of conduct, a helpline number to call for advice and even an upselling area at the bottom with a link to information about additional services like “You’ve stolen from your enemy, now destroy them completely with our criminally award-winning ‘I Will Destroy You’ package”. (Okay, that last bit wasn’t verbatim, but it was along the same lines!)
Many of my contacts are from the Hotel & Travel Industry, Recruitment Firms, Law Firms and Accountancy Practices, and most are small to medium sized businesses that don’t have in-house Cyber Security or even IT teams. The one thing they have in common is the vast amount of valuable data they own: data these Cyber criminals would love to steal or encrypt and then make you pay for.
It really is enough to keep you up at night but there ARE ways to mitigate these threats and we AREN’T fighting a losing battle. Arculus can help. We work closely with our customers of all sizes to understand their unique challenges and offer pragmatic advice and guidance on how to protect your business.
Our approach will identify the most suitable, cost-effective frameworks and standards for you, including Cyber Essentials, Cyber Essentials Plus (CE+), ISO 27001 and SOC2. From good practice such as implementing anti-malware, ensuring up-to-date patches are applied and vulnerabilities are managed, through to risk management and comprehensive information security policies and procedures supported by a programme of penetration testing, Arculus can help to make you less vulnerable and more ready to deal with a cyber-attack.