How to protect yourself from the biggest global threat to businesses: Cybercrime
With the cyber insurance market set to surge this year, and UK businesses losing over £6.2 million to cyber scams in 2020, cyber security should be at the forefront of every business owner’s mind. But why is cyber such a threat, and how can you protect your business?
We’ve caught up with Vijay Rathour, Head of the Digital Forensics Group at Grant Thornton, to find out how cybercrime has become the biggest global risk to businesses, what security options are available and why the best thing you can do is be prepared.
To start with, what is your role and how did you get into cyber security?
I’m the Head of the Digital Forensics Group at Grant Thornton. I head up a team that conducts high-level digital investigations for clients on both sides of regulatory investigations like the Financial Conduct Authority (FCA), the Serious Fraud Office, the UK courts and the Information Commissioner’s Office (ICO). We go out to places where there’s been a cyber-attack, cyber security incident or data breach, gather digital evidence and analyse it to get to the bottom of what’s happened. It’s a 24/7 operation, so if we get notice that there’s been an incident we can mobilise anywhere in the UK to jump on the back of the attack.
How I ended up here is a little round about! I started my career 20 years ago as a lawyer and followed my interest in litigation for banks and financial regulators and started working for the FCA. I was planning to work inside the bank as a traditional lawyer. But, in my spare time, I was a hacker. Mostly ethical, hacking into mobile phones and computer systems out of curiosity of what was possible. I soon realised that a job as a traditional lawyer was a bit too plain Jane for me. I wanted to combine my interests in computers and law, so 10 years ago I joined a small cyber boutique team. I was there for six years, and then was asked to come to Grant Thornton.
So my work is effectively at the interface of law and regulatory response as a result of cyber security attacks. We keep you safe, investigate what’s happened so we can mitigate the risk, stop attacks from happening and keep you out of the news.
Why is cyber such a threat to businesses?
Cyber Crime is classified as the top risk to businesses according to the Allianz risk barometer, which ranks all the risk data in the world. In the past, the biggest risks have been things like fire, theft and terrorism but cyber has been moving up. For the last two years, it has been a clear number one on the list. When you put that in the context of things like the environmental damage caused by the wildfires in Australia last year, you’re looking at trillions of dollars of damage. Yet cyber is still seen as a clearer and more present threat than that.
Cyber criminals are usually financially motivated and will target things you might not consider to be valuable. This happened to a computer game called Cyberpunk 2077. It had a high-profile launch in December but the publisher was hacked in January and the source code was stolen. The publisher refused to engage with the criminals so the attackers threatened and then carried out an auction of the intellectual property on the dark web. They sold that source code for what’s believed to be around $7 million. The attack took a few hours, and the bad guys made a huge profit from it.
It’s not just those huge attacks that you need to be aware of. Ransomware attacks – where a criminal breaks in, does some damage and demands money to fix it – are becoming more common. If you’re prepared, your cyber security will probably catch the attack, stop it and you’ll bounce back from it with no further questions to ask. But a lot of businesses aren’t prepared and fall victim to ransomware, suffer some kind of financial and business continuity impact, then have to consider paying the ransom.
The advice used to be to never engage with the attackers, but the volume of attacks has risen so much during the pandemic that insurers are more likely to pay out on claims. They’ve recognised that, frankly, it’s often more pragmatic to just pay the money and move on. Unfortunately that just nurtures further bad behaviours as criminals realise there is profit to be made here. Sadly there is a huge segment of the market that is just not able to bounce back from the impact of an attack and so are becoming victims of the crime.
An even more sinister development is “double dipping”. Victims are paying to get their data back from the first attack, but by failing to rapidly engage with teams like mine to investigate and fix the problem, the attackers are coming back literally with days and repeating the whole attack again, for twice the ransom!
Have any new cyber risks been created by the pandemic?
TTPs (Tactics, Techniques and Procedures) are constantly evolving, and, when you look at the statistics, the sheer number of attacks keeps rising. Social engineering attacks are becoming much more prevalent because we’re working in weird places, often using our personal devices. When we’re not in the office environment, there’s not the same organisational visibility over what staff are doing and cyber security measures typically aren’t as strong. Stretched technology budgets and home working have made it much easier to break in.
For example, how many times have you had an email with a link to a Teams call with someone you’ve never met before over the past year? And you click on the link, put in your password, because you always put in your password with a new invite, and end up on the call as expected. But, there’s an attacker sitting in the middle, unknown to you or me, and now they’ve got your password. Essentially they’ve got the keys to your kingdom. Attacks don’t have to be complicated to do a lot of damage.
If any business owners are reading this and worried that they don’t have cyber security measures in place, what can they do right now to increase their protection?
Some of the most impactful things you can do to improve your cyber security are free. Multi-factor authentication – when you log into your email with your password but also get a code sent to your phone – is a quick and easy way to add a layer of security. Regular backups of your systems are useful but think about where you store those backups? Don’t stick them on an old computer in the corner as they’ll be vulnerable to a ransom if it happens – store them on a hard drive offsite and disconnected from the system to keep them safe. Examine your culture and training, make sure everyone is aware of the risks, and keep reminding them how to be safe online and, the fourth thing to do is test and consider changing your passwords.
You can take it a step further and hire a consultant or service like my team who will come in and conduct a cyber health assessment – these aren’t costly but are extremely useful. You can also pay for something called a penetration test, which will highlight all the weaknesses in the system. And of course, get a cyber insurance policy in place. It will be there as the safety net to help you recover from an attack.
What’s the one thing that you wish businesses knew to be aware of when it comes to cyber?
It sounds a bit doom and gloom but if the bad guys want to get in, they will get in. So make sure you’re prepared for it. Don’t live with a victim mentality, harden yourself to the fact that a cyber-attack could happen and make a plan for business continuity from a cyber perspective. Get those protections in place – at a minimum think about the crisis and how you would respond: it costs nothing and could save your business.