Developing the culture to tackle cyber crime


In business there tend to be very few things that can genuinely scare you but as I listened to the Association’s guest speaker at our recent All-Members’ Meeting, I have to admit I was left rather jittery and somewhat unnerved. For those of you unable to attend, the man at the centre of this was Richard Bach (pictured above), Assistant Director, Cyber Security – Digital Economy Unit, at the Department of Culture, Media & Sport.

Richard gave an illuminating talk about the ongoing threats to our cyber-security that all businesses face and also highlighted how we might boost our cyber resilience in order to stave off such threats. When you sit down at a session and hear that “cyber attacks happen every second of every day” you might immediately think, “but not to me”; however, the fact of the matter is that, particularly in a sector which handles considerable sums of money like conveyancing, the threat to firms is real and genuine and needs to be taken seriously.

A point Richard made very early on was around the approach to tackling cyber crime by businesses. He said that this is not just an IT department problem but instead it needs to be approached by the entire business; indeed, there needs to be a culture within each firm, from the top-down, which prioritises a firm’s approach to cyber crime and does everything necessary at all levels in order to tackle it.

This is probably an illuminating point to many in our business who might well think that the IT department leads such activity and effectively runs the show. Not the case. Richard cited the recent cyber attack on the Sony Corporation which was huge in scale and effectively cost that business a huge amount in both actual harm and reputational harm. Take, for instance, the data that was stolen, which was estimated to be around the 100 terabytes mark. Secondly, and this was something I wasn’t aware of, not only did the hackers steal that data and disseminate it out to the world – including films which had not yet been released – but on a great many of the machines used the Master Boot Record was deleted, thereby rendering much of the hardware useless.

Just considering this one case, and the potential that it could happen to your firm, should perhaps give you pause for thought that this is not just an issue to be tackled by the technology department, but everyone in all parts of the business. Apparently, in the case of Sony, that sort of leadership on cyber security was missing at the highest levels and the defences in place were (quite clearly) nowhere near enough to provide the protection they needed.

While we might think we are a rather smaller fish than Sony, the threat is still very real. As Richard again pointed out, if our industry feels threatened, then it has good cause to. Essentially, we do need to be worried, frightened and paranoid – the fraudsters and cyber-criminals are out there and they are seeking to do us harm.

So, how do we put that protection in place? Well, this is all about managing risks – as Richard pointed out, it’s going through our various systems and reducing the ‘attack surface’ by which a cyber criminal can wreak their havoc. The protagonists may very well only be 15-year-olds, sat in their bedrooms, working out of what I like to call ‘Fraudistan’, but if you have a susceptible system which can be successfully targeted, then the threat is real, and the damage that can be caused can be great. Just ask TalkTalk.

The good news is that your Association is working hard in this area to provide members with support, guidance and practical help on what you can put in place to mitigate the risk. We are not too far away from launching our Cyber Security Protocol for members to give them a best practice guide to share with staff and reduce the threat of attacks and intercepted emails on their business and client money. We’re also looking to create a cyber-risk insurance policy as firms’ existing policies often do not cover for the loss of their own money or the cost of recovery from an attack.

This Protocol is but weeks away; however, the need for vigilance is constant. The cyber-fraudsters will not stop, so neither should you in the pursuit of protection. And on that note, as Nick Ross used to say on Crimewatch, “Don’t have nightmares, do sleep well.”
