This week, we discuss new reports from KPMG, Beaming and the NCSC, which cover a huge increase in cyber fraud, the massive business cost of phishing, and how to fight the “significant and growing” cyber threat.
Hello and welcome to the IT Governance podcast for Friday, 17 March 2017. Here are this week’s stories.
KPMG has published the latest results from its Fraud Barometer – a biannual examination of fraud trends affecting the UK economy – and the results are more than a little alarming, if not entirely surprising. Cyber-enabled fraud increased by 1,266% on 2015 figures, and included the largest recorded cyber fraud seen in the UK courts since 2008 – a £113 million operation in which professional criminals cold-called victims, pretending to be members of their bank’s fraud department, and persuaded them to reveal security details.
According to KPMG, victims “saw false telephone numbers appear under the caller ID, and were unable to make or receive calls whilst their accounts were being drained. The fraudsters made between £1 million and £2 million a week at the scam’s peak and operated like a nine-to-five business using information from corrupt bank insiders.”
As KPMG’s Hitesh N Patel commented: “public and private organisations openly acknowledge that cyber attacks are one of the most prevalent and high-impact risks they face, and yet many operate on the basis ‘it won’t happen to me’. […] You can have [a] variety of IT protections in place to defend yourself, but it’s all for nothing if you are tricked into giving away the keys to the electronic vault.”
Talking of phishing, newly published research from Beaming found that 2.9 million British companies were hit by some sort of cyber crime in 2016, at a total cost of £29.1 billion, and phishing was the most common type of attack, affecting 1,299,178 businesses at a cumulative cost of £5,923,634,311. Other forms of social engineering accounted for a further £5,350,684,088 of losses.
Phishing is popular because it is cheap to target a large number of people at once, it exploits human fallibility rather than network and system vulnerabilities – and people are arguably much easier to manipulate than technology – and it combines readily with other attacks, such as the vishing calls in the KPMG case above. Better still for the aspiring cyber criminal, many phishing kits and tools can be found online, making life very easy for the unskilled.
A good phishing staff awareness course is therefore a must for all organisations. Once a malicious email gets past your filters – and many of them do – your security is in the hands of your staff. The more they know about the risk, and the more confident they are in questioning and reporting a suspicious request, the better.
Meanwhile, the new National Cyber Security Centre and the National Crime Agency this week warned about the “significant and growing” cyber threat to UK businesses. According to their joint report The Cyber Threat to UK Business, “the UK has been hit by 188 high-level attacks which were serious enough to warrant NCSC involvement” in the three months since the NCSC was created.
The report also points out that “the most commonly exploited vulnerabilities in 2016 were well known and failing to patch legacy systems is leaving many organisations unnecessarily vulnerable. […] This is one example of where the Government’s Cyber Essentials scheme, which lists ‘patch management’ among its five technical controls, can assist in improving an organisation’s cyber security.”
Describing how organisations can “fight back”, the report notes that businesses should “implement basic cyber security […] such as Cyber Essentials and training your people, who can be part of your best defences”. IT Governance is a leading CREST-accredited Cyber Essentials certification body, and has awarded hundreds of Cyber Essentials certifications. For more information, visit our website.
Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.
And don’t forget that IT Governance’s March book of the month is Once more unto the breach – Managing information security in an uncertain world, by Andrea C Simmons. Save 10% if you order by the end of the month.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.