Blackburn BID Manager Catherine Price attended the recent Cyber Crime conference. Here are her key takeaways from the day to help protect BID members from falling victim to cybercrime.
Why is cybercrime a concern?
- Fraud and cybercrime account for almost half of all crime in the UK.
- Cybercrime costs UK businesses £27bn a year
- 39% of UK businesses experience some kind of cyber attack
- SMEs are more at risk of cybercrime because larger companies invest large amounts in cyber security and staff training. Cybercriminals don't consider the type or size of business, just whether you have a vulnerability in your systems that can be exploited.
- The most common types of fraud in Lancashire are:
  - CEO fraud – criminals impersonate the boss / senior manager of a business to get staff to make an urgent payment outside of the company's normal financial procedures.
  - Payment Diversion Fraud – an email claiming to be from a contractor or supplier requests that payment be made to a different bank account.
- Anyone who falls victim to fraud, or unwittingly facilitates fraud against their company (e.g. by clicking on a link in a fraudulent (phishing) email, or by making a payment in one of the circumstances above), will be personally affected. Staff can suffer emotional, psychological and physical impacts from being involved in such an incident.
What types of Cybercrime threats are there?
- Ransomware. The majority of attacks start with a phishing email – that is, an email which appears to be genuine and asks the recipient to click on a link. Accessing the link allows the criminals to get access to the system, whereupon they carry out disruption such as blocking access to company files. The company then receives a ransom demand, which can be for tens of thousands of pounds, to release the files.
- Script Kiddies. People who use YouTube and other online videos to learn how to get access to a company's system and cause damage.
- Insider threat. A disgruntled member of staff, or someone who has been sacked but still has access to the business' IT system, accesses it to cause damage to the company and/or its employees. An example is a sacked member of Morrisons supermarket staff who accessed the system to get all employees' bank details, which they then posted on the dark web.
- OCGs (Organised Crime Gangs). Hackers are employed or coerced to attack business networks and demand ransoms. The ransom demands won't necessarily be huge, because the gangs attack lots of companies at one time.
- Advanced Persistent Threat. State-sponsored 'actors' try to take down the IT systems of large, influential companies that hold opposing views, or to send a message to the government of that country.
- Compromise of senior management social media accounts
- Publicly accessible IP addresses – businesses should use a VPN. A VPN is an intermediary server that encrypts your connection to the internet, and it also hides your IP address.
- Using old or end of life software.
What can I do?
- Prevention is better than cure. These are ways you can help to protect your business from a cybercrime attack:
  - Staff training:
    - Take up free cybercrime training from relevant organisations (see below).
    - Train staff to:
      - STOP – Take a moment to stop and think if you receive an email requesting you to click on a link, change bank details, or process an urgent payment.
      - CHALLENGE – Challenge the request. Could it be fake? Verify the request and look for signs it might not be genuine.
      - PROTECT – If you believe you have been the victim of fraud, contact your bank immediately. Then report it to Action Fraud.
  - Install anti-malware and security software and ensure it's kept up to date.
  - Have a firewall in place.
  - Change the default password on your router – some default passwords are published on the internet.
  - Protect your IP address by using a VPN.
  - Have a Cyber Incident Response Plan and a Disaster Recovery Plan.
    - Guidance available here: https://www.ncsc.gov.uk/collection/small-business-guidance–response-and-recovery
  - Test your cybercrime policies and procedures.
  - Ensure no one in the organisation uses an obvious password, and consider changing passwords regularly – lists of the most commonly used passwords are available on the internet, and 23.2m people still use 123456!
What do I do in the event of a cybercrime attack?
- If you experience a live incident, call Action Fraud (www.actionfraud.police.uk/) immediately on 0300 123 2040 and press 9 on your keypad. This will allow your call to be dealt with as a priority, and your live incident will be triaged over the phone. Your incident will then be passed to the National Fraud Intelligence Bureau (NFIB), who will review your report and conduct a range of enquiries; it may then be passed to the relevant police agency. You will be kept informed of the status of your report.
- The advice is not to pay a ransom in the event of a ransomware attack; however, it is a matter for each individual business as to whether they do. It is also a matter for the victim business as to whether they negotiate with the attacker, and the police cybercrime unit can support you with that if you choose to do so – sometimes it can help with trying to trace the criminals.
- The criminals will tell you not to contact the police as they will know if you do. They’ll also tell you that the police will confiscate equipment and disrupt your business. This is not the case on either count.
What training and support is available?
- The National Cyber Security Centre offers free training https://www.ncsc.gov.uk/section/information-for/small-medium-sized-organisations#section_3 including:
- Exercise in a Box – An online tool which helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment. https://www.ncsc.gov.uk/information/exercise-in-a-box
- Online training for small organisations and charities – guides you through all the actions you need to take to reduce the likelihood of you becoming a victim of the most common cyber attacks. https://www.ncsc.gov.uk/blog-post/training-for-small-organisations-and-charities-now-available
- E-learning training package: 'Staying Safe Online: Top Tips for Staff' – The NCSC's e-learning package 'Top Tips For Staff' can be completed online, or built into your own training platform. https://www.ncsc.gov.uk/training/top-tips-for-staff-scorm-v3/scormcontent/index.html
- The Lancashire Cyber Foundry is a series of multi-million pound secure digitalisation projects in partnership with Lancaster University that will help SMEs across Lancashire to Defend, Innovate and Grow their businesses. They can help to teach you how to defend your business from cyber-attacks and be compliant with regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), making it safer for you, your supply chain, and your customers to do business together. They can also offer student support, including a Studentship within your business to provide you with support for cyber security in your organisation.
- The North West Regional Organised Crime Unit (NWROCU) has a dedicated cybercrime team who work proactively and reactively on significant cybercrime investigations. The Little Book of Cyber Scams – a comprehensive booklet giving you information on how criminals target you online and how to protect yourself and your business – can be found here: https://www.nwrocu.police.uk/protecting-you/cybercrime
- The Cyber Resilience Centre (CRC) for Greater Manchester supports and helps protect small businesses in the North West of England against cybercrime. Working with local universities and the police gives the CRC access to the latest information on emerging cyber threats, criminal trends and best practice, so it can provide businesses with trusted guidance to help protect against the latest cyber crime threats. The CRC provides free and affordable testing and training services and signposts to government-approved Cyber Essentials and Cyber Essentials Plus certifiers based in the North West region, who are recognised by the police as Trusted Partners. You can register here https://www.nwcrc.co.uk/all-services for free membership and receive:
  - Free Cyber Security Guide for Small Businesses
  - Free Cyber Incident Response Pack
  - Free Police Cyber Scams Information Booklet
  - Free NWCRC newsletter tailored to North West businesses
  - Free National Cyber Security Centre (NCSC) materials
  - Free cyber security guidance materials
  - Free member-only communications and events
  - Free police updates on cybercrime trends in the North West