With the cyber insurance market set to surge this year, and UK businesses losing over £6.2 million to cyber scams in 2020, cyber security should be at the forefront of every business owner’s mind. But why is cyber such a threat, and how can you protect your business?
We’ve caught up with Vijay Rathour, Head of the Digital Forensics Group at Grant Thornton, to find out how cybercrime has become the biggest global risk to businesses, what security options are available and why the best thing you can do is be prepared.
To start with, what is your role and how did you get into cyber security?
I’m the Head of the Digital Forensics Group at Grant Thornton. I head up a team that conducts high-level digital investigations for clients on both sides of regulatory investigations like the Financial Conduct Authority (FCA), the Serious Fraud Office, the UK courts and the Information Commissioner’s Office (ICO). We go out to places where there’s been a cyber-attack, cyber security incident or data breach, gather digital evidence and analyse it to get to the bottom of what’s happened. It’s a 24/7 operation, so if we get notice that there’s been an incident we can mobilise anywhere in the UK to jump on the back of the attack.
How I ended up here is a little roundabout! I started my career 20 years ago as a lawyer and followed my interest in litigation for banks and financial regulators and started working for the FCA. I was planning to work inside the bank as a traditional lawyer. But, in my spare time, I was a hacker. Mostly ethical, hacking into mobile phones and computer systems out of curiosity about what was possible. I soon realised that a job as a traditional lawyer was a bit too conventional for me. What I really wanted was to combine my interests in computers and law, so 10 years ago I joined a small cyber boutique team. I was there for six years, and then was asked to come to Grant Thornton.
So my work is effectively at the interface of law and regulatory response as a result of cyber security attacks. We keep you safe, investigate what’s happened so we can mitigate the risk, stop attacks from happening and keep you out of the news.
Why is cyber such a threat to businesses?
Cyber crime is classified as the top risk to businesses according to the Allianz risk barometer, which ranks all the risk data in the world. In the past, the biggest risks have been things like fire, theft and terrorism but cyber has been moving up. For the last two years, it has been a clear number one on the list. When you put that in the context of things like the environmental damage caused by the wildfires in Australia last year, you’re looking at trillions of dollars of damage. Yet cyber is still seen as a clearer and more present threat than that.
Cyber criminals are usually financially motivated and will target things you might not consider to be valuable. This happened to a computer game called Cyberpunk 2077. It had a high-profile launch in December but the publisher was hacked in January and the source code was stolen. The publisher refused to engage with the criminals so the attackers threatened and then carried out an auction of the intellectual property on the dark web. They sold that source code for what’s believed to be around $7 million. The attack took a few hours, and the bad guys made a huge profit from it.
It’s not just those huge attacks that you need to be aware of. Ransomware attacks – where a criminal breaks in, does some damage and demands money to fix it – are becoming more common. If you’re prepared, your cyber security will probably catch the attack, stop it and you’ll bounce back from it with no further questions to ask. But a lot of businesses aren’t prepared and fall victim to ransomware, suffer some kind of financial and business continuity impact, then have to consider paying the ransom.
The advice used to be to never engage with the attackers, but the volume of attacks has risen so much during the pandemic that insurers are more likely to pay out on claims. They’ve recognised that, frankly, it’s often more pragmatic to just pay the money and move on. Unfortunately that just nurtures further bad behaviours as criminals realise there is profit to be made here. Sadly there is a huge segment of the market that is just not able to bounce back from the impact of an attack and so are becoming victims of the crime.
An even more sinister development is “double dipping”. Victims are paying to get their data back from the first attack, but by failing to rapidly engage with teams like mine to investigate and fix the problem, the attackers are coming back, literally within days, and repeating the whole attack again, for twice the ransom!
Have any new cyber risks been created by the pandemic?
TTPs (Tactics, Techniques and Procedures) are constantly evolving, and, when you look at the statistics, the sheer number of attacks keeps rising. Social engineering attacks are becoming much more prevalent because we’re working in weird places, often using our personal devices. When we’re not in the office environment, there’s not the same organisational visibility over what staff are doing and cyber security measures typically aren’t as strong. Stretched technology budgets and home working have made it much easier to break in.
For example, how many times have you had an email with a link to a Teams call with someone you’ve never met before over the past year? And you click on the link, put in your password, because you always put in your password with a new invite, and end up on the call as expected. But, there’s an attacker sitting in the middle, unknown to you or me, and now they’ve got your password. Essentially they’ve got the keys to your kingdom. Attacks don’t have to be complicated to do a lot of damage.
What security is available to mitigate these risks?
If you have nothing, then you’re really effectively painting a big red target sign on your back. You should prioritise cyber security using technical measures and social ones too. On the social point, train your staff; make sure they know how to spot a suspicious email, what cyber-attacks look like, what the best habits are: for example, one good password in place for a while is often better than regularly changing to repeated or bad passwords. After that, get those technical protections in place. We can train everyone, but at the same time, you need those layers of defence in place.
At a minimum you should have virus killer software. Those are free; Microsoft makes one, so get one and keep that, and all your systems, up to date. There’s a statistic that one of the most common operating systems is Windows XP, which has been retired for many years, so it has back doors that will allow cyber criminals to break in. If you were found to be using a retired system like that on your computers and somebody broke into your system, you’ve got no defence or insurance claim because that technology is out of date.
Then you’ve got slightly more complicated things like firewalls. Again, these are often free. After firewalls you get into more advanced technologies. There are many acronyms like IDS (intrusion detection systems) and SOAR (Security Orchestration, Automation and Response) systems, which are like radars that work by isolating a computer if it’s doing something unusual. For instance, if a computer starts encrypting all its files, chances are it’s ransomware, so the radar system can help you isolate that one machine and switch it off so the virus can’t spread. You want to try to reduce the amount of time it takes you to respond to some kind of cyber incident, because the longer you allow it to spread, effectively, the further the damage. Or, inversely, the quicker you can contain it, the quicker you can fix it and the less likely there is to be damage.
Depending on the size of your business, regulators would expect you to invest in better, more advanced technologies. But even with a relatively modest amount of spend, you can dramatically reduce your risk profile and make sure you’re not the easy target.
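The “radar” behaviour described above, a host that suddenly starts writing encrypted-looking data to many files and gets isolated, can be sketched as a small detector. This is an added illustration, not code from the interview or from Grant Thornton; the host names, file paths, thresholds and the sample events are all constructed.

```python
import math
import random
from collections import defaultdict, deque

HIGH_ENTROPY = 7.0      # bits per byte; ordinary documents sit far below this
WINDOW_SECONDS = 60     # look-back window when counting suspicious writes
FILE_THRESHOLD = 20     # distinct high-entropy files in one window triggers isolation

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed output scores close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def hosts_to_isolate(events):
    """Return the set of hosts whose write pattern looks like bulk encryption.
    events: iterable of (timestamp_s, host, path, content) in time order."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, path) for high-entropy writes
    flagged = set()
    for ts, host, path, content in events:
        if shannon_entropy(content) < HIGH_ENTROPY:
            continue                      # plain text or binaries with structure: ignore
        window = recent[host]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()              # drop writes older than the window
        if len({p for _, p in window}) >= FILE_THRESHOLD:
            flagged.add(host)             # many distinct files encrypted quickly: isolate
    return flagged

def constructed_events():
    """Constructed sample (hypothetical hosts): FINANCE-01 saves ordinary documents;
    FACTORY-07 overwrites 40 files with random bytes in under half a minute."""
    rng = random.Random(42)
    events = []
    for i in range(40):
        events.append((i * 5, "FINANCE-01", f"docs/report{i}.txt",
                       b"Quarterly figures, see attached table. " * 20))
    for i in range(40):
        events.append((100 + i * 0.7, "FACTORY-07", f"cnc/program{i}.nc", rng.randbytes(1024)))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(hosts_to_isolate(constructed_events()))   # {'FACTORY-07'}
```

A real endpoint tool would feed this from file-system telemetry and trigger network isolation of the flagged host, which is the containment step the answer above describes.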
There have been a lot of high profile cyber-attacks – Marriott, BA and Manchester United to name just a few – which might lead smaller companies to think they’re not so much at risk. What is your advice to them?
A large company like Marriott or Man United might be able to weather the storm and bounce back from an attack. But, if you’re a small company, how would it affect you?
I have a client that is a metal manufacturing business. There are around 150 staff, mostly working in the factory making metal. Their job is not to think about cyber security, but if they were to get a common ransomware attack, it is likely to bring down 100% of their systems, causing a complete failure in their machinery and ultimately stopping them being able to do business. They won’t just be unable to manufacture metal; they’ll be breaching contracts, have third party liabilities and cause delays in projects that are relying on their products. While Marriott might suffer a half-day business interruption, our metal manufacturer is looking at complete operational failure for weeks – how many small businesses can survive that?
If your company uses computers, you’re a potential target. The bad guys don’t care, as long as there’s a computer they can hack, they will hack it. You have to think about what impact that will have; it’s likely to be very expensive and very painful and the smaller you are, the more you will feel the impact.
An illustration I use quite regularly is you’ve got fire and theft insurance on your building. How often does your building burn down? Not that often, if ever. Yet, cyber-attacks are hitting every single business. And so it seems illogical to me to have car insurance and fire and theft insurance but not cyber insurance. Don’t limit your ability to respond because you’re concerned about investing in insurance. Let the insurers manage the response to an attack and survive it, instead of becoming a victim.
If any business owners are reading this and worried that they don’t have cyber security measures in place, what can they do right now to increase their protection?
Some of the most impactful things you can do to improve your cyber security are free. Multi-factor authentication – when you log into your email with your password but also get a code sent to your phone – is a quick and easy way to add a layer of security. Regular backups of your systems are useful, but think about where you store those backups. Don’t stick them on an old computer in the corner, as they’ll be vulnerable to a ransom if it happens – store them on a hard drive offsite and disconnected from the system to keep them safe. Examine your culture and training, make sure everyone is aware of the risks, and keep reminding them how to be safe online. And the fourth thing to do is test and consider changing your passwords.
You can take it a step further and hire a consultant or service like my team who will come in and conduct a cyber health assessment – these aren’t costly but are extremely useful. You can also pay for something called a penetration test, which will highlight all the weaknesses in the system.
And of course, get a cyber insurance policy in place. It will be there as the safety net to help you recover from an attack.
To finish, what’s the one thing that you wish businesses knew to be aware of when it comes to cyber?
It sounds a bit doom and gloom but if the bad guys want to get in, they will get in. So make sure you’re prepared for it. Don’t live with a victim mentality, harden yourself to the fact that a cyber-attack could happen and make a plan for business continuity from a cyber perspective. Get those protections in place – at a minimum think about the crisis and how you would respond: it costs nothing and could save your business.