1. The challenges facing cyber security
2. The common types of cyber-attacks and how to spot them
3. How best to avoid becoming a victim of a cyber attack
PRESENTER: So when it comes to online cyber-attacks Rob, what would you say is the situation?
ROB: Well it’s easy to look in all the news reports, the big headlines that we see recently, but there are some pretty stark data points that have been coming out over the past few years. Microsoft at their big conference, their head of security said that three or four years ago they were seeing around 20,000 attacks a week; now that number is around 600,000 a week. Now, that number is inflated because that includes the phishing emails, which has gone off the scale in the frequency and I’m sure everybody can see that.
The Department of Justice in the US released a paper just a few weeks ago where they said that ransomware attacks in 2016 they were seeing an average 1,000 a day, sorry in 2015 1,000 a day, in 2016 that’s up to 4,000 a day. Closer to home, we’ve got the British Chamber of Commerce saying that 20% of all of the firms that they’ve surveyed had a cyber-attack in the last year. Lloyd’s of London have said that in 2015 the cost of cybercrime was at $400bn globally, which is a huge number, and they underwrite 20% of cyber security insurance policies. Hiscox, they released their report a few weeks back and they said that’s gone up to $450bn.
Now, if you made that a nation state that would be the 25th largest by GDP, which is a huge number. I think there’s no denying before you even get to the news articles that are coming out all the time around TalkTalk, Tesco’s, etc., that it’s only going in one direction.
PRESENTER: Absolutely, well Stephen some tremendous numbers there, and I have heard it said that where there’s data there’s a threat. But is there a specific profile of people or companies who are targeted?
STEPHEN: Not really. One important statistic is that a lot of the studies show that it’s not just big companies that are being targeted. So the Verizon Data Breach Investigations Report for this year says about 40-odd percent of them have 1,000 or fewer people. So it’s affecting all sizes of organisations. The financial services sector is always up there at the top just because the gains that can be made from successful attacks can be fairly significant.
PRESENTER: So I mean you mentioned phishing, what is the most common attack would you say Rob, is it the phishing or the other one, it’s ransomware that we’re hearing about?
ROB: Yes, I mean phishing undoubtedly is the most common, and there are different types of phishing. There’s phishing and there’s spear phishing, and they’re usually the precursor to ransomware. So phishing is normally they’ll just send, they’ll have a load of email addresses, they’ll even try and guess email addresses and they’ll send an email from HSBC Bank saying you need to go and reset your password. And it’ll be, you know, as the name suggests, put a load of bait out there and see what bites. And then there’s spear phishing, which is probably what we see a lot more in relation to businesses. And spear phishing is where they will target a specific business or a specific person in a business, and they do that by basically harvesting data that’s freely out there. LinkedIn accounts, you know, you can see who the CFO is, who the CEO is. Try and pretend to be a person, and try and get them to transfer money into a bank account. Google and Facebook, it was announced a couple of weeks ago that somebody in Lithuania had taken them for £110m. So it’s not something that is only the victim of people who don’t know about security.
And then ransomware is normally what happens afterwards, or can happen afterwards, which is where somebody gets access to your infrastructure, and what they will look to do is they’ll try and identify what are your crown jewels, what are your prime assets. So for a financial advice firm it’s going to be your customer data. They’ll then encrypt that data and essentially extort you. Say you can have your data back, it doesn’t necessarily go anywhere, it’s just encrypted, but we’ll give you the keys to your data if you’ll pay us X number of pounds. And cybercrime has become such an industry that these guys know exactly, they’ve worked out exactly where to price that number. You know, if you’re a $100m business, you know, that might be millions of pounds; if you’re a financial advice business, you know, that might be £10-11,000. And when it comes to the people assessing the cost of remediating that and getting back to normal business, suddenly £10-12,000 seems like you know what, I will actually pay that. And people do pay it.
PRESENTER: So let’s take the example of ransomware, if somebody has this sort of attack what can they expect to happen, and how should they react?
ROB: So they might get a telephone call, they might get an email. Typically it’s along the lines of, or they might have realised because they can’t access a particular system, and they’re wondering why it’s broken. Then they’ll get an email or a call, and it’ll be along the lines of essentially we’ve got your data, we’ve encrypted it, to unencrypt it what we want you to do is pay us some bitcoins. And typically what they do is they’ll put a link to Wikipedia about bitcoins, because not a lot of people know about bitcoins, with some very clear guidance on how you actually get bitcoins so that you can pay them. Now, at that point you need to make the decision around how you’re going to deal with it. Hopefully, the firm have got good backups in place, offsite backups that somebody hasn’t been able to get to, and you probably want to start disconnecting all of the systems that you suspect have been attacked, and start working on a recovery plan, but one that actually leaves the infrastructure intact so that somebody could actually investigate what has happened.
STEPHEN: Yes, I mean the important first steps are to disconnect it from the network, but don’t turn anything off, and then that allows the forensics investigators to be able to get to things that might be in temporary memory for example. And then they will look and see what the infection vector is. So how’s it come in? So if it’s come in by email for example, part of the clean-up will be to get rid of all other copies of that email that could be circulating around. And then to look for, there may be tools available to decrypt some of the more common types of encryption that are used in ransomware attacks.
PRESENTER: So what are the chances of getting data back once you’ve had this sort of attack if you don’t pay?
STEPHEN: So that depends on how good your processes have been around backing up data – which is why it’s always important to make sure that the important stuff that you are backing up that you test that you can recover that backup and that it would work if you needed it. But if you do the right things and you react quickly, your chances are greatly increased. And again that comes down to the awareness, training and awareness of people. People need to understand what a ransomware-type attack might look like, and what they should do if it does happen to them.
PRESENTER: Well I imagine the temptation to just pay the ransom is quite high. What’s the problem with doing this?
ROB: Well I mean as I said before they’re not stupid about what price point they put it at. They definitely put it at a point which means that it makes it very tempting for somebody to pay. They’re not going to try and extort a two-man financial advice firm out of a couple of million pounds, because they know that’s not going to happen. But the risk of paying it is, well you’ve essentially just said that if you do this to me I will pay money. Now the question is are you, do you want to not pay and essentially have this pain to deal with once, or are you willing to pay and potentially have this two, three, four times? Because clearly the ethics of a cybercriminal are not one where you could necessarily trust the word of we promise we won’t come back and do this to you again.
PRESENTER: OK. I suppose if people didn’t have good systems in place and this happened, then they’d be tempted to pay and then put good systems in place. I imagine that’s not the way forward though, Stephen.
STEPHEN: No, the way forward is to prepare to never have to think about paying.
PRESENTER: So just to be clear, so this, just to recap, what exactly does this look like for people who are watching?
ROB: So as I said typically what we’ve seen is that you’ll come in on a Monday morning, because typically these things would happen over a weekend. You’ll come in on a Monday morning, the system, the core CRM system as an example, or your finance system isn’t working and nobody can understand why. And then you’ll receive an email, and they’ll be like you may have noticed that your finance system isn’t working, and this is why, and we’ve encrypted your data. And as I say they will go through bullet points of we want to be paid in bitcoins, this is what a bitcoin is, this is how you transfer sterling into bitcoins, this is how you transfer it to us, once you’ve done that we’ll unencrypt your data – that is typically how people find out that they’ve been ransomware’d.
PRESENTER: So you mentioned the likes of Tesco’s and TalkTalk, I mean what exactly happened there and could it have been prevented perhaps?
ROB: Well often, well nearly all of them could have been prevented, and most cases I think people like to think that hacking is something like Tom Cruise in Mission Impossible, and often it’s just basic errors. You know, infrastructure not being patched up to date. TalkTalk I believe it was one of the companies they’d acquired didn’t have a very good security architecture, and that was how this teenager got into TalkTalk. It’s not necessarily a hugely complex and targeted attack driven by the Chinese or something like that; it’s often simply because basic good practice hasn’t been followed.
STEPHEN: And there is the whole world of people with malicious intent out there who are happy to share their techniques, the tools they develop often quite freely. If you go into some of the murkier parts of the online world you can buy guides to things like setting up your own dating scam, with beautifully crafted emails to use. So the bar for entry into that kind of world is getting lower.
PRESENTER: So, looking at the finance industry, how would you say advisers then are really at risk? I’ll put that question to you Rob.
ROB: I mean obviously as I said with the ransomware there’s a direct risk of the cost of them, paying to get the data back, managing the fallout afterwards. There’s the risk of ID fraud where they might transfer their own money into a bank account or a customer’s money into a bank account. Up until the last few years, in 2014, the FCA said that they had five firms report attacks. In 2015 that was 27, and in 2016 that’s gone up to 75. Now they don’t seem like big numbers, and it’s potentially partly down to the fact that firms don’t have a legal obligation to actually report data breaches and hacks to the regulator. But that’s due to change with the new data protection regulation that comes in next year.
Now, what that then means is that from a financial advice business you are now at a real risk of reputational issue, because if there is an issue, and there’s a likelihood that one of your customers is going to experience a material loss, you are going to have to report that to the regulator. That is now going to be in the public domain. There’s a very real chance that what we’re going to see is a much greater increase in the reporting of issues, and therefore much greater increase in advice firms becoming public that they’ve been hacked. We did consumer research recently, and we asked the question if you were looking at an advice firm or using an advice firm and it became public that they’d been hacked would you continue to use them? 82% of them said no. Now, to steal the words of Warren Buffett, you know, potentially the tide’s going to be going out and we might be about to find out who’s been swimming naked.
PRESENTER: Well let’s look at this EU general data protection regulation, because I imagine a lot of people now in the UK are thinking well we’re going to be out of the EU in a couple of years, Brexit’s really happening, so we don’t really need to worry about this regulation anymore. Stephen, is that the case?
STEPHEN: No, not at all. The GDPR will matter regardless of Brexit. If you think about, we’re in the two-year run-in period for GDPR anyway, and that starts on the 25th of May next year. There’s going to be a period where we remain a member state in the EU, so it will be the law. But already the government has made it perfectly clear firstly back in October and more recently in February that they intend to implement the GDPR in full in the UK. And part of the reason for that is because of the value and importance in the unhindered movement of data around Europe.
PRESENTER: Because Stephen, as you said, the reputational damage can be tremendous. If clients hear that you’ve been hacked they’re not going to necessarily use them. So has it been a problem that a lot of companies may have been hacked but they haven’t reported it for this very reason, and might we see a lot more hacking after people are forced to report it?
ROB: I think without a shadow of a doubt. A lot of people are going to have a difficult decision to make. They are going to have to report things. We’ve certainly seen customers where they have experienced attacks, they’ve reported them to us, and they’ve had to make the decision as to whether they go to the regulator. And not always have they done so. But it’s going to be very clear going forwards that if there is a high chance that the customer may be a victim onwards that you have to report it. And I think there’s also, there are new rules coming in as well that the consumer themselves can actually come after you if it’s happened.
STEPHEN: Yes, GDPR isn’t necessarily going to cause more attacks to happen, or more personal data breaches to occur, but there will be an increase in the numbers that we know about, because pretty much now you don’t need to report. Under GDPR there will be a requirement to report if it poses a risk to the rights and freedoms of individuals. And if that risk is a high risk you also have to tell the people who’ve been affected by it as well. So there is going to be more out there. And as Rob said as well as the fines that come under GDPR, it always allows for people to take their own action against organisations that have suffered a breach, and not just for financial loss as well.
PRESENTER: So if people don’t report it then they are going to be looking at fines and like you said even lawsuits. So it’s something that they’re going to have to do moving forwards.
STEPHEN: They will have to report any, the more significant breaches that happen.
ROB: Within 72 hours.
STEPHEN: Yes, that’s one of the big changes. You have 72 hours in which to do that. So you have to tell the regulator first, and then if there is a high risk to the rights and freedoms of people you also have to tell them as well without undue delay, which of course is going to be open to quite a lot of debate what undue delay actually means.
ROB: And the fine for not doing it, is it 2% of global revenue potentially?
STEPHEN: Yes, so there’s lots of different fines that you can be subject to under GDPR, and although lots of the material you see are the higher more scary figures of up to 4% of global turnover, you can actually get fined for just not doing the basics right in GDPR.
PRESENTER: OK. So it’s definitely something that companies really need to be aware of. So is there a checklist that they can work towards when this comes in?
STEPHEN: Yes, there’s quite a lot of helpful information out there. We provide some through our website around this. But as with the cyber stuff there’s a lot to be done, but you can do a lot of things just to get yourself in a good position. So understand properly what personal data you have and that you need for your business. Know where it is and what you’re doing with it. Because when you collect it in one of the big changes is you have to be much clearer with people why you’re getting that data from them, and what you intend to do with it and who you’re going to share it with. And probably just as importantly how long you’re going to do that for.
So you need to know all of that before you start collecting people’s data. And then once you have, once you’ve done that, is to then understand where your higher risk areas are in terms of the new law that’s coming in. And then start to put things in place now, look at the contracts that you have for example. So any contracts that you have that involve personal data, you need to know.
PRESENTER: Well let’s look at that a little bit closer, because I imagine like most things prevention is better than cure, especially when it comes to this situation. So I just want to take you back to something you said earlier Rob, when you were saying people can be targeted. They’ll just guess an email address, and for a lot of companies out there they put first name dot second name. That’s pretty standard, or just the first initial and the surname, and that’s pretty easy to guess, and also you mentioned LinkedIn and these sort of social media profiles, and a lot of people have these as well. So what kind of, what problems are associated with this, and what should people be doing to protect themselves?
ROB: Yes, I mean obviously that information can be used back against you in the form of an attack. Now we’re not suggesting people shouldn’t use LinkedIn and people certainly shouldn’t use email. The important thing is around the basics. And it’s something that needs to be driven from the top down. This isn’t just something we’re saying, this is also something that the FCA is saying. At the FT cyber-summit last year the FCA were very clear that this is something that has to be done from the top down. And the basics are things like before you even get into technology - because often cybersecurity isn’t an IT problem, it’s a people problem - you need to make sure that your staff have gone through security awareness training, you know, that you’ve given them the pointers on what to look out for in a phishing email.
It’s pretty unlikely that your CEO is going to send you an email with an invoice and say I’m not going to raise a PO, transfer £90,000 into that bank account. But those things have to be pointed out to people. And people need to feel that they can actually escalate things, you know, that we want them to escalate things that they think might be an ongoing issue or is a risk of an issue. And then it’s just best practice that is being pushed by all of the vendors for as long as the internet has existed of using software that can receive security updates. Make sure that you do install the patches that the vendors push out. 10% of our customers are currently using browsers that cannot receive a security update. So they’re going all over the internet and clicking on things, and if that web page is being owned there’s a pretty good chance that their laptop or their desktop has now been owned.
These aren’t crazily complicated things that you’d need to have in place to prevent cyber-attacks. But the reality is the old adage, burglar walking down the street and if he can see a burglar alarm he’s not going to do that. But the way people are running their businesses and generally just not looking after their own internal infrastructure from a basic level. They’re pretty much going on holiday, leaving the back door open and putting a sign up and leaving the family jewels at the door.
PRESENTER: Well, Stephen, I imagine what’s quite damaging is a lot of people have this sort of mentality that it won’t happen to me. I mean is that a problem?
STEPHEN: Yes, that is a problem. Despite the fact that the statistics show that there’s pretty much a good chance it is going to happen to you. And I know there’s lots of scare stories out there, and there are some quite frightening statistics, and I do think some people are a bit caught up with just not knowing what they should do. But there are lots of things that you can do to protect yourself, some very basic things. So the thing about making sure that your people have the right training and awareness, and not just bland standard cyber-awareness type training, is to try and bring it to life for people so it’s a bit more relevant to their organisation, it’s a bit more relevant to their role.
An example I like to give is if you tell receptionists at the front desk of a company that foreign intelligence services are trying to hack into servers to steal your intellectual property, it’s not going to mean that much to them. If you tell them that the police have reported that there are people in the area who are trying to get into offices to steal phones and purses and wallets and things, they’ll be onto it in an instant because they can relate to it. And for people that security is important they have to be able to relate to that in some way; otherwise they won’t see their role in it.
PRESENTER: Well cybercrime has actually been around for a long time, but it’s only really becoming mainstream now, so how important is it to raise awareness both inside and outside the boardroom?
STEPHEN: Really important. As Rob has said it needs to start at the top. You’ve got to have the right culture. And so the board needs to properly understand what the cyber-threats are to their business, and what’s being done about it. And that needs to be much more meaningful than having a risk in a risk register that just says we’re at risk of cyber-attack, because that doesn’t really tell them anything. It doesn’t help them make decisions around it. And it’s related to the training and awareness thing. You’ve got to focus it on the people that you’re talking to. And there’s no point if you’re a very small business of a couple of people worrying about being attacked by foreign intelligence services; you’re more likely to be attacked by random phishing emails that will appear in someone’s inbox.
PRESENTER: Well you mentioned earlier data security, so let’s focus on that for a moment now. How should people really approach this?
ROB: I think as Stephen said earlier on, first and foremost people need to understand what data they have, and what the importance of that is not only to their business, but also to whoever the data is about if it’s about individuals. You need to understand where it is, who has access to it, and what it’s being used for. And then off the basis of that essentially just minimise down what data you hold and who has access to it, and that they have the right access to it. Once again it’s not like we’re suggesting a crazy complicated approach, generally it is just common sense. If you have data there, and especially if it’s about your customers and it’s personal information, you need to look after that very carefully, because the ramifications can be quite significant.
PRESENTER: Well the FCA have even put together guidelines on how to store customers’ data, you know, what do they advise?
ROB: As I said it needs to be held in an appropriate place where it has the appropriate security around it. Access should be on a needs-only basis, that you take appropriate backups. Backups are going off site, that backups are encrypted. You know essentially good practice that’s been driven out from the technology industry for a long period of time.
PRESENTER: What about small things like even how people approach passwords? Should this be something that they have to change very regularly? Because a lot of people don’t do that purely because it’s hard to remember multiple passwords, and then this becomes an issue.
STEPHEN: So it’s back to the point about focusing on the things that are really important that you care about. So your work password or your bank password should be very strong. And if you do it in the right way you don’t need to change it a lot. So if you’re allowed to have a simple thing like a word then you probably should change it quite frequently. If you have some kind of pass phrase that includes some numbers and some characters, then you don’t need to change it as often because it’s much harder for that to then be guessed or broken. But if you, for things where you know that there’s a risk that someone could see it or get it, then you should change them more often.
What I used to do when I commuted every day on my iPhone was I would change the PIN code every two or three days, just because I was on a train, it was before you could just use your thumbprint, and so there was a good chance that people could see me putting my PIN code in, and what I didn’t want was someone to then target me, get it and be able to get in. So you’ve got those two extremes, and you need to find a balance in there of what works for you and for the thing that you’re trying to protect.
ROB: The key thing with this security control is that if it’s difficult for people to bring into their lives that control will fail. So if you make people have really complex passwords that you have to change every 30 days, it’s probably going to take them 20 days to remember it. So that’s when you end up with people putting things down on post-its. We joke about it but it happens. It definitely happens. But if you take something like a passphrase, maybe it’s the first line of your favourite song, like Stephen said with uppercase characters, a few numbers, a few special characters, that is a very strong password and it’s very easy to remember, and because of the strength you’re not having to change it every 30 days. It can probably stay there for six months.
PRESENTER: And how about when it comes to things like recording client conversations, that sort of thing, I mean MiFID II has recently made some regulations about that, so what should people be aware of in that space?
ROB: Well they have to treat it exactly the same as the normal what we call PII data, so personally identifiable information about customers. It has to be treated in exactly the same way, because essentially it’s going to hold personal information. If an advisor is talking to a customer about their portfolio, that’s pretty sensitive information. So when they’re recording it they have to make sure that they’re applying those same rules that it’s been stored in an appropriate place, it’s been backed up appropriately, and only those people who should have access to it have got access to it, and have got the permissions that they need to do their job and no more.
PRESENTER: And when it comes to cyber-attacks being successful, how often is it actually human error that makes it successful rather than actually the tech or what’s in place?
STEPHEN: It’s pretty much human all the time. If you think about some of the more technical attacks that happen it’s because something hasn’t been set up in the right way, it’s not been patched on time, those kinds of things. But generally most of the attacks do have a human element to them. And so the Verizon Data Breach Investigations Report that came out, they say that 95% of successful phishing attacks are then followed by a software install. So that gives an idea of the scale of the thing. Again back down to educating people. And it’s not just telling people what a bad thing looks like, you also need to help them understand what they need to do if they interact with that bad thing.
So if someone does click on a link and suddenly realises that it’s perhaps not as good as they thought it was, is to tell someone quickly. And again this comes back to the culture of the organisation. If they work for a company that has a very dictatorial approach, people get shouted at and told off for the simplest of things, people will feel nervous about reporting. And the longer you leave the thing the more chance there is that it will spread and get worse.
PRESENTER: Well how do companies know what to do? I mean what sort of advice is out there to help them?
ROB: Well there’s lots of advice out there on the internet. We’ve recently been working on a white paper together that we’ve specifically targeted towards financial advisers. Very much around the top-down approach, learning and getting the basics in place. But also about making sure that you do have at least a basic plan of if something were to happen, step by step what is it that we would need to do? And from your perspective?
STEPHEN: Yes, it’s important that everyone knows what to do if something actually does go wrong. That’s the key thing really. From the person who first sees it or perhaps does it, to the people that they will then talk to, so that there is a plan. And ideally you would test that plan as well, so you’re not just waiting for a serious incident to happen before you test it. And depending on the size of your organisation it doesn’t need to be that big a test. But some of the larger more complex organisations should be running full and proper tests.
PRESENTER: Well as I said before obviously prevention is better than cure, but looking at the cure if the worst happens and there is a breach how should companies react?
STEPHEN: Get good help. One thing you should plan to do before something happens is make sure that you do, you can recover any lost information, so that your business can continue, which is a side issue to how you then deal with reporting it to the various regulators who might be involved. But know who you’re going to go to for help, that’s the thing.
PRESENTER: Yes absolutely, and what would you say Rob?
ROB: Yes similar, make sure you know who to go to. We’re actually in the process of launching a cyber-security helpline for our customers for that exact reason, just to give them at least a point of call where they can come to and say we think this has happened, and we can help them triage it. And then help, point them in the right direction of experts, people like NCC who are there for when the bad thing does happen. You are going to need assistance in making sure that you handle it correctly, because an incident that’s handled correctly will turn out far better than an incident that’s not handled correctly because you start, as I said you’ve got the regulator, you have to start thinking about your insurance, you have to start thinking about our comms to customers if that’s appropriate. You’re soon taking somebody way out of their comfort zone, and I think just having that contact of somebody that they can at least get initial advice on is pretty important.
PRESENTER: Well Rob, Stephen, thank you so much.
ROB: No worries, thank you very much.
STEPHEN: Thank you.