How to beat cyber criminals

Our Regulatory and Criminal Investigations team has a long history of defending those accused of fraud and has handled some of the biggest cases ever prosecuted in the UK. More recently its services have extended into internal corporate investigations and advising on potential risks faced by businesses.

The increasing use of online services and the computerisation of businesses in general pose significant risks for the unprepared, and recent crime statistics should make everyone sit up and evaluate their practices.

Valentine’s Day 2017 saw the Queen open the National Cyber Security Centre (NCSC), a part of GCHQ, at Victoria in London. Businesses were critical of the protections offered by GCHQ, saying that the organisation was too secretive, so the NCSC is seen as being more public-facing and accessible. This is part of the Government’s £1.9bn investment in cyber-security, to take place over the next five years, with the intention of protecting against and responding to high-end attacks on government, business and individuals.

This follows recent reports that Britain’s security has been threatened by 188 high-level ‘cyber attacks’ since November 2016. The wider figures are staggering in that the UK’s security services have reportedly blocked 34,550 potential attacks on Government departments and members of the public in the last six months. This is an average of around 200 per day, and the NCSC is intended to make the UK the hardest target to infiltrate. Members of the private sector have been seconded to the NCSC in order to help identify threats. The NCSC is also looking to use its work protecting the Government as a blueprint to extend to industry on a national scale, with results being published to enhance collaboration between the public and the private sector in tackling the wider problem.

Mindful of how cyber-crime is now being prioritised at a national level, the recently published Crime Survey for England and Wales 2016 has, for the first time, measured the impact of cyber-crime in relation to fraud and computer misuse offences. Astonishingly, there were found to be 3.6 million cases of fraud and a further 2 million cases of computer misuse between June 2015 and June 2016. This is a frightening prospect when one considers the amount of undetected or unreported crimes of this nature. It is believed that only 13.2% of incidents were reported to the Police or Action Fraud. A recent BBC report by Dominic Casciani suggests that the overall level of crime has been generally falling for the past 25 years in the industrialised world, but whilst the incidence of more traditional crimes such as burglary and theft has fallen, criminal gangs are looking for new opportunities by exploiting gaps in online and banking security. In a BBC broadcast Sir Tom Winsor, the Chief Inspector of Constabulary for England and Wales, said that the amount of fraud taking place is probably in “epidemic proportions” and individual police forces have been required to work extremely hard with capabilities and specialisms which are “quite skeletal”. This is a highly specialised and expensive area and there is a real danger of demand significantly outstripping supply in terms of dealing with the volume of work in the cyber-crime area. It remains to be seen, therefore, how the opening of the NCSC and the intended collaborative approach in tackling these problems will work in practice.

Getting cyber aware

It is often a lack of knowledge, inadequate security or a combination of both that precipitates an attempted online fraud or other form of cyber-attack. There is an abundance of ways in which businesses can be targeted from outside and within, with the following becoming particularly common threats:

‘Mandate’ fraud, where employees are tricked into changing a direct debit or standing order by someone pretending to be a supplier.

‘CEO’ fraud, otherwise known as a ‘Whaling Attack’, is where the employee is tricked into making a payment by means of an email purporting to be from a senior manager. Action Fraud has reported an increase in the number of these attacks on medical practices in recent months.

Extortion - files on a computer or network are rendered inaccessible by ransomware until a release fee is paid.

Hacking is one of the main issues facing businesses, where private and often commercially sensitive company information is obtained through the hacking of a company’s server, an employee’s computer or even access through email or social media.

Retail fraud is the most regularly reported online crime affecting businesses, with refund and label fraud being the most prevalent, along with the obtaining of goods with no intention of paying for them.

Measures need to be devised to prevent, detect and respond to such potential security threats. It may be that outside expertise needs to be considered in this regard. As a bare minimum, experts suggest that businesses take the following steps to try to combat this threat:

Introduce structured, regular and updated employee education and awareness training. All employees need to understand their individual roles in keeping the business secure. It is no longer just the remit of the IT department.

Install internet security software on all systems including mobile devices. An attack can be made via a company’s ‘mainframe’ or individual employees’ mobile phones and tablets where these are linked to the company’s main system.

Introduce regular security updates for all operating systems, applications, mobile and browser software.

Police a strict and enforced password policy for all employees and contractors.

If you are unsure or have no measures in place, then getsafeonline.org is a very useful site with advice for individuals and businesses about cyber-security and awareness, with headings including hardware and devices, information security, online security and safety, rules, guidelines and procedures, software, ways you work and personal commentary. Should you or your business be the victim of a cyber-attack, it is recommended that you engage with the authorities as soon as possible. The cyber divisions of the National Crime Agency can be contacted directly on 0370 496 7622.

Published: 16 May 2017

Focus on Manufacturing - Edition 5

Key Contact

John Davies