What sector of UK business is perceived to be most at risk from Cybercrime?

No one particular industry stands out as being under particular threat from a cybercrime perspective. The reality is that any business (or for that matter individual) that transfers money electronically can be the victim of cybercrime.

People often hear the word transfer and automatically think of payments to third parties, and whilst that is the case, internal payments such as payroll are equally at risk of being intercepted and diverted. Also, transfer fraud is only one element of cybercrime.

Cyber extortion (where computer systems are locked until a payment is made) is increasingly common. The value of these attacks is on the rise because criminals know ransom demands get paid as businesses are reliant upon access to computer systems. A key element of the value within cyber policies is the access they provide to expert teams to assist victims in dealing with this type of activity.

How is Cybercrime perpetrated?

There are many ways to commit funds transfer fraud. It's one of the reasons it's successful and therefore growing. Fraud typically results from the sort of offensive attack people often associate with cyber activity, such as the introduction of malware or hacking. By gaining access to a computer, tablet or phone, criminals can gather very specific information that allows funds to be diverted from the intended recipient to the criminal themselves. These attacks almost always require an element of human error in order to be successful. It is interesting to see how the level of sophistication of these attacks is growing in order to cause that error.

So the threat is growing?

The number of these attacks is growing rapidly and the nature of them is changing. The fact is the most vulnerable part of any form of IT security can often be the human element. The fraudsters can go to great lengths to establish the credentials of individuals. They use public information from sources like LinkedIn as well as social media to learn about their targets, identifying where they work, their role, job title, payroll dates, days and hours of work, customer profiles, colleagues' names etc. This information combined with a breach of IT security such as access to email accounts can be very powerful and costly. I should point out that this isn't the plot line of a film script, it's a regular occurrence.

How can businesses protect themselves?

Some simple steps go a long way. Education is as important, if not more important, than technology controls. Employees and business owners, particularly those involved in making payments or ordering goods and issuing invoices, should be aware of the information they are posting online and how it might be used (either on its own or in combination with other information) to build a persona that could then be manipulated. Physical controls and checks are also important. So having two pairs of eyes on financial payments and verifying changes to payees are really valuable tools. Above all, be cautious of any payment that is being requested within a tight or unusually tight timescale.

And cyber insurance plays a role?

It can. Cyber insurance policies such as Cyber Searchlight from Arch can indemnify for certain types of fraudulent electronic transfers. Business owners should contact their insurance broker for details of how to obtain cyber insurance and the sorts of loss scenarios that can be covered.

Further articles by Marcus Breese:
• Cyber Insurance shouldn't be a dark art
• Reasons to buy Cyber 1,2,3