Cyber-attacks have been headline news in the past few months, ever since a global ransomware attack crippled parts of the NHS and other organisations around the world. The ransomware, WannaCry, locked computers across the world, demanding payment for them to be unlocked.
According to assessments by the National Cyber Security Centre (NCSC), the ransomware didn’t target Britain or even the NHS specifically. However, working theories suggest it may have been a money-making scheme that got out of hand (and yielded relatively small amounts of cash considering its spread to over 200,000 victims in 150 countries). Nevertheless, statistics from the London Digital Security Centre claim that the cost of fraud to the private sector in the UK is £21.2bn annually, affecting enterprises of all sizes – not just large corporations.
Technology is embedded in our business systems and processes in ever more innovative ways. As much as one-eighth of Britain’s GDP now comes from the digital economy, and ONS statistics demonstrate that growth in the value of internet sales shows no signs of slowing down anytime soon.
As both back-office functions and those central to developing and fulfilling customer relationships are being transformed by digital innovations, so, as you would expect, are the types and occurrences of cyber crime. Taking a broad look at the landscape from a statistical point of view:
- In 2016, cyber crime was the second most reported economic crime.
- Government figures suggest that the average cost of the worst security breaches to small businesses is £75k – £311k, increasing year on year.
- Figures from Barclaycard show that 48 per cent of SMEs fell victim to at least one cyber attack last year and 10 per cent were targeted multiple times.
- Juniper Research (2016) shows that 59% of SMEs surveyed were the victim of an attack.
- However, 27% of those SMEs believe they are secure because they are too small to be of interest to cyber attackers (Juniper Research 2016).
- And only one in five small businesses ranked cyber security as a top business priority.
There are many ways in which companies can be targeted. Critically, however, the Barclaycard data found that approximately half of the worst security breaches suffered by large and small organisations alike were caused by inadvertent human error. Undertaking its own research, IBM’s Cyber Security Intelligence Index found that 95% of all security breaches involved some level of human error.
Whilst we have all been well briefed not to open phishing emails or unknown attachments, 23% of recipients open phishing emails and 11% open attachments (source: London Digital Security Centre). Looking at it from this perspective, one of the most effective strategies against cyber crime might not be restricting employee device usage, for example, or over-investing in complex technological security solutions; it may well simply be regularly educating employees in the different types of attacks and how to look out for them:
Fraudsters use malware to remotely access accounts packages to edit the account details of stored beneficiaries. When legitimate invoices or salary runs are set up to be paid, for example, what is usually a regular payment to a known beneficiary’s account will be redirected to the fraudster’s accounts. Users don’t notice that the account details of known/regular beneficiaries have been changed when they authorise the payments, and payments are authorised having had the amount checked, rather than both the amount and the beneficiary account information. Once the money has been paid, there is very little that can be done.
Less technical than the above, but quite similar in theme. The fraudster sends an email or letter to, or telephones, a business pretending to be from a known, regular or new supplier/customer and advising of a change of bank details. Once the payment schedule runs, payments will be made into the new account, controlled by the fraudster. This is particularly effective because UK electronic payments are based on sort code and account number details only, and it is the responsibility of the person making the payment to ensure that the account details are correct. Again, once the monies have been paid, there is very little that can be done.
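Both frauds above succeed because the amount is checked but the destination account is not. As an added illustration (not part of the original article), the sketch below holds any payment whose sort code or account number differs from a record verified out of band; the names, account details and the `review_payment_run` helper are constructed for the example.

```python
# Added example: all names and account details below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    beneficiary: str
    sort_code: str
    account_number: str
    amount_pence: int

def _digits(value):
    """Strip separators so '00-00-01' and '000001' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

def review_payment_run(payments, verified):
    """Return (payment, reason) pairs to hold for a call-back check.

    `verified` maps beneficiary name -> (sort_code, account_number) that was
    confirmed out of band and is stored outside the accounts package, so
    malware editing the package cannot also edit the reference copy.
    """
    held = []
    for p in payments:
        current = (_digits(p.sort_code), _digits(p.account_number))
        if p.beneficiary not in verified:
            held.append((p, "beneficiary not in verified list"))
            continue
        known_sort, known_acct = verified[p.beneficiary]
        if (_digits(known_sort), _digits(known_acct)) != current:
            held.append((p, "bank details differ from verified record"))
    return held

VERIFIED = {
    "Acme Supplies Ltd": ("00-00-01", "12345678"),
    "Payroll - J Smith": ("00-00-02", "87654321"),
}
RUN = [
    Payment("Acme Supplies Ltd", "000001", "12345678", 125000),    # unchanged
    Payment("Payroll - J Smith", "00-00-02", "11112222", 210000),  # edited
    Payment("New Vendor Ltd", "00-00-03", "55556666", 99000),      # unverified
]

if __name__ == "__main__":
    for payment, reason in review_payment_run(RUN, VERIFIED):
        print(f"HOLD {payment.beneficiary}: {reason}")
```
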
Cheque Overpayment Fraud
Again, quite simple in execution but actually very difficult to remedy. Fraudsters issue a cheque either unexpectedly, or for services or goods provided at a higher value than owed. They then request that the overpayment is refunded. You make the refund in good faith, on the assumption that the cheque will clear, but in fact the cheque bounces, leaving an unpaid invoice for the original account and you further out of pocket over the fraudulent payment.
As our systems and processes are increasingly reliant on time-saving and efficient digital technologies, it’s increasingly important that employees at all levels of the organisation are aware of and alert to the ways in which companies are being targeted. It is the ability to quickly and dramatically affect cash flow which makes these types of fraud so damaging to SMEs – particularly for companies who are struggling for funding. Neither is it just large corporate entities that are at risk. Where there are weaknesses in any systems or processes, businesses of any size are just as vulnerable.