Cyber attacks are above the radar. They are making front page news, the government is taking them seriously, and almost every movie now features the use of hacking to steal data or funds. Unlike the movies though, most hacks aren’t sensational heists or system-wide ransomware attacks: they simply exploit a lack of employee awareness and too much trust in emails, or the lack of even most basic security within a business. The cyber scams we see are often simple purely because they don’t need to be sophisticated to work.
Different businesses face different cyber risks. If your company value is in your intellectual property, for example, it would be advisable for you to think about how that is protected first, or if you produce particular products, your ability to continue to do so is critical. However, across all of the businesses we deal with, we see cyber frauds targeting payments and funds more than anything else, with sensitive data being a close second.
The first 24 hours following a financial fraud case is the golden period in which to act, the quicker the better. First, let your bank know what’s happened to stop money moving. Then you will want to employ someone to undertake a short, fast investigation to work out where your funds may have moved to and what data may have been lost. When we investigate financial crimes for clients, we use legal orders to request information from banks and technology companies, and rapid investigations to tie an attack to an individual or group if possible. If data has been lost, the sooner we can get an accurate picture of the amount and type of data that has been accessed, the sooner customers and clients can be reassured. Prevention, though, is better than cure.
Entrepreneurial businesses often struggle more than larger companies to manage their internal risks, not least because employees tend to wear a lot of hats. These businesses thrive on being more agile, but founders still need to do the basics. For example, it shouldn’t be possible for one person to empty the business bank account without another key person being involved. The business strategy for managing cyber risks should be proportionate to the scale of the company and its owners appetite for risk.
It’s important to strike a balance: if you try to lock everything down, you could potentially be left without a functioning business. Where there are too many security measures in place, employees often find ways to bypass them, which can end up leaving your business even more exposed than it was before. It’s difficult for founders to be experts in cyber security and fraud when they have so many other pressures on their time, but they do need to know what questions to ask and be ready to respond quickly if – and, more likely, when – something happens.
The ever-expanding alphabet soup of regulations – whether it’s GDPR, NISD or the ePrivacy Directive – are there to try to protect businesses, but ultimately the onus is on business owners to be prepared and to act quickly in the event of a cyber attack. If a business’ cyber security strategy is robust, a blockbuster scale breach need not have blockbuster scale consequences.