Tuesday 1 Sep 2015 07:30

Protecting against cyber attack

The issue: Is the explosion of social media and the availability of personal information placed online causing more cyber fraud? And how can we work together to stop it?

Taking part in the Barclays Live Debate

BQ Live Debate: Barclays

Paul Whitehouse, a relationship director at Barclays, welcomed everybody and explained the bank’s interest in hosting the evening. He said: “There’s a huge digital agenda going on in Barclays at the moment. It really does feel like we are transforming, becoming a very much digitally-based organisation.

“We’re also trying to help our clients, both business and personal, to progress their own digital agendas. I go back to a time when we didn’t even have a computer on the desk. Even then, there was a lot of attempted fraud going on. But back then it was a stolen chequebook and trying to forge a signature.

“Over the decades, I’ve seen businesses move from a traditional model and reinvent themselves for the digital world today. Is that fraudster, with the chequebook and the dodgy signature which I was seeing 30-odd years ago, has he just reinvented himself to take advantage of what’s available and what’s possible today?”

Chris Gould, a partner at EY, said he was building a cyber-security practice across the firm and throughout the UK. He said: “This is really an interesting topic. Because technologies are progressing faster than people are progressing to the change. And we’re seeing an explosion now in social media. If we look at what’s coming next, with interactive technologies, we’re going to be putting more and more stuff out there about ourselves.

“One thing is very clear: people that really understand the value of our information are not ourselves, but those that use it for various purposes.

“So it doesn’t matter if it’s a small or large organisation, the information we put online makes us vulnerable, and I don’t think that people really think about that.”

Dr Emma Philpott, chief executive of The IASME Consortium, explained that her organisation has a cyber security standard specifically written for small companies. She said: “We try to help small companies understand about cyber security and then, when they’re doing the basics, then they get a certificate.

“We helped the government write ‘cyber essentials’, which is the new, very basic, cyber security standard, and we’re one of the accrediting bodies.

“Most of my day is spent talking to small companies that usually don’t know anything about cyber security, and usually don’t have much understanding of technology, trying to help them understand the very basics. What becomes clear is that most people are doing almost nothing, because they just don’t know what to do, and they don’t understand that it’s very simple to take basic steps.”


Angela Irvine, of Adler Insurance Group, explained that she arranged cyber and data liability insurance for commercial and professional clients. She said: “We have an issue of trying to educate the clients to understand what risks they have with their data.

“Most businesses will insure their physical assets but, quite often, their data is actually where the value is. So, we’re going through a process of finding risk management solutions and mitigation, trying to work with cyber security consultants to offer that full solution.”

Dr Stephen Wright, the general manager at National Cyber Skills Centre, said: “The point earlier about ‘is it the guy with the cheque book fraud reinventing himself?’; it’s more than that. I think people that were involved in less sophisticated crime are reinventing themselves as cyber fraudsters. Because the tools are available free online, people can start to use them, and they can start to exploit the vulnerabilities.

“And people don’t know about the simple steps. A lot of people don’t even acknowledge they need to take some simple steps. It’s why we exist.”

April Pearson-Myatt, of DRP, said: “We deliver a number of different solutions to clients’ communications, and digital has really come to the forefront over the last few years. We now work with very large corporates and have to comply with the ISO standard.

“In the past it’s always been a tick box – yes, let’s just say we’ve done it – but it’s not that any more. We really have to be delivering. And the very big issue for us is understanding that standard, making sure that our competitors all know that standard, so we’re all running on a level playing field. Cyber is impacting our business, and it’s impacting our competitors, and it’s really something we need to follow through with.”

Rae McClelland, a cyber security consultant with defence company 3SDL, said: “Our company was successful in bidding for a Worcestershire County Council contract, which was to deliver cyber security assistance to SMEs in Worcestershire. We’ve assisted more than 65 companies in the last year alone, ranging from one-man-bands to 50-plus staff.

“I also run the cyber apprenticeship development scheme in Worcestershire, one of the first of its kind. It works with three local schools – teenagers, sixth form students – and trains them up, not just cyber security technical things, but also business. I hear a lot of the time from small businesses: ‘We don’t know where to start, so help us.’”

Martyn Butcher, commercial director at Aristi, cyber security consultants, said: “What really bugs me is that it takes a breach for people to do something about it. It’s almost like saying, if I was a motorcyclist: ‘I don’t want to wear gloves because I like the feel without the gloves.’ But you have your first road accident, you tear your hands to pieces, you’re going to start wearing motorcycling gloves from that point onwards.”

Ruth Inglis, the sales and marketing manager at Titania, said: “We develop cyber security auditing software. We’ve got three different tools. One’s for network security devices, like firewalls, switches and routers. The other one’s for workstations and servers. And we have a continuous monitoring tool as well, so that you’re always all in sync all the time, and it will alert you if anything changes.

“We’ve got clients from really small companies to multi-national ones, including government departments, especially in the US, like the FBI, the Treasury – all those departments. We’ve got a scalable licence, so you can use it if you’re really small, or you can use it if you’re really large. We see a lot of companies you maybe wouldn’t expect to be really cyber aware using the software. And then some companies you would expect to be really cyber aware who don’t understand why they need it.

“One of my colleagues wrote an article about how the smoking ban has changed the way everybody thinks about smoking indoors. You’d never get a cigarette out now and start smoking it. And that’s the kind of change of mentality that we need [with cyber security].”

Andrew Barnett, the director of global transactional fraud strategy at Barclays, said: “My day is spent trying to fight the bad guys when they come up with new attacks, to come up with solutions, system strategies, analytics, to try to beat them at their own game, and stay ahead of them.

“The losses to UK businesses, in relation to cyber fraud, are over £1bn; the last figure I had was £1.2bn. I’m sure these guys are absolutely focused on this. While we’re sitting here having this lovely meal, they may be having the same sort of meal somewhere else, discussing how they’re going to attack everybody in the new way.

“It’s a business to them, it’s how they pay their kids’ school fees, it’s how they take their holidays. It’s not the spotty oik in the bedroom, just doing it for a bit of a laugh, it’s definitely a business. I think I’d echo Martyn’s point, around customer awareness; businesses only seem to want to spend some money doing something when it all goes horribly wrong.

“We’re digitising our services and what we offer to customers. There’s a generation that will pick this stuff up really, really quickly, but there’s a generation that won’t.

“So we hold sessions in our branches after closure. People can take their iPads into our branches and we’ll set them up for them in a secure manner. So we definitely come with the mantra that we’ll leave nobody behind in this scenario. And for me, that’s crucial. Because if we leave people behind, they’re more likely to be victims of fraud.

“And whether we give them their money back or not, that’s never a great experience, being a victim of fraud. The studies we do, whether it be a company CEO, all the way down to John on the high street, the experience is never great. However fast they get their money back, they feel violated; they feel their whole world has crashed around them.

“The more people we can educate and make understand what the risks are in what they’re doing, hopefully, the less people we’ll have who become victims of fraud.”

Peter Loomes, a director at Sandettie, said: “I’m looking at cyber security from a business change point of view. It’s a part of modern day business, so every business these days is a software business and they need to be looking at the risks around that.”

Picking up on the point about younger generations knowing more about the digital world and social networking, he added: “I actually think they’re getting a little bit gung ho with their information. They don’t value it as much as we do because they’ve grown up accepting giving it away.

“Also, it’s not about the information I give about myself, it’s about the information I give about other people and the links I have and the way I can build information around those links – very, very simply with very cheap or even free software.  

“One of my big bugbears is people are encouraged to give their information away, but not necessarily made aware of the risks around that. Banks told us the risk mitigation measures around [things like] false card readers, they’ve told us to cover our pin numbers, but I’m not sure when it comes to social media people are getting that same sort of instruction.”

Stuart Wilkes, a freelance technical writer, said he had an issue with the term ‘cyber security’: “When you start trying to talk to companies, ‘security’ immediately puts some of them off. They’re all busy doing their business, they’ve got a lot of things going on and you come in and say: ‘We’re going to get all of these new policies and procedures in place.’ They see it as a business inhibitor rather than something that’s protecting them.

“However, if you change the terminology, if it became ‘privacy’, not ‘security’, you’d have a different conversation.”

Anish Chauhan, managing director of Equilibrium Cyber Security Services, said: “We’re an education mission and trying to help businesses who I think are the most vulnerable, and that’s the ones that are 250 users and downwards. Those are the ones who are the most exposed and the least savvy.  

“It’s almost an age versus youth topic. We’re kind of technophobes and what’s happened is the consumerisation of IT. Products and services were only really sold to businesses that needed them. Now everyone’s got a mobile device, everyone’s got a computer, [and that] means that the things that are running on them are simplified.

“When people are using social media, there are a few buttons and we’ve shared something with the world. A few years ago you’d need a computer to do all of these things. The social bits of software don’t want to be secure because their popularity is driven by the amount of information they have. So the consumerisation of IT is a big concern, and people bringing their own devices into the network is pretty fundamental to the security concerns that most of us have.”

Andrew Barnett shared a case study: “There was a large corporate where the CEO decided the best thing he could do was a weekly blog, saying what he was doing, where he was and how well the business was doing. A fraudster picked up on this and actively followed the blog. And then the CEO went out to the United States to negotiate a contract with a new supplier, and the fraudster rang the payments centre and spoke to a payments individual, we’ll call her ‘Dolly’. And he convinced Dolly through the information that was on the blog that he was the CEO and he was in America.

“He told her: ‘Look Dolly, I’m there negotiating this deal, and I really need you to be ready to make a payment to these guys.’ He waits for the next blog, reads it intensely, fills in a bit of background information by Googling things. Then he rings, speaks to Dolly: ‘Hi, it’s me again, as you know I’m still in the States, going really well, it’s going to be a brilliant thing for our company, how fantastic, just want to make sure you’re ready because we’re going to have to execute this really quickly, otherwise we’re going to lose the business,’ etc.

“Week three, same type of scenario, speaks to Dolly. Week four, the blog says: ‘I’m back in the UK, fantastic we’ve got the business.’ So the fraudster rings Dolly and says: ‘As you know, I’m back in the UK and we need to execute a US $1.5m payment to this account number.’ And she does it. Bang! $1.5m dollars gone.

“From our perspective, as soon as we were made aware of it, we made every attempt to try and get the money back, which is our job in that scenario. And luckily we managed to get a lot of the funds back by a lot of chasing, and by getting some of our guys who are based in the US to knock on some other banks’ doors.”

April Pearson-Myatt said: “I just struggle with that, coming from a finance background. I’m just staggered that in this day and age, those sorts of things are still happening. I agree with the cyber aspect of it, but when you then compound that with pure internal financial weaknesses, that’s when it’s so, so dangerous.”

Dr Emma Philpott said: “You have to start insisting on things. So with cyber essentials, the government has mandated it in many contracts from October. And we have seen a complete change. Before it was just the security companies adding another certificate. Suddenly vehicle tracking companies, healthcare companies are actually looking at it for the first time.

“Some of them are already secure; they just didn’t bother with a certificate beforehand. Others are looking at it for the first time, and so it’s opened whole new avenues by mandating it. If it really is a security issue, and if all these billions of money are going out of our banks and our companies, then mandate it.

“It [can be] associated with giving work. So if the accountant on the corner street, if more and more of her clients are coming in saying: ‘Can you show me some evidence that you’re going to look after my information?’ She would start thinking: ‘Maybe I should get that evidence, because some people are walking out the door.’ It’s not until you start saying: ‘In these supply chains, in these contracts you have to have this,’ that awareness goes up, and people start asking of their own accord.”

Stephen Wright said: “I think mandated things and regulated things is a start. But we all know when there are rules, there are loopholes and we find ways around them. The answer for a safe world is awareness and doing the right thing.”

Peter Loomes agreed: “The more we educate people and make them aware of their personal risks, we move it from security to privacy. The more they’ll put demands on suppliers, and customer demand is more than any other demand out there.”

Anish Chauhan said: “When things are mandated, organisations sometimes do the bare minimum. I believe that there’s a risk assessment that’s being undertaken, and that risk assessment’s badly done. It’s being done by a person in an organisation who isn’t necessarily qualified to assess a risk against cyber crime – so [they might say] if that solution’s going to cost us an extra 200 grand, then I’ll take the risk.”

Stuart Wilkes said: “Once you put that regulation in, that you will be personally, financially liable for losing this data, these companies will come knocking down the door for the certification, for the training, for the solutions.”

Martyn Butcher said: “The policing of it all is the challenge, if you’ve got the mandatory stuff in place, you’ve got to do what you say you’re going to do. You’ve got to fine people and you need to advertise the fact.”

Rae McClelland said: “If we do end up mandating things, I think it’s got to be scalable, it’s got to be enforced and checked upon. But who’s going to do that, who’s going to finance that? That’s what a lot of my clients ask me. They’re overwhelmed by what they’re facing and by what they’re being increasingly challenged to face by their customers.”

Andrew Barnett agreed: “We [Barclays] do customer awareness sessions – we talk about cyber, but also the more basic stuff, invoicing, the whole spectrum. I gave a case scenario today, and I try and bring all of those sessions alive, as do my colleagues who do them with CEOs of companies, governments and local authorities.

“And then we challenge them – this happened to this company, could it happen to you? You see a number sitting there feeling confident, and a number scribbling rather quickly. That to me is the way to get it over – give live examples of what’s happened, and the impact on that company, and challenge them: ‘It could happen to you.’”

Andrew explained that banks share a lot of information on cyber security: “We share accounts that have had fraudulent funds paid into them. We share bad IP addresses amongst us, we share bad devices. We do work together on these things and we work with law enforcement on the larger cases, because they’ll only take on the larger cases.

“The ‘digital driving license’ at Barclays is open to everybody and does some excellent stuff around giving overall views of cyber in general: how to use websites, what some of these technical terms mean, and trying to explain them in layman’s terms. If you get over 6,000 points you can become a digital eagle, you’ll get a cyber certificate. Internally we have competitions between teams, between departments around who can get the highest points, and it becomes quite an interactive way to engage people.”

Stuart Wilkes said: “Social media is huge. Facebook, Twitter, LinkedIn, YouTube, Pinterest, Instagram, blogs, forums, etc. The challenge is that social media companies, who’ve been phenomenally successful, have failed by not communicating what they’re actually providing. They’re selling to us on functionality; they’re not telling us that we’re the product. We’re giving this information away free based on what it’s going to do. They’ve not told us: ‘We’re going to use all this information to sell you advertising.’”

Ruth Inglis agreed: “It’s like Gmail, they read every single email that comes in, it’s written in their privacy policy – it’s pretty easy to find. If you say in an email: ‘I’m going to my friend’s wedding next weekend,’ the next thing you know you’ve got an advert for a wedding dress. They own that information because it’s a free service.”

Stephen Wright said: “We teach how to use social marketing safely, how not to give too much away, how not to put your employees at risk. There’s an awareness raising course which is giving examples so people can relate them to the world they’re familiar with, so they understand where these risks are coming from. It’s finding that way to empathetically engage with people and get them to see where that risk exists.”

Rae McClelland said: “I probably work with more young people than everybody else in the room put together. Every week we have 20 young people from local schools coming to see us. I am amazed at how astute and interested and engaged they are with the subject. I think it just takes that little bit of fire for them to actually be engaged [and] interested in learning about privacy and actually caring about these things. These young people are digital natives, that’s what they’re known as.”

Peter Loomes said: “I’m going to go back to education, education, education. It’s up to the IT industry and the cyber industry to put away the fear, uncertainty and doubt and look at how people interact with the internet, what they want to do, what they want to achieve. We need to educate them more effectively around doing that.”

Stuart Wilkes said: “I do think there are two actions we should take. I think in business we should mandate in one form or another, so it’s going to give business consumers a level of trust that their data is as secure as it can be. On the personal side it does come back to education – but I think it should be in the National Curriculum, so the next generation as they move into the workforce will just take it on naturally.”

Chris Gould said: “It’s education, but it’s more about cultural change and that comes with reinforcement of behaviour. We can talk about education, but we need to reinforce that with something that makes it worthwhile for individuals. If we want to be on a level playing field, businesses need to share information with each other about the things that they see. I think, when you do that, you end up in a much better position.”

Dr Emma Philpott said: “A lot of it has started happening. It’s going to take time, but I’ve talked to all sorts of schools, and they have people that go in and talk about cyber security and online bullying from really young ages. There’s an organisation called E-Safety, they are brilliant. They aim it at the children and then often have a session for the parents and they give really good advice. So much has happened, but it’s only just started happening in the last couple of years and it all takes time.”

Angela Irvine said: “From an insurance point of view, we need to educate our clients and prospective clients of the risks they’ve got involving their data. We need to make sure that people are aware of what they can do to protect themselves, not just with the insurance product but with everything else that’s available to them. From a social media point of view, make sure that our corporate clients and our SME clients have a social media policy in their staff handbook, so that there’s some control of what employees are putting on LinkedIn, Facebook and Twitter.”

Stephen Wright said: “We don’t go down the street and shout our address and that we’re going on holiday for the next week. But in the cyber world there are people still doing that. I’d build on the monetary aspects within business and there is a place for some legislation around that, but it’s only a small part of the solution. There is stuff going on in schools but for those who don’t have children, for the grey-haired people, that level of education is not getting into their homes.”

April Pearson-Myatt said: “From a corporate point of view I think that organisations have that responsibility, and I’d like to see more organisations working with young kids and bringing them into the corporate environment so they can see first-hand how it works. From the legislation point of view, it has to come in, there has to be some definite standards in there.”

Ruth Inglis said: “The FBI is using GPS signals on phones to combine with people inputting pin numbers on cash machines to make sure it really is you. Could we use check-ins on social media to pinpoint people and make sure they are in Rome, if they just said they’d been to the local pub and their card’s been used in Rome? Instead of thinking that all that information that’s been stored is the enemy because there’s nothing we can do about it, let’s utilise that information to help us. The banks need to tell people when fraud has happened to them and not just cover it up for fear of reputational damage. That move would have a massive impact because people would know that it is happening to them.”

Concluding the evening, Andrew Barnett thanked all guests and said: “I agree education is something we have to do. The sceptic in me, having been in security fraud, means we can lead people to water but we can’t make them drink. There will always be people that never listen. We need to protect people from themselves, we need to have cloud security systems in place. We should mandate that when you set up social media, the security setting is the maximum. If you want to amend it and tell the whole world everything, well so be it on you.

“People are genuinely lazy, if you set something up and it’s got the maximum settings, they’re generally not going to bother to change it. But at the moment, Facebook and Twitter are completely the opposite, they set it at the lowest and then you’ve got to raise it. We need to create people who are smart sceptics so that they’re sceptical of the things which people tend to trust too much in the modern age.”

Referring to Ruth Inglis’ point about “the force for good”, Andrew agreed, and said: “Unstructured data and proximity are two things that we, as an organisation, are looking at, to help you on a financial journey. Not annoying you on holiday and blocking your card just because you’ve decided to visit somewhere and the last transaction you made was in Tesco’s, and why would you suddenly be in New York. We can use that data in stopping more fraud, but also allowing more of our customers’ genuine transactions to go through without interrupting that journey.”


Discovering fraud and limiting exposure to risk

In terms of actually uncovering fraud, businesses are most likely to ultimately detect it themselves. CIFAS (Credit Industry Fraud Avoidance System – The UK’s Fraud Prevention Service) stated that of all the cases recorded on their Internal Fraud Database in 2013, around 60% were discovered by organisations’ internal controls, processes and audit procedures.

Employees are one of the best fraud risk management tools available, and their instincts combined with technology can be an excellent fraud management control. Regular training sessions can help build your staff’s intuitions about where fraud could be taking place, and this is where Barclays can offer support. It is also important to remember that the majority of staff will not engage in fraudulent behaviour, and can be a valuable ally in uncovering fraud.

Businesses could set up a whistle-blowing line to report suspicious behaviour, while consultation with operational staff can also help businesses uncover process weaknesses and understand how controls might be circumvented. Where a fraud is uncovered – whether actual, attempted or an operational loss – it is important to review the control framework, understand where the weakness existed, and then either close the gap or quantify the risk, accept a tolerable level of fraud and mitigate the unacceptable remainder by adding additional controls.

By being aware of some of the risk factors and taking steps to prevent them, corporates can help to protect their profitability and stability.

Worcestershire Cricket Club, County Ground, New Road, Worcester, WR2 4QQ.
Tel: 01905 337922