Tony Richardson, managing director of Octree, has responded to the government unveiling a £1.9 billion programme to protect the UK from cyber criminals up until the year 2021.
The ‘National Cyber Security Strategy’ was launched by the Chancellor, Philip Hammond, on November 1 and sets out the ‘decisive action’ needed to protect the UK economy and the privacy of British citizens, while encouraging the industry to do more to prevent damaging cyber-attacks.
It comes after figures released by the Office for National Statistics (ONS) estimated that there were almost six million instances of online fraud cybercrime in the UK in the 12-month period up to the end of June 2016.
Richardson, who has 28 years’ experience in the IT industry, said: “In the long term, this is about education: trying to encourage youngsters to take on ICT-type courses and then move into cyber-security in further and higher education. One of the fundamental problems is that there are fewer people studying ICT at school than there were 20 years ago.
“If the government are just going to throw money at countermeasures, it’s a futile exercise. We’ve got to look at things from an education basis, from a secondary school level.
“For businesses, security training has to be moved up the agenda. It is social engineering that leads to problems as far as ransomware is concerned, because the delivery mechanism will always be an email being delivered or a website being visited. Therefore, people need to be educated not to click on links or open attachments, and to be prepared to question suspect emails and, if necessary, escalate them.
“Ultimately, business directors are going to be liable, so I’m sure they’ll be keen to get that message across.”
“I became involved with a financial services firm after a ransomware infection, called CryptoWall, had completely compromised their systems, locking them out. This was due to their incumbent IT firm not ensuring that basic anti-malware was installed on their computers. They didn’t have a backup and their files were completely locked, so their choice was to pay a significant ransom or attempt to rebuild their data and database from paper records.
“They chose to rebuild their database, which I suspect will have been extremely costly and time-consuming. It’s not unusual for small businesses to be in a situation in which they are unaware that they are unprotected, one of the fundamental problems being that a lot of small businesses do not think that they are vulnerable to these types of attack.
“The second dangerous fraud we’ve seen recently is a whaling attack, or CEO fraud, in which an email is sent, purportedly, from the CEO or Finance Director of the company, generally to the finance department staff, asking them to make urgent money transfers or otherwise risk losing some business. The email proves to be fake and the money is lost.
“It’s the social engineering element that is the biggest threat vector for businesses. We’re all part of that altruistic society, we want to help out and provide information and this is the thing that is being exploited. The fundamental problem is that people just aren’t aware of the risks.
“SMEs need to become more aware of the dangers of cybercrime and the options that they have available to them. There’s a perception that cybersecurity counter-measures are incredibly expensive, and therefore it’s better just to ignore the danger, put the head in the sand and hope not to be affected by cybercrime.
“There are ways to ensure that you and your business are taking appropriate measures without breaking the bank.”
Richardson has also expressed enthusiasm for HMRC’s plans to launch ‘Making Tax Digital’, whereby all landlords, businesses and self-employed people will be expected to manage their tax affairs digitally via an online account and will be required to update HMRC on a quarterly basis.
This, Richardson believes, is an opportunity to tighten cyber-security measures: “I’m a great believer in cloud computing improving security for SMEs, because cybersecurity becomes the responsibility of the software provider, which is in a better position to address those.
“Review any service-level agreements and security certifications. Bear in mind that a small business will have very little influence on negotiation with a large Software as a Service (SaaS) provider, but if you imagine how damaging a successful cyber-attack would be to a large SaaS provider, that offers some reassurance that they will be ensuring their systems are up-to-date.”
Richardson will be speaking at the UK200Group Annual Conference, held at the Ageas Bowl, Southampton, SO30 3XH, from November 16-18, 2016. The UK200Group is a UK-based membership association of quality-assured chartered accountancy and law firms, representing the interests of 150,000 SMEs through its members.