Cyber security – how much do businesses really need?

admin Blog, Cybersecurity

This is a write up of a live interview with Ed Ainsworth on Share Radio. Listen to the interview recording here.

We read a lot of stories about cases such as TalkTalk and other companies when they come to light, but a huge number don’t.

Most attacks don’t actually come to light. There are globally 19 million attacks a year. A lot of them are low level attacks that companies don’t even know have happened and only find out later during an audit. I have seen estimates of a total cost of attacks of £575 billion a year.

Clearly people get worried about this if they run companies but weirdly they then don’t do anything about it?

Some companies do and some companies don’t. I think the challenge is that it’s a difficult purchase and it’s difficult to know what to do. We work with companies on what services and solutions they can buy, help them structure what they need to do and where they get the highest return from. And one of the challenges companies are facing is that it’s difficult to know what to do – there is no common standard for cyber security, the quality is variable and you often don’t know if it’s working.

So do you basically go in when they have already worked out what they want to protect or what the problem is, or do you actually need to help them and find that they don’t know where the risks are?

Yes, that’s one of the challenges. Most companies haven’t sat down and thought about what the actual risks are, because they are very different if you are a consumer-facing organisation or if you are a bank, and it’s different if you have a lot of databases and client records. It’s different if you keep financial information or if you don’t keep financial information – so almost the first step is the process that works through what attacks am I vulnerable to, what should I do and therefore how do I protect myself?

So what are the things that surprise businesses the most?

The story in the FT is always interesting and so is the TalkTalk example – the kind of big high-profile cases, but it’s actually the low-level cases that are happening all the time. The things that are just most common are people getting your credit card information from the Wi-Fi while you are at a station. You mentioned emails earlier on – that’s very common. We’ve seen law firms on a Friday, when they are doing a lot of exchanges, just get sent an email saying “We’ve changed the bank details from this account to another account” – the email looks completely genuine but the money for the transaction is immediately lost. And as well as that, there is simply clicking on attachments. So a lot of the issues are about how you protect yourself from those low-level risks.

In the case of the first one, when you have someone grabbing information from someone else’s credit card – whose problem is that?

It just depends on the situation. Normally, the bank refunds it, but in certain corporate situations they don’t. So maybe if you have done your corporate banking and you have given your bank details away – that’s harder if you’ve made the transaction and sent it through.

One problem here seems to be that quite often people are approached by what turn out to be thieves, hackers, cyber criminals – however you want to describe them – posing as someone who is trying to help them. This actually happened to a friend of mine who was a TalkTalk customer, and she had what she thought was a routine call from the company saying that she might have heard about the problems and that they needed her to make some changes to her security settings. She is an intelligent woman and she was just about to do it when her son said he thought it was weird.

I think that’s right. And a lot of the work we recommend with corporates to start with is just on training and awareness, and that applies to people personally – don’t give information out over the phone; you should call them. Most, if not all, reputable organisations will always let you call them back and check the number on the internet. Make sure you are 100% sure you know who you are talking to, and even if someone sounds very nice and genuine when they call you and ask particularly for your bank details or credit card details, you shouldn’t give them away.

Life isn’t simple in businesses, is it, because decisions have to be made at a certain level of management, then solutions have to be procured. So just talk me through some of the issues that managers who are asked to find a solution face – and of course it might be an expensive one that doesn’t even work.

I think first of all, if you want to work through the solutions, you have to look at what the risks are – so looking at the assets you’ve got at risk, whether they are databases or systems, and where are they? Are they assets that you hold or are they externally hosted? And some of them might be hidden. It might be a call recording system in a call centre that you need to protect. Then you actually have to work out what happens if there is a cyber attack on these systems and what the cost of it is. In some cases it might be quite high, in some cases it’s not very high. If you think about TalkTalk, their cost was very high because they had to go and inform everyone that there had been a breach. And that’s how it gets very expensive: if you have 5 million people and it’s a pound or two to inform each of them.

It’s quite complicated too, because many functions are outsourced to some degree, so the problem is that the data may be in the Cloud, it may be held on a server somewhere not on your premises – so you might think it’s not really your responsibility.

I think that’s exactly the point – outsourcing can be very good, and some outsourced data providers are really good and have probably invested in this area more than any other company would.

Do you ever encourage people to bring stuff back in house?

The answer is always – it depends. For something like data storage it’s very expensive to do it yourself, because you have to think about the physical security and the cyber security. Typically, having a really good outsource contract is usually better, but in other cases it might be better to do it in house.