When it comes to technological solutions for cyber crime “there is no patch for human stupidity,” said Paul Hoare, senior manager, protect and prevent, at the National Crime Agency, presenting at PIMFA’s financial crime conference 2018.
Psychological Cyber Threats
Cyber attacks that aim to make use of psychological weaknesses “can by-pass almost any technological security”, said Hoare. He gave the example of a cyber-attack that was aimed at strategic industries in 2017 that used a profile of a young female photographer to phish for men who would click on the link. “A lot of people fell for it,” said Hoare.
While phishing is directed at a wide base of employees, “whaling” is aimed at the ‘C’ suite. “The [attackers] put in a lot of effort,” said Hoare. “Be clear that board members are likely targets...They have the authority to send money out.” He added that a number of smaller companies have gone bust because the email accounts of board members were compromised and junior staff did not question an order to transfer a large sum on a Friday afternoon.
As that suggests, the attacks can be lucrative. Around 1/8th of the UK GDP is dependent on the internet, according to Hoare. Financial services industries are a particular target for organised crime because the data and profile of wealthy clients and funds are useful to criminals and because smaller firms are unlikely to have the well-policed IT systems of big banks.
Community Combating Cybercrime
To try to protect the industry as a whole, Hoare said, firms should report any breaches to the police. “There is a huge amount of under-reporting,” he said. “Big banks understand that this is a community effort, small firms need to as well.” He also recommended that all firms have a “weekly, dynamic, update on who might compromise their information security”.
There is, he said, a cyber-essentials kite mark available, which demonstrates that firms are cyber-aware. It costs £300 (though how much it might cost a firm to get its systems into shape Hoare was reluctant to say), and “could reduce insurance costs”.
Hoare was not in favour of more regulation to address growing problems like muling and money laundering. (He noted that muling was being facilitated by the ease of opening bank accounts.) What he wants to see is self-policing and self-regulation. “With regulations there is a law of unforeseen consequences...It has to be bottom-up,” he said.
Terry Wilson, of the Global Cyber Alliance, speaking at the same conference, said that some of the best cyber protection is simple and free, and cited the QuadC DNS filtering, which helps prevent denial of service attacks.