Time Stamped Show Notes:
8s: Guy Phoenix who has led a very interesting business life and there will be a book. There will be a separate podcast about Guy and his working life including stints in South Africa, Japan, British Virgin Islands. Today we are talking about cyber security.
1mins 12s: Tell me about your businesses. I have several businesses: predominantly IT support services, website and digital marketing businesses and cyber security businesses.
1mins 46s: Should the businesses of Harrogate be concerned about cyber-attacks? Absolutely. If you are a small-medium sized business, you should be very concerned. This is because about 3 years ago, the worldwide cyber attackers switched from attacking large companies to small-medium ones. Larger companies grew aware of the attacks and put up significant defences which made it harder. Also because some SME’s don’t think they’re a target for this and they don’t have the same resources.
3mins 44s: How could these attacks close businesses down? There are hundreds of ways of attacking a business. The most successful way a business gets hacked is through a phishing email. This is an email that comes through with an attachment or link, and someone in the company clicks on it. When this happens, best case scenario is that the company is hit with some ransomware and they’ll be demanding bit-coin ransom from you which could set you back £400-500. This software is designed to spread through your network, and it could be on all of the computers, even the server, and the costs of that mount up if you choose to pay the ransom.
5mins 3s: Worst case? You get someone who’s patient. You click on a link and nothing happens. Actually, you’ve provided access to a hacker who will watch your emails, your transactions for weeks or months, and learn. They will figure out the most persuasive way that they can send you an email or do something to your systems to bring about their desired outcome – normally getting a tonne of money out of you. Or, they could log on one evening, change some of your accounting settings so when your regular supplier invoices get paid, they get paid into someone else’s bank account and you won’t find out for weeks until someone calls you up saying they haven’t been paid.
6mins 22s: Does much of this depend upon the hacker being able to access your online banking or is it the details that are being sent to your customers? It’s the latter. Banks have incredibly sophisticated systems. Hackers will focus on trying to ascertain what those credentials are to access the bank account, or convince a customer or supplier that they’re you and get you to transfer money to them.
7mins 28s: Do you have some examples? This is exactly the kind of thing that can happen to you: one of our customers in the British Virgin Islands came to us and said “we’ve been notified by a law firm in the UK that we’ve instructed them to transfer money but we’ve spotted that it’s not correct so we aren’t going to do it”. They had taken our cyber security training which is how they’d been able to spot it in the first place. The request was for $4 million and that would’ve been on them to do that. It turned out the law firm in the UK had been hacked and they’d decided this was the best way to get money. We traced the hacker to Nigeria which is hard to take further when you cross jurisdiction.
9mins 13s: Another example which ended far less happily: one of our customers in the British Virgin Islands had a client in Dubai. They put us in touch with that client as they had a problem. He had received an instruction from a firm in Mauritius to transfer $9 million which he had done. His systems had been hacked about 8 weeks before and they had been watching. We traced it back to Nigeria. This doesn’t just happen in Nigeria, it’s all over the world. That client is now out of business because of that.
10mins 45s: Surely businesses in Harrogate could just purchase cyber insurance and that would cover everything? I’ve read some of the policies and I have a number of concerns with them. A lot of the policies to me look like they are all encompassing and there are 2 problems with that.
- If they are all encompassing, they would start seeing a lot of claims. They would have to pay out a lot so they would tighten their policies and policy prices would go up.
- The people taking out the policies will be thinking “great, I don’t have to do anything about cyber security now because I’m insured”.
If you have a nice car or house, just because you have insurance, doesn’t mean you don’t lock it up. If you are ever hit, the insurance claims would ask about anti-virus etc and if you can’t evidence that then they won’t pay out your claim so you’d lose twice.
12mins 42s: Is anti-virus enough? No. You must have anti-virus at least. We would first look at the inside threat which would be your employees – they could click that link, for example. We would then look at monitoring and managing your network traffic. We have software that can see everything coming in and going out of your network and the moment it sees something, it tells us and we act on it.
13mins 57s: If businesses use the Cloud, does that give us more protection? I think it gives you an extra level of risk because you’re depending on an external third party to provide the service. You could mitigate that risk but if you really wanted to give yourself full protection, you would simply have an on-premises server locked up with all the relevant cyber security measures put in place. Then restrict what access is available from the wider internet.
14mins 54s: Installing these things would be more GDPR compliant? GDPR certainly plays a part. The major element of GDPR is if you suffer a data breach from a hacker. I think the ICO (Information Commissions Office) would be asking what measures you’d taken and were they reasonable and sensible.
15mins 39s: Harrogate businesses were attacked by cyber in 2015, I think it was Betty’s Taylor’s customers and 100,000 customers had their data taken. There’s an article in the Harrogate Advertiser. An email address may not seem like much but the ICO takes any breaches seriously and the email address is still gold to the hacker. If they have an email address, they have a start. A hacker will do something called social engineering. They will take a look at your Facebook page, LinkedIn, etc. In my experience, in 20% of cases, just from looking at your Facebook page, they’ll be able to make a good guess at your password.
17mins 29s: What is the cost of cyber security? We have online cyber security training for staff for £35 and you’ll get a certificate at the end if you pass. The monitoring software is just £16 a licence. It is affordable and takes you a magnitude higher in terms of your cyber security awareness and combating the threat. I am an SME myself and I use this software myself.