Data can be one of a firm’s most valuable assets, but are companies taking sufficient steps to ensure that it doesn’t fall into the wrong hands? With a rising number of small businesses reporting hacking, is enough being done to educate staff on best practice? And is there adequate risk management to ensure reputation isn’t damaged by avoidable negligence? Leaders joined IoD director general Simon Walker to discuss…
SIMON WALKER Welcome to the Institute of Directors for this roundtable discussion on cyber crime. Britain leads the way in online commerce – 23 per cent of retail transactions take place online. Our closest competitor, Germany, comes in at half that and the G20 average is about six per cent. And it’s not just retail. Ten per cent of Britain’s whole economy is online, again the highest in the world. But with the opportunities, so come threats.
Cyber crime can sound a bit Hollywood action movie-like. High-profile cases, like the widely covered leak of the names of those using the Ashley Madison website, sometimes give the impression that cyber crime is something that only happens to big firms.
And, similarly, the news that the North Korean government has expanded its cyber warfare unit to 6,000 troops is interesting and probably not a great development for companies operating in Seoul, but it sounds more like the beginning of a James Bond film than it does something that will affect small businesses on the other side of the world. We may like that to be the case, but it isn’t, because small and medium-sized firms are becoming targets for hackers as well. In 2013, nearly half of all SMEs said that they had been a victim of cyber crime, and I suspect the figure has risen since then.
Nothing is more valuable in the business world today than data, and small businesses hold an awful lot of that. The consequence of cyber crime can be severe. New rules from the Information Commissioner’s office mean that companies can be fined if their security isn’t up to scratch.
For most of us, the language can be quite confusing; malware, ransomware, black hats and hacktivists sound more like video game characters than imminent threats to our businesses, but I hope that by the end of this morning’s event we can have a bit more of an understanding of the kind of opportunities and threats faced by British business today.
With that in mind, I’ll hand over to head of technology, cyber and data, for Hiscox – Matthew Webb. Hiscox provides insurance for 35,000 technology companies across the UK and Ireland and leads the way in cyber insurance. Matt, over to you…
MATTHEW WEBB It’s not every day that man makes a new peril that virtually every business has an exposure to. Cyber as a risk has escalated in importance in recent years as we become more reliant upon the IT systems that we use and we hold more data.
Hiscox published a study in September called DNA of an Entrepreneur. It focused on 4,500 SMEs across Europe, with over 1,000 from the UK. Part of the study looked at cyber risk. One of the interesting things that I took from it was that – compared to our study in 2012 – the concern around cyber risk, cyber crime and hacking has quadrupled.
I’m very interested this morning to hear about your experiences with cyber, if anyone has had a breach and the risk management that’s in place.
WALKER Thank you. I’d like to start by asking how your business behaves online and how you operate in terms of data…
DARREN FELL As the fastest-growing accountancy firm for freelancers, microbusinesses and contractors, we hold so much data on our [almost 8,000] customers. We have 30 to 50 pieces of information per director of each company. Our approach has been to hire someone who thinks like a hacker. We can get all of these amazing systems and files, which we do have, but the most vulnerable point is the employees. And that is the scariest thing. We approach this with simple measures, such as disabling the USB ports on the PCs. The classic test is to leave a few USB sticks lying around outside, see who picks them up and see who actually plugs them in the PC. A hacker could drop on [to the USB] hacking software and they are in. If we lose data or we get a breach, our reputation goes with the data going out to the marketplace.
WEBB Studies have shown that if a USB stick has a company logo on it, over 80 per cent of people who find that USB stick will plug it in. If you put a CD with payroll written on the front, the open rate goes up to 100 per cent.
BERNADETTE KELLY We’re a digital acquisition marketing company, so we have a great deal of data coming through on consumers who are signing up to our affiliate programmes. We seem to gravitate to highly regulated industries like finance, banking and gaming, so we have to be very diligent with data protection by law and by ISO requirements.
I believe many SMEs think their business isn’t big enough for somebody to bother hacking, but there are other cyber dangers to worry about. If you don’t put strict barriers up for employees, they could potentially download viruses and malware. Because we thrive online – we wouldn’t have a business without it – we have to make sure that we’re protecting our business as well as the data of the players and acquisitions that we’re driving.
JANE MICHELL It’s not just employees. Sometimes customers of our diet delivery business leave credit card numbers on our answering machine or text them to us. We’re compliant at our end and delete the data – because the moment it’s left with us, the data becomes our responsibility – but we have to tell this person that it’s the wrong thing to do.
LESLEY MOODY We develop online software systems. Our customers are accessing systems we’ve developed, so if they give away their user name and password or they’re lax about how they store it, that makes life very difficult. If we’re offering a system to a customer as a service, we need to look at our servers, our server farms and conditions for their staff as well. It’s multi-layered really.
ESTHER McMORRIS A lot of it sits in behaviour. Our organisation – a consultancy business specialising in project management – has 30-40 consultants who take their laptops into the FTSE companies they work in. You can put rules in place but, ultimately, it comes down to behaviour. We see a lot of client data so it’s [a question of] how do you manage that and how do you make sure that there’s no risk that leaks out through us?
WALKER Because presumably, if someone is trying to attack a big FTSE company, a good way of doing it could be through you?
McMORRIS It could be. Clients work in different ways. Some mandate that we use their laptops and we use their technology. We have our own rules and processes in place to stop that [data breach] from happening, such as what happens if a laptop goes missing or gets left on a train. We need to make sure that security is really tight.
FELL We built a massive accounting system six years ago and we’ve taken the big step of deciding to rebuild the whole thing again. Why? Because if you start again with the latest technologies, you’re building for security and you’re filling all the gaps.
Banks, for example, are working on systems that are probably 30 years old… legacy systems that they keep patching, but it’s easier for them to suffer major cyber crime and hide it than actually rebuild the whole system.
WALKER How much does it cost to rebuild a system?
FELL We’re spending about £1.5m a year on our team. We’ve got a team of 45 developers, QA [quality assurance] people, product owners and an eight-man UX [user experience] design team. We did it, not for security per se, but to build faster and add more products. After a number of years you end up with what they call a monolithic code block. So at a certain point, if you’re brave, rebuild the whole thing, and while you’re at it, put the system administrator – who thinks like a hacker – on it, and plug every single gap while you can.
WEBB When the original system was designed, how high on the agenda was the risk management around security and how high on the agenda is it now that you’re redesigning it?
FELL Having launched one start-up before [email marketing company Pure360] it was super-high on the agenda. It was an enterprise Java system, which is what the banks program in, so super-secure in its own right… But it’s completely integral now.
KELLY I was a victim – personally – of hacking through my bank in America, quite a few years ago before people were more aware. I got a very official-looking email and provided the information that they requested. I didn’t think about it until I went to the cashpoint the following day and there was no money in there. I remember thinking how stupid I could have been to share that information so blindly but then I became very diligent, learning everything I could about all the different types of ways that people could access your finances and identification theft, which is another major concern.
WALKER I’m really struck by how much more sophisticated hacking emails have got. They used to be full of misspellings but now I’m sure I’ve deleted quite a lot of stuff that I suspect was actually genuine rather than take the risk.
FELL My identity was used by fraudsters taking out a £1,000 loan from Wonga. A few years ago, Wonga announced they did the credit assessment via social media values. It was horrible, I spent a lot of time on a fraud hotline set up by the police.
ALISON HOWELL I noticed a Twitter account with my name and photograph but it wasn’t my account. It disappeared a day or two later but it was a wake-up call that someone could have been tweeting as me. My hairdresser told me of a situation at a company he worked for – an ex-employee hacked passwords and stole client data from the database. The consequences of that were quite large.
MOODY We advise companies on that side of things. It’s getting them to actually think about the things that they need. Even some large companies five or six years ago weren’t interested in Software as a Service (SaaS) because they wanted to hold data internally. Now, by using our experts to look after that side, back up or monitoring system usage, it releases their stretched IT team to do the server management side inside the business.
WALKER At one stage I had 23 different passwords and the more complicated they got – exclamation marks, upper and lower case – I couldn’t cope. I ended up writing them down…
MOODY We’ve developed systems within our software so people can ask for their password or a new password, but the way in which they contact us, and the information we require, means that we can be 100 per cent certain it is that person who is asking for that password. It is an automated system but it’s secure and encrypted, because it’s not just the actual data [you have to secure], it’s the data that’s travelling across the internet that must be encrypted as well.
WALKER What else have your businesses put in place to protect yourselves?
McMORRIS We train and educate [our employees] to understand the impact of the data that they are carrying around. We’ve tightened up our hosting. Many SMEs build a new website and worry more about the shade of orange than the security. Sometimes it takes a little breach to step up and get your right processes in place internally. If you’re using third-party servers, look at the company that’s providing those servers – in the UK or Europe, are they ISO 27001-certified or in the US, are they safe harbour servers?
HOWELL We try to protect ourselves that way too. As a walking-holiday company, we use a lot of cloud-based software for our data, so we check to make sure that they’re European-held servers.
MOODY Even in Europe there are certain countries where we would prefer not to host, purely because of the political situations. It may be cheaper, but it’s not worth it.
McMORRIS I think most of us round this table are SMEs and don’t have a huge amount of IT resource, so it then falls to third-party management. Who’s managing your IT and how do you know they’ve got the right measures in place? I think a lot of it sits with supplier management.
FELL I’ve got a big team, but you still need external opinion. It’s called a pen test – a penetration test – where you hire a consultant to be as nasty as they want. If my internal guy has missed a few things he’ll kick himself but that’s the idea. We usually do a pen test every quarter but if you don’t have an internal team, a pen test is cost-effective. Get them to hit everything they possibly can.
WALKER How could our members access a pen test?
FELL There are lots of security companies out there. They can be as cheap as £1,000 and go up into the tens of thousands of pounds. It’s a hacker-like thinking person who is trying to break into the website and look at vulnerabilities. At first, they will look at passwords. It’s surprising how many businesses don’t make secure their password sets. I once read that a five-character password takes one minute for a hacker to hack. If you add a number it’s 10 minutes. If you make it 17 alphanumeric [characters] with symbols, it takes them 18 years.
MOODY Some of our customers insist, when they’re looking at taking out a contract with us, that we build into that contract annual penetration testing.
WEBB While we’re on the subject of risk management can I ask for your thoughts around the government initiatives to assist companies? In 2011, we saw the launch of the national Cyber Security Strategy, and part of that was Cyber Essentials aimed towards SMEs – a framework to work towards to give customers confidence that you take cyber security seriously.
HOWELL I came across Cyber Essentials while preparing for today. I filled in a simple, straightforward checklist. I think in the future consumers are going to be more interested in protection of their data – financial information and personal information.
WEBB Are the government doing enough? There was huge investment – around £850m – and they did really push Cyber Essentials in the circles that I operate in but it’s really geared towards SMEs. Is the message getting out?
McMORRIS It might be part of a start-up’s strategy but even after operating for 10 years I don’t have the time to do an ISO [International Organization for Standardization]. You have to go the whole hog but for all of us wanting to do it the reality of the day-to-day takes over: winning a new sale, a client issue and so on. We have it lightly rooted and it would be great to have it firmly rooted in your governance. Client data is important for us, so we make sure we have measures in place, but we wouldn’t go down that ISO path just because it’s too onerous and too tick-boxy, and I’m not really sure whether it gets us any further to where we are now.
MICHELL We have a consultant coming in to go over all of this stuff with us. As we’re getting bigger and bigger, we may be going through a few processes where we could come under scrutiny (for all the right reasons, not the wrong ones). We don’t have the internal resource or expertise and there’s always something else to do, so we thought we’ll outsource it.
McMORRIS What the government hasn’t done is get something that you can adjust for smaller companies. If your data comes out, Darren, that’s critical because it’s people’s accounts, whereas some of the data we have is neither here nor there.
WALKER Is it getting worse? Where will we end up in five years?
KELLY People are too trusting of an unsecured WiFi network, which is insane because the information that’s passing through is so easily hacked. So let’s say someone is travelling for business and they need to access their emails; they search for WiFi and see an open network. Without thinking, they join the network and start checking their emails. Now the hackers have access to their email systems and all the confidential information that is being transmitted. If they log into their mobile banking, that is another channel for hackers to exploit. When people think of cyber crime and cyber attacks, they tend to think of desktop and not really about the impact that mobile devices have on cyber safety. That’s something we look at very carefully because a vast majority of acquisition that we’re driving for our clients is through mobile devices and that continues to go up each year. We try to educate our clients on mobile security and the steps they can take to prevent hacks.
McMORRIS Many small businesses will agree they need to change their behaviour but go away and forget about it. Oddly, it needs high-profile hacking incidents for people to pay attention.
MOODY We’ve changed the way in which we design our software so that data that we, or our customers, are collecting isn’t stored all in one table, it’s stored in several different tables. It just makes it that bit harder if someone is able to access. If they hack in, they’re not just going to go into the system, into one area, and pick up everything and go. Again, it’s things like encrypting data as it’s travelling from a server across to an individual device.
FELL You want to super-encrypt all your databases, but now HMRC has an API [application programming interface] you need to drop data through when you’re doing returns. The database cannot actually be encrypted. So if you want to go extremely secure and encrypt all of that valuable data, then you have to de-encrypt it, sending it out over the connection to HMRC or Companies House. So now, because all of these interconnect with all the systems, API is the big word and you build what’s called your ecosystem, so you have your receipt-scanning software over there that connects via the API and your other piece of software that connects. It’s these APIs that, probably, are the next vulnerability. They’re passing data between other trusted providers.
WALKER For readers who won’t have given this a moment’s thought, what’s your advice on a first step they should take?
MICHELL Like anything when running a business, you cannot be an expert in every area. Not many people around this table design their own website, they might not run their own social media. Ask an expert to do it for you, because I think it’s slightly unrealistic for SMEs to think they can manage it in-house.
MOODY Be selective in who you go to, find someone who isn’t interested purely in just providing your web presence, but is interested in working with and supporting you.
HOWELL Start with the everyday basics: strong passwords, changed regularly, and train your team on processes.
KELLY We do regular risk assessments to make sure people are changing passwords and employees are not downloading things that they shouldn’t. Regular risk assessments can bring up things you’ve missed previously, hence we’re very diligent.
WALKER And of course, get insured. Let me ask Matthew if he could sum up where we are on all this…