by Gareth Biggerstaff, be-IT I have to begin this article with a caveat, namely that I’m starting from a position of relative ignorance. I am an IT recruiter, not a techie, and although I’ve accumulated a fair bit of knowledge about the computing world over the last few decades, I couldn’t begin to come up with whatever it is that prevents cyber attacks. Remembering passwords is hard enough. That said, I have been in a senior position in business for quite some time and I know it doesn’t take much to damage a business that has been carefully nurtured over the years to make money and give a lot of people a living. And, to return to the security challenges resulting from my frequent mental groping for passwords, I know that cyber crime is a key issue for my and all other businesses. It’s scary to be honest. The latest news is that LinkedIn is being used by criminal gangs “to impersonate bosses and demand cash transfers.” This may seem like small beer compared to hacking into a major telecoms company, but in reality it appears that large sums are involved and the criminals are happy to take on global behemoths like Google and Facebook which, together, were scammed out of more than $100M earlier this year by a 48 year old Lithuanian. The report on this in the Times tells us that, “According to the US Justice Department, he forged email addresses, invoices and corporate stamps to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.” The crooks are able to send emails that look as if they have come from an authentic email address. You’d think that Facebook and Google were big and tech-savvy enough to prevent this sort of thing, but apparently not. Even at the level of Be-IT, not on the same scale (yet!) to Google, criminals are prepared to chance their arm. We’ve had similar attempts made to get finance staff to transfer money after they received an email purporting to come from me. Fortunately, the idea of my giving money away rang alarm bells (yes, I know) and we were not conned, but I’m by no means complacent that some day we won’t be a victim. One-off hits, whether of Be-IT or Facebook, are not likely to destroy the western world’s economic foundations. Even if $100K is a rounding error on a rounding error on Facebook’s petty cash tin, it’s not going to bring the company down. But criminals don’t need to do that. Like most businesses (which is, in effect, what they are), a long-tail of “clients” is better than hoping that you’ll land a jackpot once a year. Consider the recent (May 2017) WannaCry malware, which demanded $300 in Bitcoin if users wanted to get their data back. It’s the cumulative amounts that make such crime worthwhile. $300 may be peanuts for saving your data, but then remember there were 57,000 organisations affected. You do the maths. The fact that cyber crime is big business is well known. What does rather cause me to despair is that we – and by we I mean business leaders, whether of SMEs like Be-IT, giants like Telefonica and even state governments* – don’t seem to know what to do about it. To return to the WannaCry episode… At the time, there were lots of different theories as to who was responsible. Edwin Snowden, perhaps unsurprisingly, blamed the NSA. Others blamed North Korea or the Russians. Then the hero of the hour, Marcus Hutchins, who is credited with slowing down the WannaCry attack by discovering a “killswitch,” was arrested in the USA, accused of involvement in the creation and dissemination of the banking Trojan virus Kronos (we should stress he’s denied any wrongdoing). Just how are business leaders supposed to know what they need to protect if we don’t even know where the threat is coming from? Every week it seems there is yet another piece of research that shows companies are not keeping up with the bad guys. The day after I began drafting this blog, another report specifically focused on the threat to small businesses in Scotland. The costs are financial and reputational, but it is so difficult to ensure we’re protected. We have to be lucky all the time: the cyber-criminals only have to be lucky once. However, having said all this, I’m well aware that there are many simple things that can be done to protect businesses. Yet for some reason, despite all the publicity, it appears that as a country we are determined to make life easy for those who wish to do us harm online. For example, is seems that the vast majority of NHS trusts in the country have recently been using Windows XP, creating an open goal for the criminals. Equally worryingly, the navy’s Type 45 destroyers, famed for their ability to detect a cricket ball sized object at many miles, intercept and destroy it, are reported (albeit with denials by the authorities) to run a form of Windows XP. Given the horrendous problems with these ships’ propulsion systems it’s hardly surprising that worries exist elsewhere. Does either of these stories make you feel more secure, or are they “fake news?” We’ll not know until the NHS is seriously hacked again or the navy suffers some disaster. I am (just about) sure that someone will be doing something about these issues, but in the meantime, let’s be honest, are we not just all simply muddling along? Small wonder the cyber criminals flourish… Gareth Biggerstaff, CEO, Be-IT * I have written before of a friend who attended a conference in London where the government’s head of cyber security said, only half-jokingly, “you just have to admire the criminals!” To be fair, he also said they were working very hard to stop them, but the point he was making was that said criminals are, as noted above, large-scale businesses with fantastic technology that makes them a lot of money. This is reflected in a key problem for GCHQ in recruiting techies to combat the criminals: they don’t pay enough money….