Fraud and Cybercrime – Part 5

Article 5 – Manage the Threats to your Business 


Having worked with and advised many, many clients, across a wide range of Public and Private sector organisations, over the last twenty years, RedDrum have realized that most companies are really good at what they do. This could be building bridges, designing products, supplying goods, services or professional advice. However, those areas that are actually outside of what they do, but that are still absolutely vital to a company, for example, HR, IT, and business process management, are generally very poor. Let’s call these the back end processes.

It is still possible to be a very successful company despite being poor at back end processes but it is becoming more and more difficult to do so and, unfortunately, there have been cases where successful companies have been irreparably damaged when their back end processes have been exposed. These failures are not necessarily just IT based, but attacks can affect not only the bottom line but also a company’s brand.

The TalkTalk attack is a good example of this. News that their systems had been hacked led to an immediate 11% drop in their share price and long term damage to their brand. The article detailing this below is interesting reading, not just for the TalkTalk aspects.

Data Protection

It isn’t only the criminals that threaten a business. The current data protection laws, which are largely ignored by most businesses, carry astonishingly high financial penalties for breaching them. Fines for losing a laptop or phone that hasn’t been encrypted, or for sending an email to the wrong person, generally seem to start at around the £50,000 mark, a sum that would severely damage a lot of businesses.

Whilst the position is unclear following the Brexit result, it is still highly likely that the new European Directive on data protection will be adopted by the UK. This will make it mandatory to report any breach, widen the scope of data subject to the new Act and increase the level of fines. Even after undertaking all that is suggested in these articles, it is going to be almost impossible to comply with the proposed new legislation.

How to Protect an SME

Five steps to put a business in the best position to comply with legislation and to avoid or recover from a Cyber attack.

1) Technical aspects

Follow the advice in Article 2 of this series: a modern network that is managed, updated and protected by a combination of a firewall, virus protection and anti-malware software. The days of the ‘odd job man’ IT service are long gone, regardless of the size of a company. Equally, don’t be fooled by large IT support companies that talk about monitoring systems 24 hours a day. Fundamentally, you need a named Network Administrator who is prepared to contractually take responsibility for your network.

2) Human aspects.

Again, Article 2, with particular emphasis on Policies, Policies and Policies. Are your staff trained in the usage of the company IT systems? Are they fully aware of what they can do and can’t do on the system? Can they use email for personal reasons, access Internet sites for shopping etc.? Are any of the above detailed in an Appropriate Use Document? Is such a document incorporated into the employment contracts of staff?

Do certain staff have a role to play in the Disaster Recovery Process? Are accounts staff responsible for backing up data manually? If so, where is the data stored? Is it restored and checked daily, weekly or monthly?

Has any training been provided relating to the Data Protection Acts? Is there a Data Protection Policy? Do staff know what to do in the case that an incident happens, for example the loss of a phone or laptop? Just having such a policy in place could avoid a £50,000 fine.

Above all, Managers should be made to manage their Sections or Departments and the staff within them. If a particular Department has or uses ‘mission critical data’, they should be made responsible for ensuring that it is backed up, whether that be in concert with local or contracted IT staff. It is completely possible to put a backup regime in place that allows a non-IT Manager, for example in Accounts, to check the veracity of a backup in a simple manner.

Every company thinks that their industry or sector is different. The reality is that they are all the same in the eyes of the law and criminals. Further, all companies need to manage simple things like Annual Leave, Sickness, Employment Contracts etc. It is amazing to see large companies that cannot even cope with the basic management aspects relating to operating as a business. All of RedDrum’s clients use one of the RedDrum Intranets to manage all of these processes and many others, in a simple and efficient manner.

3) Business process

It is an unfortunate reality that many companies lack standard, documented business processes. In most cases, procedures are followed because that is the way they have always been done, or staff use different methods, either in different departments or simply because they do, and there is no management of the processes. In one large construction company that RedDrum advised, one member of staff was employed to ‘close down accounts’. This process had once been required when hard disk space was at a premium, but by that stage it not only no longer needed doing, it was actively harmful to the system, as it removed valuable data.

What is the risk in your business?

This will be determined by the nature of the business, the number of clients and the area of operation. Outside of Ransomware and other cyber attacks, the accounts departments are the obvious targets for attacks. International trading companies need to be particularly cautious, as do those dealing with large sums of money or large numbers of business to business clients.

Suggested business processes?

A) Adopt encrypted email for all accounts and senior staff. Encrypted email is just what it says: you cannot read or access the email without knowing the encryption code. This defeats many, if not all, of these cyber attacks if deployed in the correct manner. Clients or suppliers that interface with staff who use encrypted email obviously have to have the code to be able to access it. They can then read the email via a site provided by the email supplier. The code should never be supplied digitally, but always by letter.

B) Follow the above but without the encryption aspect. Supply the customer or supplier a code, or with a piece of information, again by letter or telephone, that you will require them to quote, should they ever wish to change any of their account details, for example, bank details.

Either of these options would have saved companies that RedDrum have worked with at least £250,000.

C) Ensure that there are written procedures relating to requests for payment, from whoever they originate, including the Chief Executive, with thresholds on amounts and time limitations. No right minded Chief Executive makes a payment request on a Friday afternoon, when he is going to be out of contact.

D) Treat any request, however innocuous, to change dates, times, locations or mechanisms of payments as suspicious. Any such suspicious request should be referred to the appropriate Manager who should not sanction payment until he or she is completely satisfied that the request is genuine. Enshrine this in your contracts with your customers/suppliers, making them liable for any losses, should you make any payments after following these procedures.

E) Train staff in what to look for. Cyber criminals have absolutely no nerves whatsoever and are not frightened of getting involved in email conversations with accounts staff, about payment, when they have got themselves in a position to do so, masquerading as a supplier. If payment is being chased, then ask for the code or information supplied under ‘B’ above. It may be legitimate but equally, it may not be.

Generally speaking, cybercrime emails are written in very poor English. This is because the criminals may not have English as a first language. Words may not be appropriately capitalised, punctuation may be poor and sentence construction may be unusual. Ensure that staff are made aware of these facts and that there is always a route for a member of staff to refer an email to a Manager.

This is an actual example of a series of 3 emails between a criminal (John) and an employee at a company (Hannah). Note that there are grammatical mistakes in each of the emails from John, though they are quite well written. At all times, Hannah clearly thinks that she is speaking to the appropriate supplier, not a criminal. John is quite happy to chase payment, even though he is a criminal.

Email 1, John to Hannah.

Dear Hannah
I want to update our banking details for payment for this invoice, If 
payment has not been paid yet could i kindly resend amended invoice 
with current banking details.
Many thanks Hannah

Email 2, Hannah to John.

Hi John
It’s very likely we will be paying this invoice at the end of this week.
If you would like to change bank details please  send new invoice.
Thank you

Email 3, John to Hannah.

Dear Hannah
Good morning, Please find attached the invoice with the banking details for payment. Kindly notify me when payment has been made.
Many thanks Hannah
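The checks in processes B and D above, screening incoming accounts email for bank-detail-change red flags and refusing to alter a supplier record until the code sent by letter is quoted and a Manager has signed off, written up as an added Python example (not RedDrum’s own code). The red-flag phrases are taken from John’s two emails above; the supplier record, its account number and the verification code are constructed for illustration.

```python
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

# John's emails from the example above, used here as sample inbound mail.
EMAIL_1 = ("Dear Hannah I want to update our banking details for payment for this "
           "invoice, If payment has not been paid yet could i kindly resend amended "
           "invoice with current banking details. Many thanks Hannah")
EMAIL_3 = ("Dear Hannah Good morning, Please find attached the invoice with the banking "
           "details for payment. Kindly notify me when payment has been made.")

# Phrases that signal an attempt to redirect a payment (process D: any request to
# change how a payment is made is suspicious). Extend for your own correspondence.
RED_FLAG_PATTERNS = [
    r"\b(update|change|amend)\w*\s+(our|the)?\s*bank(ing)?\s+details\b",
    r"\bresend\s+amended\s+invoice\b",
    r"\bnew\s+bank(ing)?\s+details\b",
    r"\bnotify\s+me\s+when\s+payment\b",
]

@dataclass
class SupplierRecord:
    name: str
    bank_account: str
    verification_code: str   # issued by letter or telephone under process B, never by email

def red_flags(body: str) -> List[str]:
    """Return every red-flag phrase found in an inbound email body (case-insensitive)."""
    return [m.group(0) for p in RED_FLAG_PATTERNS for m in re.finditer(p, body, re.I)]

def screen_email(body: str) -> str:
    """Process D: anything touching payment details is referred to a Manager, not actioned."""
    return "REFER" if red_flags(body) else "OK"

def apply_bank_change(supplier: SupplierRecord, new_account: str,
                      quoted_code: Optional[str], manager_approved: bool) -> str:
    """Process B + D: the change goes through only if the out-of-band code matches AND a
    Manager has approved; otherwise the record is untouched and payment stays on hold."""
    if quoted_code is None or not hmac.compare_digest(quoted_code, supplier.verification_code):
        return "HOLD: verification code missing or wrong"
    if not manager_approved:
        return "HOLD: awaiting manager approval"
    supplier.bank_account = new_account
    return "CHANGED"
```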

4) Use the IT system to its maximum capacity

Many IT systems are very similar to icebergs: only the bare minimum is used. Further, very little consideration is given to what individual members of staff actually need to do in their day to day jobs. As mentioned earlier, it is the norm for all staff to be given a company email account and an international communications centre, regardless of what they actually do.

IT systems can be used to enforce policies, for example where data is stored. Email accounts can be configured so that only those users who interface with external parties can send or receive external email. There is nothing wrong with users who only have an internal role being allowed to send email internally only. Even who they can send to can be restricted. Various sending and receiving options are available in modern email systems.

Internet access should be strictly controlled, via the firewall. IT business systems are for business purposes only. Staff need to be strictly controlled by a combination of policies, business processes, management and IT systems. Failure to do so, is an open invitation to cybercriminals.

5) Utilise ‘Cloud’ based Systems

The cloud is now widely accepted as an excellent option for business systems. Essentially the cloud is just a warehouse full of computers, which is joined to other warehouses full of computers based in other locations. For example, Microsoft have numerous warehouses based around the world and guarantee that up to three warehouses can be destroyed and your data/servers would still be safe. It is very difficult, and probably impossible, for a privately owned company to replicate this sort of redundancy. The question then becomes one of connectivity.

Currently, the best bet is to spread the risk and have a mixture of local and cloud based systems, depending upon the requirements of a particular company. However, there are some simple things that can be done to reduce the risk of cybercrime. We have talked many times of managing a network, which would include a strong password policy, for example changing passwords every month and using a 12-character password. Further, and particularly in relation to email, Microsoft 365 should be used without an email client such as Outlook; the online, cloud based version of Outlook should be used instead. This minimises the risk of a criminal gaining access to a computer and then simply watching the email flow into Outlook.