cyber - it's all now a matter of time!

Growing Gloucestershire Business Cyber / Digital Threats 21st June 2017 Mark Godsland MSyI MG Total Security Risk Associates Ltd Presenting on behalf of CIMA “It’s all now a question of TIME!”

Upload: gloucestershire-professionals

Post on 23-Jan-2018


TRANSCRIPT

Page 1: Cyber - it's all now a matter of time!

Growing Gloucestershire

Business Cyber / Digital Threats

21st June 2017

Mark Godsland MSyI

MG Total Security Risk Associates Ltd

Presenting on behalf of CIMA

“It’s all now a question of TIME!”

Page 2: Cyber - it's all now a matter of time!

Agenda

• Introduction

• “Time”

• Current cyber activities, crime figures and cost to the County

• Typical Cyber Activities

• “Attack Vectors” to look out for

• “Cyber” Digital Risk Insurance

• GDPR 25th May 2018

• Where to get help and advice / NCSC / Cyber Essentials

• Gloucestershire Safer Cyber Forum

• What you can do for yourself

• What you can take away for your business

21/6/17

Page 3: Cyber - it's all now a matter of time!


Your time is up!...... (Almost)

Page 4: Cyber - it's all now a matter of time!

One Minute to Midnight

Page 5: Cyber - it's all now a matter of time!

WANNACRY & Attack Types


Page 6: Cyber - it's all now a matter of time!

Nationally:

One in four businesses reported a cyber-breach or attack in the past 12 months.

– Source Cyber Security Breaches Survey 2016, DCMS

There were an estimated 3.6 million cases+ of fraud and two million computer misuse offences in a year.

– Source British Crime Survey: January 2017

Regionally:

74% of SMEs had a “Breach” valued at between £75-311k

– Source SW Regional Cyber Crime Unit: March 2017

In Gloucestershire:

“An average of £250,000+ worth of recorded financial loss per month from Gloucestershire, related specifically to cyber-crime”

– Source Gloucestershire Constabulary:

National, Regional and Local Cybercrime and Fraud

Page 7: Cyber - it's all now a matter of time!

Cyber criminals are targeting British businesses by imitating nation state-style attacks, the NCA warns.

Source NCA / NCSC Report March 2017 (The Threat to UK Business 2016-17) + UK Cyber Security Strategy 2016

The Government will meet its responsibilities and lead the national response. But businesses, organisations and individual citizens have a responsibility to take reasonable steps to protect themselves online and ensure they are resilient and able to continue operating in the event of an incident.

Page 8: Cyber - it's all now a matter of time!

Typical ‘Cyber’ Activities


Page 9: Cyber - it's all now a matter of time!

“Attack Vectors” (Type of attack) to look out for

Phishing / Spear Phishing

Whaling (CEO Fraud)

Ransomware

DDoS (Multiple Bots)

Malware

Page 10: Cyber - it's all now a matter of time!

Cyber (Digital) impact on Business and the “need” for Insurance

What cyber related issues are likely to impact a business?

• Virus or hacking attacks which stop customer transactions

• Corruption or damage of data

• Ransomware or similar extortion via their IT platforms or website

• Loss of customer, supplier or critical process data

• Consequent liability to a third party, including associated litigation, fines, costs, awards and damages

• Subsequent damage to reputation as a result of the attack

• Loss of gross profit or gross revenue

Insurance is a key resource businesses can use to help manage their own risk.

However, SME decision-makers often don’t realise the need to take out additional cover for the major risks they face.

Too many businesses – 43% – have not reviewed their business insurance for over a year.

Underinsurance is considered a concern among SMEs, according to almost nine out of 10 brokers.

What can happen to a company without sufficient cyber security insurance?

Around 40% of SMEs in the South West would go out of business if faced with an uninsured £50,000 claim, versus a national average of 28%.

What should an SME do today to make sure it has the best protection against cyber threats?

1. SMEs must ensure they review their insurance annually.

2. Speak to a broker as part of their review to discuss any emerging risks that they should be aware of. Broker advice is free for SMEs and BIBA provides a useful directory to help them find a suitable broker here: www.biba.org.uk/find-insurance/

3. Strongly consider the impact of technological risk to their business, notably cyber cover. Many SMEs will have no cover.

Source: SMEWEB 8/5/17

Page 11: Cyber - it's all now a matter of time!

General Data Protection Regulation (GDPR) – 25th May 2018

Ultimately, the arrival of GDPR will put the control of personal data back into the hands of the individual, allowing a number of rights including access to their data and the ability to withdraw it.

It also means that organisations cannot simply gather data without good reason and must prove that they are doing all they can to protect the data they do hold.

GDPR also specifies that organisations have to appoint a specific data protection officer, who is distinct from a risk officer and all IT functions that currently exist. It’s a role that has to sit outside of IT and outside of the boardroom to have the independence to ensure the business adheres to the regulation.

It is vital businesses understand the importance and the responsibility tied to these new regulations.

Source Independent May 2017

Page 12: Cyber - it's all now a matter of time!

Where to get Help / Report

Where to get Help & Advice

• Cyber Essentials

• British Retail Consortium (Cyber Security Tool Kit)

• National Cyber Security Centre (10 Steps to Cyber Security)

• Get Safe On Line or Cyber Aware

• Gloucestershire Safer Cyber Forum

Reporting

• To your local Police on 999 (if in action) or 101 if historical.

• Action Fraud http://www.actionfraud.police.uk/report_fraud

• Gloucestershire Safer Cyber Forum – Anonymous

GDPR

• Information Commissioner’s Office

Page 13: Cyber - it's all now a matter of time!

Cyber Essentials

When questioned about the single worst breach suffered, half of all organisations attributed the cause to inadvertent human error.

Page 14: Cyber - it's all now a matter of time!

What to do?

If the information to the left is too complicated, do this as a bare minimum to protect your business as recommended by the NCSC.

• Install the latest software and app updates

• Use strong and separate passwords for your key accounts

• Provide staff training with access to simple, freely-available cyber security training

• Back up essential data at regular intervals (several)

• Conduct a cyber security risk assessment for your business

• Seek accreditation through the Government-endorsed “Cyber Essentials Scheme”

• Never disclose security details such as passwords or PINs

• Don’t assume an email, text or call is authentic

Page 15: Cyber - it's all now a matter of time!

Gloucestershire Safer Cyber Forum

Page 16: Cyber - it's all now a matter of time!

What to do for yourselves – Basic Digital Hygiene & “Take 5”

You

• PIN protect your Phone / Tablet

• If you have to use public Wi-Fi, use a VPN or use 4G signal

• Turn off the phone’s Wi-Fi and Bluetooth unless required

• Use strong passwords to protect your information

Your Home

• Don’t log on as an Administrator – use the limited / standard accounts

• Change the Router name, Admin password and Router PIN (Don’t give it to everyone who visits, use the WPS key)

• Ensure automatic updating of Operating Systems

Social Media

• Do you really need to share “EVERYTHING”?

• Don’t post personal information, especially DOB, National Insurance #, Passport, Address, where you are on holiday etc.

Page 17: Cyber - it's all now a matter of time!

What to “Take Away” from this presentation for your business

Businesses, organisations and individual citizens have a responsibility to take reasonable steps to protect themselves online and ensure they are resilient and able to continue operating in the event of an incident.

What you lose:

• Product Data

• IP

• CRM

• Employee information

• Financial Records

• Card Data

What you risk:

• Disruption

• Continuity

• Reputation

• Trust

• Compliance

• Commercial advantage

Page 18: Cyber - it's all now a matter of time!

Thanks for listening / questions?

Mark Godsland MSyI: Ad Cert ED & CP

Independent Crime and Digital Risk Resilience Advisor

Director

MG Total Security Risk Associates Ltd

[email protected]

@MGTSRAssoc

LinkedIn

(+44) 07484 193447

+ Community and Business Engagement Officer for the London Digital Security Centre

G First LEP Ambassador