The UK’s cyber security and crime agencies are calling for the early reporting of cyber incidents in order to combat a growing cyber threat for business.
According to a joint report from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), the cyber threat to UK businesses continues to grow. Between October 2016 and the end of 2017, the NCSC recorded 34 significant cyber attacks and 762 fewer serious incidents. According to the report, The Cyber Threat to UK Business Industry 2017-2018, the cyber threat is growing in both scale and complexity. UK businesses face an increasing threat from ransomware, data breaches and supply chain weaknesses, it warns.
In particular, the report warns of a growing risk from crypto jacking – where an individual’s computer processing power is used to mine crypto currency without the user’s consent. The increased use of cloud technology to store sensitive information could result in personal information being breached, it says.
The NCSC and NCA also warned about the growing sophistication of CEO and business email compromise (BEC) fraud, which they say is one of the fastest growing, lowest cost, highest return cyber crime operations. A recent trend has seen BEC used to obtain sensitive commercial data and intellectual property which could be sold on the dark web.
There have been a string of BEC attacks on the art industry, where art galleries and dealers have been targeted by invoice scams after cyber attackers infiltrated their emails.
The report also highlights the case of Dublin Zoo, which was hit by a BEC scam in 2017. The criminals stole USD 600,000 after they intercepted legitimate supplier invoices and requested that funds be sent to a fraudulent account.
Mandate fraud is a growing problem. This type of fraud - where criminals convince an organisation to change a direct debit, standing order or bank transfer mandate - cost UK business GBP 32 million in 2017, and is now the third most common way to defraud a company.
Given the size and complexity of cyber crime, the NCSC and NCA are calling for “full and early reporting” of cyber crime. The early involvement of specialist agencies is key to mitigating the impact of an attack, they say.
For example, the prompt reporting of a cyber attack by a UK-based telecoms company enabled the NCA to seize evidence and trace those responsible, as well as alert and provide mitigation to other potential victims. The cyber attack – in which criminals stole data on individuals due for phone upgrades – cost the telecoms company approximately GBP 500,000.
The General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018, will require a data breach to be reported to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach. NCSC says that it expects to see an increase in the number of reported cyber incidents as a result.
In the context of GDPR, the NCSC advises companies to have completed risk assessments and put appropriate security measures in place. It says they will also need to detect incidents quickly and to have planned and practised how to respond in the event of an incident occurring.
Business continuity plans must be tested, and a media relations person should be ready to react to any fallout of a cyber incident, it says.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org.
YOU MAY ALSO BE INTERESTED IN