Cyber Scotland Week has kicked off with a number of government-backed seminars and workshops taking place all over the country to spotlight cyber security. ‘Cyber’ has been a buzzword in the insurance industry for a number of years and has always been of interest to me. There has been so much written and said on the subject, it would be easy to think you’ve heard it all.
So as I attended what felt like my five hundredth cybercrime conference at the tail-end of last year, I couldn’t help but feel that it was going to be a bit wasted on me. However, one of the guest speakers at the event would prove me wrong: Cal Leeming. As a bit of background, Cal notoriously became the youngest person to have ever been convicted of hacking under the Computer Misuse Act, at the age of 12. Now reformed and in his 30s, he spends his time establishing startup businesses, providing cybersecurity training to both the public and private sector, and of course, giving keynote speeches at conferences.
Right from the start of his talk, I sensed this wasn’t going to be the same old rote-by-numbers spiel. Cal told the audience that he would be asking six of us to join him on stage later in the show. We were then informed that, with the list of attendees confirmed weeks in advance of the event, Cal had taken the opportunity to do some homework on us, and that the six audience members joining him on stage had actually been pre-selected. At this point, a minor fear kicked in:
What information had I shared online in recent weeks? For that matter, what information had I shared online in the last 20 years? What could be deduced from it? Do I know as much about cyber risk as I think I do?
Thankfully, I was not one of the chosen six who would later be presented with a list of personal information that Cal Leeming had easily obtained online. This was obviously just a bit of fun and nothing was disclosed to the audience without approval from the unfortunate data subjects. But the point had been well and truly made. Cal had not hacked any of this information in the technical sense; everything obtained had been wilfully shared online, and when pieced together, certain assumptions could be made. Sometimes these assumptions were inaccurate, but for the most part, they were spot-on.
So let’s put this into perspective. Businesses in the UK are now more likely to fall victim to cybercrime than any other form of crime, with the overwhelming majority of incidents directly linked to human error. The latest IT security systems offer no protection against shoddy security practices such as weak passwords or accidentally emailing the wrong recipient. Modern hacking methods used by criminals are advanced and often targeted. Just because we didn’t all send that Nigerian Prince our bank details in 2003, doesn’t mean that we can’t be outwitted by professional fraudsters today.
Cybercriminals will often use the innate human response system, as well as preying on fear and pathos, to their advantage in order to get what they want.
An email or telephone call purporting to be from a figure of authority, such as a company director or large client - applied with a sense of urgency - will often be enough to coerce a regular employee into parting with sensitive information, and in some cases, even transferring funds. And it’s not just simple social engineering that we need to be wary of. If a single employee’s login details are compromised or they happen to be deceived by a convincing phishing email, the entire company computer system could be made completely inaccessible through a Ransomware Attack, making it impossible for most businesses to trade.
Alarmingly, it doesn't take a computer mastermind to launch a Ransomware Attack. Copies of pre-made Ransomware packages are readily available to purchase on the dark web. Even if the would-be criminal lacks the know-how to actually orchestrate an attack, there are plenty of ‘contractors’ on the dark web who can be hired to happily carry out the dirty work.
Despite all of this, which is just the tip of the iceberg, most of us are in denial or are ignorant about our exposure to cybercrime and how easily we can fall prey to it. A recent insurance industry-wide survey found that only 18% of businesses purchase cyber insurance. With many cyber insurance companies also offering free risk management and training suites to customers, the exposure felt by many businesses could be easily and significantly reduced.
Cyber Scotland Week will hopefully raise awareness of cyber threats amongst individuals and commercial entities. You can find out more about their events here.
Accepting that we are exposed to such a threat is the first step in protecting ourselves, as underestimating or even dismissing the threat will bring consequences sooner or later. If you have any questions about cyber insurance, please get in touch with us here.