Cybercrime: not just a bedtime story

David Pope advises Compliance Managers about how to deal effectively with data security issues, in general, and cybercrime threats, in particular.

About the author
David Pope is entity and client protection manager at CILEx Regulation.

One of those special moments for any parent is reading a book to their child before bedtime. Currently, my son and I are enjoying the tales of Asterix the Gaul fighting against the might of Julius Caesar and the Roman Empire. Asterix and his friends have a magic potion that gives them their superhuman strength, and so are able to overcome any challenges put in their way. But whilst a magic potion obviously helps,

Asterix is always required to display his cunning and resourcefulness, as not every challenge can be overcome by just brute strength. So, what has the story of Asterix to do with an approach to dealing with cybercrime you may well ask?

Well, often, Compliance Managers seek their own magic potions: cybercrime is sometimes seen just as an IT issue that can be dealt with by one solution: the use of software and technology. Like a magic potion, if you have enough of it, surely it must protect you? Sound anti-cybercrime policies and procedures Now clearly the use of technology, such as fire walls, and anti-virus and anti-spyware software, is vitally important to have in place, and we would always suggest the following:

• Update to the latest operating systems.
• Install anti-virus and anti-spyware software.
• Set strong passwords; change routinely; never share with anyone; and don’t write them down.
• Make periodic back-ups of documents and data stored in your hard drive, keep back-up devices safe and, ideally, encrypted.

However, cybercriminals are prepared to be cunning in their approach to gathering confidential information. So, like Asterix, a Compliance Manager is required to show their own resourcefulness in protecting their firm, and that involves all staff in the firm.

The individuals in a firm can be both the strength and the weakness in any firm’s approach to tackling cybercrime, which demonstrates how important it is for a Compliance Manager to have the correct processes and procedures in place to support staff and how important training is in any firm’s strategy.

Criminals will always be looking for that moment when, potentially, a firm’s guard is down: that is why Fridays are targeted for those involved in property transactions. Criminals know that a firm will be under pressure to make sure a transaction completes, and therefore there may be an opportunity to gain an advantage. This will be the moment when the unexpected e-mail lands in an inbox changing bank details.

Staff training on data security matters

So, a Compliance Manager who helps their staff to be alert to threats at all times is very important. Make sure that the question: ‘Does this feel correct?’ is always asked in connection with any use of technology, and this will help staff become a key defence in your firm.

Like Asterix and the magic potion, it is not sufficient for you just to have policies in place: you must put them into effect and train your staff on what they should be doing. Make sure that a regular review features in your risk-planning register. There are some simple things you and your staff can do:

• Always lock the screen or log out of your computer when you leave your work station, even if it is: ‘Just for a minute’.
• Don’t assume that an e-mail is authentic and to be trusted;
• Never open e-mail attachments or click on links sent to you from unknown sources.
• When uploading and downloading files (particularly sensitive documents), only use trusted sites.
• Only send bank account details by post and never by e-mail.
• Ensure that strong passwords are used and passwords are changed regularly.

Then, as a Compliance Manager, make sure that you:

• Provide regular and appropriate training for all members of staff on how to spot cybercrime, different types of cybercrime, and what to do in the event of an attack.
• Limit web browsing to work-speci fic sites if practicably possible.
• Ensure that you have the correct policies (ie, e-mail, social media, data protection, and internet usage), procedures and plans, including business continuity and cyber-incident response, in place.

When working out of the office, remember:

• Be careful when logging into public Wi-Fi connections as fake hotspots can be created by cunning cybercriminals.
• Don’t use private computers for work purposes.
• Be careful when using other devices such as memory sticks.

You should also ensure that your clients help to avoid the risk of an attack. Make sure that you provide advice within your client care information and on your website. This could cover the following issues:

• The nature of communications that they will receive from you.
• That you will never send out your bank details by e-mail.
• That you will not change your bank details during the course of their transaction.
• That they should contact you immediately if they have any suspicions.
• Remind your client of these security measures regularly by a prominent notice on your e-mail footer, your website and on any letters sent to the client.

Whilst one hopes that a cyberattack will not happen, the reality is that it could and may well. A report published by the National Cyber Security Centre and the National Crime Agency noted that 188 high-level cyberattacks had been made in the last three months of 2016.¹

So, whilst you may not be able to prevent a cyberattack, you should do everything possible to mitigate the risk of a cyberattack being successful. Even those firms involved in providing protection, test their own staff response to an attack.

CILEx Regulation encourages its entities to embrace the various resources that are available to help protect them from attack. Some of these are set out in the two papers on cybercrime and cybercrime resources within the ‘Risk Management’ section of the CILEx Regulation website.² 

Hopefully, all this will mean that, like Asterix and his friends, you can repel all attacks and have plenty of time for that bedtime story. Good night!

1 The cyber threat to UK business: 2016/2017 report, available at: http://tinyurl.com/lyxgewr
2 Visit: http://www.cilexregulation.org.uk/risk-management