EMPLOYEES are the chief source of cyber crime against companies, and healthcare data is a key target, writes Gareth Mackie
HIDDEN away in the darkest corners of the internet, well away from the familiarity of social networks and online shopping, criminals gather to sell their ill-gotten gains.
“I can buy 100,000 credit card numbers, with names and addresses, for about 10p each,” says Rashmi Knowles of information security specialist RSA over coffee in the salubrious surroundings of one of Edinburgh’s many trendy west end eateries.
But Knowles, chief security architect at RSA, part of the EMC technology group, says cyber crooks are increasingly turning to healthcare data because the profits from stolen financial information are just too low.
US health insurer Anthem recently admitted that it was the victim of a “very sophisticated cyber attack” in which hackers obtained a raft of information about current and former members.
In a chilling example of the methods criminals will use to make a fast buck, Knowles says “ransomware” could become a growing problem, where a victim is told to pay up or see their sensitive medical records made public.
Aside from hacking into a company’s databases, Knowles says a favourite mode of attack is through “phishing” – sending emails that appear to be from a trustworthy source like a bank or colleague, but infect computers with viruses or malware.
“People need to recognise that a phishing email is the only door a criminal needs to open for them to be able to infect other machines, and the human being is always the key. That’s why education is so important. But technology and processes should be able to pick that up and identify where the malware has gone so it can be stopped.”
Hackers and those going on phishing trips are just the tip of the iceberg. According to the Scottish Business Resilience Centre (SBRC), 85 per cent of company fraud is committed by past and present employees.
The threat posed by rogue staff was the topic of a conference organised in Edinburgh last week by the SBRC, an organisation backed by the Scottish Government, Police Scotland and the Scottish Fire & Rescue Service, as well as banks and other private sector industries.
Deputy director Brian Gibson says: “It’s staggering to think that, as a result of inside attacks, a typical Scottish organisation loses approximately 5 per cent of its annual revenue to fraud. That’s why the issue is so critical and needs to be addressed now, before even more businesses fall prey to criminal, or in some cases neglectful or careless, staff.”
According to a report compiled by accountant PKF Littlejohn and the Centre for Counter Fraud Studies at the University of Portsmouth, companies in the UK could be losing more than £98 billion a year to fraud, but these losses could be slashed by up to 40 per cent if firms took steps to measure and pre-empt fraud.
“That in itself should encourage business owners to take a much more proactive approach,” says Gibson.
To help companies in the battle against insider threats, the SBRC has launched a training package covering password security, social networking and the management of internal processes relating to recruitment, redundancy, whistle-blowing, counterfeiting and organised crime.
One of the most important ways to tackle fraud before it happens is for companies to know what “normal” behaviour looks like, argues Knowles. For example, an employee accessing databases they don’t normally use should immediately set virtual alarm bells ringing.
“Good security is about people, processes and technology, and a lot of it comes down to identity and looking at behaviours.”
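The “know what normal looks like” idea Knowles describes is, in practice, a baseline-and-deviation check over access logs. The following is an added illustration written for this piece, not code from the article, RSA or the SBRC: it assumes a hypothetical audit-log line format (`<ISO timestamp> user=<id> db=<name> action=<op>`) and uses constructed sample lines. It builds, for each user, the set of databases they touched during a “normal” window, then flags any later access to a database outside that set, or by a user with no baseline at all, and annotates out-of-hours activity so an analyst can prioritise.

```python
"""Baseline-and-deviation check for database access (added example).
Hypothetical log format and constructed sample lines; not code from the
article or from the organisations it quotes."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: "<ISO timestamp> user=<id> db=<name> action=<op>"
SAMPLE_LOG = """\
2015-02-02T09:01:00 user=alice db=payroll action=SELECT
2015-02-02T09:05:00 user=alice db=payroll action=UPDATE
2015-02-03T10:12:00 user=alice db=hr action=SELECT
2015-02-02T11:30:00 user=bob db=crm action=SELECT
2015-02-04T08:45:00 user=bob db=crm action=SELECT
2015-02-10T22:14:00 user=alice db=patient_records action=SELECT
2015-02-11T09:00:00 user=bob db=crm action=SELECT
2015-02-11T09:30:00 user=bob db=payroll action=SELECT
2015-02-12T03:02:00 user=carol db=patient_records action=SELECT
"""


def parse_line(line):
    """Split one audit line into a dict with a real datetime for the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts),
        "user": fields["user"],
        "db": fields["db"],
        "action": fields["action"],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, cutoff):
    """Per-user set of databases seen before the cutoff (the 'normal' window)."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["user"]].add(e["db"])
    return baseline


def detect_anomalies(events, baseline, cutoff, office_hours=(7, 19)):
    """Flag post-cutoff accesses to a database the user never touched in the
    baseline window. Users with no baseline at all are flagged too; access
    outside office_hours is annotated rather than used as a trigger on its own."""
    alerts = []
    start, end = office_hours
    for e in events:
        if e["ts"] < cutoff:
            continue
        known = baseline.get(e["user"])
        if known is None:
            reason = "no baseline for user"
        elif e["db"] not in known:
            reason = "database outside baseline"
        else:
            continue  # normal access: same databases the user always uses
        alerts.append({
            "user": e["user"],
            "db": e["db"],
            "ts": e["ts"].isoformat(),
            "reason": reason,
            "out_of_hours": not (start <= e["ts"].hour < end),
        })
    return alerts


def run(text=SAMPLE_LOG, cutoff=datetime(2015, 2, 8)):
    """Learn the baseline from everything before `cutoff`, then check the rest."""
    events = parse_log(text)
    baseline = build_baseline(events, cutoff)
    return detect_anomalies(events, baseline, cutoff)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample, the check raises three alerts: alice reading `patient_records` late at night after only ever using `payroll` and `hr`, bob reaching into `payroll` from a `crm`-only history, and carol, who has no history at all. The baseline window and office hours are parameters because a real deployment tunes both to the organisation; a static set-membership baseline is the simplest form of the “what is normal” question, and the natural next step is to weight it by frequency or by role rather than by individual user.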
However, once a security breach has been identified, Knowles says that many firms do not understand what will happen to their business if they take action to address the threat. For example, shutting down a server may stop a piece of malware from spreading, but it could also knock out functions that are vital to a company’s survival.
Knowles, who told the conference that firms need to create a “human firewall” to protect their data, says that EMC – which has been using training software based on video games to help staff identify threats – sees more than 20,000 outside attacks a day. “Those guys just need to be lucky once – we need to be lucky 20,000 times to stop them,” he says.
A survey by accountancy heavyweight PwC revealed that cyber security is one of the top three concerns for business leaders, and the firm last month unveiled plans to expand the size of its technology team in Scotland, where key industries such as financial services, manufacturing and the oil and gas sector regularly come under attack.
PwC cyber security partner Colin Slater says: “My experience is that cyber risks are agnostic on size, location and maturity of corporates or organisations, or indeed the sector they operate in. Every business has some level of threat whether they know it or not, and the damage – financial, reputational or both – can be swift, severe and persistent.
“Issues around data protection, in particular for financial services, health and consumer-focused sectors, are increasingly prevalent and with changes to the regulatory environment pending, they will become financially material in fines.”
But does Knowles believe we will ever be able to say we’ve beaten the cyber crooks? “I don’t think we’ll ever get to that Nirvana state where we can say that. The best you can hope for is to minimise the number of attacks and learn from them.”
The Scottish Business Resilience Centre (SBRC) believes that fraud perpetrated against companies will exceed £3 billion this year, with a “staggering” 85 per cent committed by staff.
As much as 5 per cent of annual revenues from a business can be lost to staff fraud, according to the organisation.
SBRC director Mandy Haeburn-Little says: “The vast majority of people working in organisations are professional, well motivated and honest.
“But there is growing evidence that companies are facing a continued threat from employees, both past and present, who seek to gain personally from their position of trust within a business.
“This is not the case of stealing the odd stapler – these are serious crimes involving selling stolen data or sabotaging an IT system to give a rival the competitive edge.”
She adds: “The consequences to businesses who suffer these attacks can be very damaging and it’s in everyone’s best interest that we stop being complacent and work together to stop these crimes.”