ICAEW.com works better with JavaScript enabled.

Cyber: CrowdStrike, new laws proposed and SCAM

Author: ICAEW Insights

Published: 31 Jul 2024

In our latest round-up of cyber news and security insights for accountants and finance professionals, we explore what happens when cyber software goes wrong, new routes to Cyber Essentials and why you need to remember SCAM.

Cyber software in the news

This month the world found out what happens when major enterprise-level cyber security software falls over, and it’s fair to say it was catastrophic.

In the early hours of Friday 19 July, a configuration update was rolled out to Windows users of CrowdStrike Falcon, software which is used by many large organisations around the world to provide protection against cyber attacks. Such updates are normally routine and pushed to PCs daily or even multiple times a day. Unfortunately, the update had a small but significant bug in its code, which resulted in fatal system errors and the infamous ‘blue screen of death’. There are numerous helpful explainers including a BBC article and this more technical examination.

While a fix was released by CrowdStrike within hours, the impact of the bug was substantial, taking a huge range of services offline and impacting airlines, banks, hospitals and many high-profile businesses, including the Mercedes F1 team. The simple issue was that, to apply the fix, every impacted PC needed to be individually rebooted following a specific set of steps, which has been a time-consuming exercise for IT professionals globally. Microsoft estimated around 8.5 million machines were affected, meaning it was most likely the worst IT outage of all time – although worth noting this is still less than 1% of all Windows machines, and that Linux and macOS were unaffected.

In our recent Insights article we’ve covered some of the learnings relating to this incident, many of which relate to supply chain risk and resilience. CrowdStrike, Microsoft and others have been at pains to emphasise it was not a cyber attack and the former has already committed to steps to avoid a repeat including more robust testing of these types of updates, and a more staggered deployment. However, criminals rarely miss a trick, and the National Cyber Security Centre (NCSC) has issued a warning that the incident is likely to result in an increased risk of cyber attacks through bogus technical support and fake software updates.

It’s important to emphasise that if your machines were not impacted, you are not at risk at all. If you are still impacted then the steps outlined by CrowdStrike and Microsoft are relatively easy to follow providing you have physical access to the affected machines, and a recovery tool has been issued for more complex setups.

King’s Speech proposes new cyber laws

Among the substantial number of new laws proposed by the new UK government in this month’s King’s Speech, the Cyber Security and Resilience Bill looks set to establish improved regulation, building on the Network and Information Systems Regulations which were inherited from the EU. These regulations have since been updated by the EU, leading to a risk that UK regulation in this space is currently falling short.

The intention is that the new regulation will help provide greater protection to critical public services and their supply chains, and would give regulators more resources and powers to investigate vulnerabilities and enforce necessary cyber security measures in the organisations that need them most. The bill also proposes that organisations will be required to increase the level of reporting of cyber incidents, particularly in relation to ransomware attacks, to give bodies such as the NCSC greater visibility of the threats faced by UK businesses and public sector organisations.

Another proposed bill, the Digital Information and Smart Data Bill, will also have implications from a cyber perspective, as it seeks to give the Information Commissioner’s Office greater powers, and make it easier for organisations to share smaller actionable data upon request – so-called ‘Smart Data’ schemes. This will require both individuals and businesses to be more alert to cyber risks, potential data breaches and the acceptance of terms permitting the sharing of personal and business data.

New route to Cyber Essentials

Cyber Essentials (CE) – the UK scheme for businesses to support and demonstrate a minimum level of cyber security protection – was launched 10 years ago at Chartered Accountants’ Hall. It has since undergone several changes to ensure it remains relevant and the latest changes open up more routes for organisations – particularly larger ones – to achieve certification.

The CE Pathways route, now launching as a proof-of-concept phase, moves away from a prescribed set of controls towards an ‘outcomes-based’ approach. This allows organisations that may have legitimate reasons for being unable to implement the standard CE controls a different way of demonstrating compliance, providing the same ultimate risks are addressed through technical and testable controls.

NCSC is currently seeking organisations to take part in the proof of concept and has provided more details on its website.

Don’t be scammed, remember SCAM

According to a 2024 UK Finance report, scammers stole more than £1bn through payment fraud. Fears relating to fraud are a significant source of worry for many finance professionals – we are, after all, supposed to be the ones who are good at looking after money – so mental health charity caba has developed the SCAM acronym to help you determine if requests are genuine or not.

Is the Sender who they say they are? Are they Chasing you? Are they wanting you to take an unusual Action? Does their communication have any Mistakes? These are the key questions to ask yourself when receiving a call, text or email out of the blue pertaining to be an individual or organisation you know. As seen from the recent incident at Arup, even communications that appear to be from within your organisation should be validated. Simple efforts to cross-reference and ‘test’ the individual making the request can be enough to identify the fraud before any information or money is provided.

Of course, it isn’t just scams that can cause issues for small businesses. Increasingly, the Chinese state-sponsored threat group APT40 is exploiting the trend for more hybrid and home working by attacking small-office and home-office (SoHo) devices. An advisory issued by the Australian Cyber Security Centre, in conjunction with NCSC and other bodies from US, Canada, New Zealand, Germany and Japan, notes how APT40 is exploiting known vulnerabilities in widely used software to compromise unpatched or end-of-life SoHo devices and use these to launch other attacks masquerading as legitimate home user traffic.

The critical message here is to ensure that all devices you use, both at home and at work, are maintained with the latest updates and when connecting into office systems from a home network, ensuring that VPNs or other encryption tools are deployed so that the exchange of information over the public internet is kept secure. At home, make sure that your internet router’s firewall is enabled and configured to protect your home devices effectively.

And as ever, the NCSC’s 10 steps to cyber security also helps organisations adopt important security measures to prevent and minimise the impact of cyber-attacks. 

Want to learn more about cyber security?

Visit the ICAEW cyber security webpages.

Got an interesting cyber story for us? Email techfac@icaew.com

Stay up to date with AI

The 2024 ICAEW annual member conference focuses on technology, leadership and sustainability. Three sessions focus on AI, covering productivity, ethics and skills.

ICAEW Annual Conference 2024 takes place on 4 October and is looking to the future of economy, focusing on sustainability, leadership and technology.
  1. ICAEW celebrates inclusion success
  2. Generation game: keeping accountancy in the family
  3. Corporates hold true to Wates Principles in governance reports
  4. Government enters crisis control mode to curb public spending
  5. Improving prostate cancer diagnosis with accounting skills
  1. Warning: Letter said to be from HMRC is a fraud
  2. Tax news in brief 21 August 2024
  3. Animal breeders in HMRC’s sights
  4. Taxpayers should check HICBC for 2022/23
  5. Claims for investors’ relief may not be valid

Recommended content

Resources
Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.
Technology

Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.

Read more
Resources
Artificial intelligence
Artificial intelligence

Discover more about the impact of artificial intelligence and the opportunities it presents for the accountancy profession. Access articles, reports and webinars from ICAEW and resources from tech experts.

Browse resources
Cyber: CrowdStrike, new laws proposed and SCAM
  • Article
  • 31 Jul 2024
The ABCD+ of technology: cyber security
  • Article
  • 31 Jul 2024
AI ‘will turbocharge cybercrime and fraud’
  • Article
  • 26 Jun 2024
Cyber round-up: June 2024
  • Article
  • 26 Jun 2024
Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.
Login

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields
Next step

Add this page to your CPD activity

Step 2 of 3
Mandatory field
Back Next step

Add activity to my record

Step 3 of 3
Mandatory field
Back Add activity to my record

Activity added

Go to my CPD record

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250
Add activity to my record