State-sponsored cyber attacks

In early May, a payroll system that was managed by an external contractor and used by the UK Ministry of Defence (MoD) was hacked, and personal information including the names and bank details of past and present servicemen and women was leaked. 

The MoD responded by taking the affected system offline and confirmed that no operational data was obtained. The separation of the payroll system from other MoD systems likely helped to prevent the attackers gaining access to other systems, thereby containing the problem.

The attack is suspected to have been carried out by actors backed by China, and this is not the first time China has been accused of carrying out malicious activity against the UK. The threat from China and other hostile states is widely recognised. 

Organisations of all kinds (private, public and third sector) and all sizes (small, medium and large) hold data that may be of interest to hostile states. This includes personal data and data that provides insight into behaviours and preference, such as medical data, education and work experience, biometric data, retail and consumer data and internet activity. 

Any organisation can be a target, so accountants should be vigilant to the threat and have in place basic controls as outlined in the NCSC 10 steps to cyber security to protect themselves. 

Organisations are relying more and more on vendors and third-party service providers. The MoD attack highlights the fact that no matter how robust an organisation’s internal security controls, its cyber security is only as strong as its weakest link, and facing an attack is a matter of when and not if. Understanding how third parties affect your cyber security – including any access they may have to your systems and data – is key, as is visibility into how they manage their cyber risks. Having an effective incident response plan is also fundamental to being able to effectively recover from incidents.

Another deepfake attack

Deepfakes continue to pose a threat to businesses in regard to economic crime. Corporates have been targeted. In early May, the head of WPP was the target of a scam that leveraged publicly available information including pictures, video and audio, and generative AI to clone the CEO’s voice and create video. This was used to set up a Microsoft Teams meeting that appeared to be of him and another senior executive. The CEO appears to ask the target to set up a new business, with the perpetrator looking to solicit money. The attack was unsuccessful but illustrates the potential dangers when AI deepfakes are used to communicate with employees.

This attack follows on from an earlier one in February where a company worker in Hong Kong was tricked into paying out £20m to fraudsters in a deepfake video call where they believed senior officers in the company had requested them to transfer money to various bank accounts. The company in question was this month revealed to British engineering firm Arup.

Accountants are an attractive target for cyber criminals due to the role they play in authorising and making payments, executing financial transactions such as deals and acquisitions, and advising on investment decisions. Deepfakes can be used to not only trick staff in their own organisations, but their clients and suppliers as well.

While some deepfake detection tools exist they are not always effective, and it is critical for staff to be vigilant. They should be educated on the threat, as well as how to identify potential deepfakes and what steps to take if they think they are dealing with a deepfake. 

Simple actions such as implementing robust verification procedures – e.g. requiring multiple approvals and authorisations for payments, encouraging staff to question requests that appear unusual or suspicious and to check separately with relevant people before taking actions – can be highly effective in preventing attacks. 

Ransomware guidance

According to recently published Guidance for organisations considering payment in ransomware incidents, ransomware continues to be the key cyber threat facing UK organisations. Many organisations struggle with knowing how to respond to a ransomware attack, including whether to pay a ransom. The 2024 Cyber security breaches survey reflects this uncertainty and reports that two in 10 of respondents (20%) and under a quarter in charities (23%) do not know what their organisation’s policy on this is.

This guidance was issued jointly by the National Cyber Security Centre (NCSC), the Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA) and International Underwriting Association (IUA). It aims to “help organisations faced with ransomware demands minimise disruption and the cost of an incident” by reducing the number and amounts of ransomware payments, thereby limiting the profitability of ransomware attacks. 

It was developed in response to parliamentary recommendations by the Joint Committee on the National Security Strategy (JCNSS), which called for more detailed, accessible guidance “on how best to avoid the payment of ransoms after an attack”.

The NCSC has reiterated its views confirming that both it and its law enforcement partners strongly discourage ransom payment, as it does not guarantee the remediation of an incident, but instead incentivises criminals to continue their activities. 

The guidance sets out recommendations to help organisations and relevant third parties make informed decisions, including considerations around assessing the business impact, involving technical experts, and reporting requirements, and should be a helpful reference for accountants in determining how they respond to ransomware attacks.

Want to learn more about cyber security?

Visit the ICAEW cyber security webpages.

Got an interesting cyber story for us? Email techfac@icaew.com