Businesses of all sizes face a growing threat from cyber criminals and nation state actors. In the last 12 months in the UK, a third of charities, half of primary schools, half of businesses, almost three-quarters of secondary schools, and almost every single higher education institute have been subject to a cyber breach or cyber attack of some kind. More than seven million online fraud and cybercrime offences took place against businesses in the same period.
That’s according to Rod Latham, Director for Cyber Security and Digital Identity at the Department for Science, Innovation and Technology (DSIT).
He was the first speaker at ICAEW’s annual cyber lecture, which took place on 7 October. The event aims to raise the bar on cyber security, in line with ICAEW’s public interest remit. This year, the theme was the vulnerabilities of individuals’ online footprints, and how criminals use technology to exploit them.
As a senior civil servant, Latham is responsible for delivering the government’s plan to tackle cybercrime. “We’re out there pursuing and trying to disrupt cyber criminals, but our response cannot be a purely reactive one,” he said. “We need to be proactive, multi-layered and working across all of society.”
The Cyber Security and Resilience Bill was announced in the King’s Speech in July, to address some shortfalls in the regulations. For example, the current regulations cover only operators and not supply chains; smaller and less well protected organisations are often a route for criminals to attack larger organisations. Latham cited the example of Synnovis, a pathology laboratory that suffered a data breach, which allowed the attackers to disrupt London hospitals.
“Our new legislation will bring managed IT service providers into the scope of the existing regulations,” he said.
Alongside that, the government has designated data centres as critical national infrastructure (CNI). “That means that data centres, both physical centres themselves and operators, will have the same level of enhanced protection that other CNI has. For example, the telecommunications and energy sectors.”
The government is also working on a code of practice for cyber governance, setting out critical governance areas that directors need to be able to protect within their organisations. “We’re trying to make this easy for businesses and organisations, with relevant information gathered in one place.”
Latham also highlighted the important role that ICAEW members can play in influencing the organisations they work with to ensure that they take cyber security seriously. “You are in a unique position to influence the organisations you work with and to impress upon them the benefits and importance of cyber security.”
Ben Owen, an expert in covert operations, surveillance and online investigations who worked on the British, US and Australian versions of the TV show ‘Hunted’, then explained how cyber criminals use individuals’ digital footprints to find routes into businesses. “They're going for the people in the businesses – ie, you and your staff, whoever works in the business – because it’s the lane of least resistance.”
Businesses of all sizes are for the most part targeted for financial gain, Owen explained. For that reason, attackers are going to look for the easiest ways to get into systems, and often that involves people. “Hacking is really a human being hacking another human being’s brain. Take the technical part of it out of the way, and they’re tricking you into doing something that you wouldn’t otherwise do.”
He cited an attack on LastPass, in which an employee’s home computer was hacked. Training often revolves around the points of entry for a hack, but critically, the reconnaissance phase of the hack is often not discussed, which leaves vulnerabilities exposed.
“A hacker doesn’t just target you for the sake of it; they’re targeting you for a reason. And they don’t just select you out of thin air. They do some online reconnaissance. And again, they do that reconnaissance on your personal digital footprints: your LinkedIn account, your Twitter/X, everything about you online.”
The more present you are online, the more you’re arming hackers, but it doesn’t take much for criminals to find a way in. Owen told the story of a large energy company that challenged his team to break into the system through the personal footprints of executives.
They targeted the CIO, who had tried to limit his digital footprint. Using his email address and location on LinkedIn, they used free software to find other personal details, which in turn led to all of his online accounts. In the end, they used a Google review of a restaurant to fool him with a fake discount voucher.
“Hackers are getting really good at understanding the human brain and the human element of the hack, because they want you to do that thing you wouldn’t otherwise ordinarily do,” he said. “They want you to believe that approach. And again, it goes back to reconnaissance. The more you have as an individual online, the easier you’re making it for the hacker.”
Owen also warned against insider threats: an Australian digital tech company was hacked by a Turkish gang, who hired someone to get a job at the company and hack them from within. This is sometimes driven by blackmail: another Australian business found that one of its employees had joined Adult Friend Finder using his work email. This leaves them vulnerable to blackmail.
Businesses can protect themselves by doing digital vulnerability assessments on everyone in the business; determine what accounts you need and which you don’t. Get rid of the ones you don’t, and lock down the ones you do by using more email addresses for fewer accounts.
Use multi-factor authentication and take a ‘tactical pause’ before acting when contacted out of the blue or asked to do something urgent. Use password managers and consider using VPNs – but do your research to ensure that the VPN provider is secure.
“We really need to focus on your personal digital environments,” he concluded. “From there, that will make your businesses safer.”
- A recording of the event is available on the ICAEW Cyber Security Awareness Hub, along with additional resources to support you in your cyber security journey.