In recent years, cyber crime has remained consistently profitable for criminals. This is primarily because efforts on the part of businesses and authorities to counter these threats haven’t been effective.
James Bore, cyber-security expert and Managing Director of Bores Ltd, says: “We’ve not made a significant difference to the current criminal threats, so there’s no reason for criminals to change their tactics. We’ll be looking at more instances of ransomware and of it becoming more sophisticated. Criminals will just continue developing and deploying these threats because they keep on making money.”
Ransomware as a service – a commercial offering available to criminals – is a growing phenomenon. Cyber fraud also remains a huge threat, ranging from invoice fraud, where someone sells something they don’t have, to CEO fraud, where someone pretends to be the CEO either via email or deep fake audio or video calls.
“Those are the most common ones. They’re not going to go away and there’s unlikely to be anything really transformative because if you look at the criminal side as a marketplace, they’ve got a very solid market. There’s no reason for them to change tactics,” says Bore, who is author of cyber-security anthology The Cyber Circuit.
Four-fifths of reported fraud is cyber-enabled, according to the National Fraud Intelligence Bureau. With only about 1% of police funding going into counter-fraud work, it’s clear to see why businesses need to take steps to protect themselves.
“We’ve got some protections in place, but frankly companies don’t invest as much effort into security. It’s not about the money. Companies tend to buy products rather than actually looking at their processes, procedures and training. Organisations are very heavy on security technology, but the technology doesn’t help protect them against certain threats because criminals just adapt to the technology,” Bore says.
As seen in high-profile attacks such as the recent Harvey Nichols breach, once criminals get into a system, they often take customer data and use that for further cyber attacks. So the impact of these attacks can be wider than the immediate damage caused.
People are still your weakest link
It’s not so much about shiny new cyber technology to counter threats, but rather about better staff training and better authentication. “It’s about the very basics of cyber security and information security, which get overlooked. It’s about the baseline security hygiene,” Bore says.
Organisations and individuals need to consider not just their security technology, but the physical vulnerabilities, too. Penetration testing, where experts assess the physical security of buildings and staff, is an area that companies need to think about on an equal footing with their technology.
“People will click on the hyperlinks that allow malware in or let unknown people in the front door. It’s widely accepted now that as part of a security regime you need to understand how your network is vulnerable to physical threats,” says Rick Mounfield, Director of Optimal Risk.
Organisations need to assess and monitor the vulnerabilities in their security officers, reception desk, delivery bay and office floors, too.
“People will break into buildings by social engineering to steal equipment. Corporate espionage and hostile state actors will use all means to break into your business premises because it’s easier to plug something in or access server rooms inside buildings that are not aware of that physical risk, although they might be very aware of cyber risk. The converged approach to security is tying together the same vulnerabilities,” Mounfield says.
Insider threat is another consideration; people might obtain employment with the sole aim of stealing your intellectual property. Such insiders often have vulnerabilities, such as gambling addictions or other financial debts, that a third party can exploit through manipulation or blackmail to coerce them into committing crimes on its behalf as a proxy.
Create a security culture
Company chiefs need to take security culture as seriously as health and safety. They must have a clear and accessible policy on security culture that is regularly reviewed, monitored and updated as well as offering staff continuous training.
“If a CEO were to sign off the security policy, not just for the digital assets, but for behaviours of access, control and challenging people in the workplace, then you’re going to deter criminals because criminals risk assess the likelihood of being caught, too,” Mounfield says.
Creating a work environment where everybody feels empowered or obligated to challenge unusual activity is vital for tighter security.
Managers should also avoid a culture of punishing staff for accidental breaches. If an employee accidentally clicks on a hyperlink and they worry they might be punished, they’re less likely to report it. Encourage immediate reporting without any kind of shame attached to it.
Phishing emails nowadays are so sophisticated, thanks to AI tools, that they rarely contain the spelling mistakes that gave them away in the past. The sooner security staff know about such incidents, the quicker they can deal with them.
“Organisations need to sit down and take a good hard look at what they're doing and what they understand about security,” Bore says. “One of the problems is that there is a lot of bad advice out there which focuses on these sophisticated, advanced threats, which are not where the problem lies.”