SMEs battle cybercrime – can London's Digital Security Centre turn the tide?
Nobody has an accurate tally of the scale of successful attacks - many SMEs keep them to themselves for fear of negative publicity - but stories drip out from time to time of real businesses in London and beyond that are being hurt by a tide of invoice fraud, DDoS attacks, extortion demands, web incursions and relentless bank phishing.
Most of the evidence comes from studying the level of targeting and inferring the damage it must be causing for the criminal business model to be sustainable. A telling recent example was an alert put out in March 2016 by Action Fraud on a surge of extortion attacks aimed at small businesses by a group calling themselves the 'RepKiller team'. The MO was pretty brazen: SMEs were told to pay a Bitcoin ransom equivalent to £300-£500 or they would be hit with unspecified cyberattacks and an automated campaign of negative online reviews of their services.
The significance of RepKiller is the design of its extortion. Most extortion attacks are based on some kind of demonstration of a criminal group's power to hurt the target, usually a DDoS attack that disrupts websites or servers. With this campaign it seems the criminals are now so confident of economic success that they have dispensed with the need for shock and awe. That should be a warning light.
London Digital Security Centre
Times are challenging, then, but perhaps it's not all doom and gloom. A small but possibly significant clutch of organisations has started mobilising with the aim of giving smaller organisations a place to start re-thinking how they approach cybersecurity from the ground up. One such body is the London Digital Security Centre (LDSC), headed by a quietly-spoken Californian, Patrick Nuttall, seconded from his job working for KPMG's Cybersecurity team.
Nuttall and the LDSC started work almost a year ago after being handed two years of setup funding from public money through the Mayor's Office of Policing and Crime (MOPAC), reflecting a worry that SME cybercrime was starting to overwhelm the outreach capabilities of police agencies such as the National Crime Agency (NCA), Metropolitan Police and City of London Police. Police cybercrime units were designed to gather intelligence, pursue criminals and follow trails of evidence with a view to eventual prosecution. What they were never set up to do is advise enough London-based businesses on a timescale that would significantly boost prevention.
That job is now Nuttall's, and in person he seems unfazed by the scale of what he has taken on. The fundamental problem is that SMEs need to start by assessing whether their current security can stand up to today's attacks, but that sort of consultancy is pricey. Official advice, meanwhile, tends to be fragmented and partial. Getting beyond the most obvious level of advice is difficult without paying the sort of money SMEs don't necessarily have.
"We are trying to emphasise the very basic steps that people can take because that is where the gap seems to be," says Nuttall who notes that SMEs in London with fewer than 20 employees make up as much as 45 percent of its GDP.
"The amount of under-reporting [of cyberattacks] is shocking," suggests Nuttall. "Where we see losses are in social engineering attacks, some quite basic, particularly invoice fraud."
The model of services offered by the LDSC is based on that pioneered by the Stirling-based Scottish Business Resilience Centre (SBRC) which covers an overlapping set of assessments:
A digital footprint report that looks at the publicly available information on a company and its senior employees that could be used by cybercriminals to launch social engineering attacks.
A simple security assessment looking for common problems such as patching state, whether systems are using default passwords, network and web server vulnerabilities, obsolete equipment and weaknesses in Wi-Fi access.
Remediation advice that supports the SME, working with its chosen IT supplier, in closing the gaps found in the security assessment. Advice on maintaining security on an ongoing basis is built into this element.
Advice and templates on policy development for controlling how staff can securely use systems in terms of passwords and behaviour.
A plan to pass on threat data from sources such as the National Fraud Intelligence Bureau (NFIB) and CERT UK as SME-friendly alerts. This might be sector-specific.
A defining characteristic of all of these services is that they use student engineers supplied by universities such as London's Royal Holloway to carry out the technical assessments, which also explains the modest price tag of around £350 per tester per day, running up to £3,500 for the more comprehensive assessments. This might sound pricey compared to hiring an electrician or plumber in the capital, but given that professional pen-testing companies won't get out of bed for under £5,000 per test, it is definitely at the affordable end of the spectrum.
"It needs to use as little technical language as possible and to be specific," observes Nuttall of the advice the LDSC hands out as part of its services, and he is at pains to underline that the LDSC is not trying to compete with established pen-testing. "A lot of it focusses on basic IT infrastructure hardening."
Although publicly funded for two years, charging is essential to making the LDSC self-supporting in the longer term. As well as finding potential customers for the service, Nuttall's job has been to develop a business model that will allow it to keep operating.
"We're not trying to oversell it," stresses Nuttall who goes on to point out that "at the moment we don't do remediation work ourselves." The LDSC is about assessment and prevention.
It's early days for the LDSC, which officially started operations in May 2015, but to date one of the biggest sources of work has been SMEs referred to it by the police after falling prey to a cyberattack.
"We speak to them basically about how to avoid being re-victimised."
Tomorrow, the UK
It's very early days for the LDSC and Nuttall, indeed for the whole idea of helping SMEs with cybersecurity, a sector too often ignored or brushed aside by commercial organisations that can't see a way to sell security to it or make money from it. Taking on something as big as SME security, even within London, is daunting. Nuttall's first priority is to make the organisation self-supporting, which seems a bit tough. In a perfect world, he might have been given a year or two longer to set it up and a much larger marketing budget to advertise it.
But the LDSC and its progenitor, the Scottish Business Resilience Centre, will hopefully be only the start of a much bigger national initiative spreading to all corners of the land. In that sense it is blazing a trail for something that should spread well beyond London in time.
"Once we have developed our model a bit more we want to support the setup of centres in the regions. Going for the regional model we feel is more appropriate because the profile of small businesses is so different across the country."
It is going to be a long haul and in time something much bigger and bolder will certainly be needed to even begin to cope with the assaults being aimed at the capital's and the UK's SMEs. For now, the London Digital Security Centre is a start.
DDoS extortion - once reserved for large datacentres and service providers, this now makes smaller companies that transact online an incredibly popular target. Typically, a named individual at the SME will be hit with a demonstration attack, after which a threat is received by email promising to disrupt connectivity or web servers unless a ransom is paid within 24 or 48 hours. Cost: £800-£5,000.
Ransomware extortion - Ransomware is a form of malware infection in which a company's files are encrypted across one or more machines, plus any connected backup drives and services. Getting files back means paying up. Cost: £500-£1,000.
Phishing attacks - an attack that never seems to drop off in popularity because, frankly, it works. These days phishing has gone from an opportunist crime to a highly-targeted form of social engineering which exploits the reliance of small firms on email communications. These can impersonate known contacts, often financially related, quite convincingly.
Invoice fraud - now the most popular SME cybercrime, criminals send fake invoices that imitate real ones using methods that are sometimes crude but sometimes highly sophisticated. There are numerous forms of this type of fraud, which makes generalising about it difficult. All require money to be transferred or redirected into bank accounts that appear to belong to known suppliers or clients. The invoice fraud scam exposes a major weakness in today's banking security - there is almost no guaranteed authentication that can reliably tell a real invoice from a fake one. Email authentication (SPF, DKIM, DMARC) only stops exact spoofing of a supplier's own domain; it does nothing against a lookalike domain or a genuine supplier mailbox that has been compromised, which is why a change of bank details should always be confirmed by phone on a number already on file.
Data breaches - just as much a threat to SMEs as to any other size of firm. But for an SME that has its data stolen the cost will be proportionately higher in terms of clean-up and possible fines by bodies such as the ICO. In 2015, PwC put this at between £75,000 and £310,000 for larger SMEs.
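The phishing and invoice fraud entries above both turn on a sender that merely looks like a known supplier or client. The following is an added example, not code from the article or from the LDSC, showing the kind of cheap first check an SME or its IT supplier can run over the sender domains of incoming invoices: an exact match against a maintained counterparty list, folding of visually confusable characters, a real supplier name used as the leading labels of an attacker-controlled domain, and a small edit distance. The counterparty list, the sender domains and the short confusable-character table are constructed for the illustration.

```python
"""Lookalike-domain screen for incoming invoice email.

Added illustration, not code from the article or from the LDSC. The counterparty
list and sender domains are constructed for the example.
"""
from __future__ import annotations

# Single characters that criminals swap for visual twins (assumed short list, not exhaustive).
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Character pairs that render like a single letter in many fonts.
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot and fold confusables so visual twins compare equal."""
    d = domain.strip().lower().rstrip(".").translate(_CONFUSABLE_CHARS)
    for fake, real in _CONFUSABLE_PAIRS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (domains are short enough for the O(n*m) version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, known_domains: set[str], max_edits: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the domain an invoice was sent from.

    'known'     exact (case-insensitive) match with a supplier or client already on file.
    'lookalike' close enough to a known domain that impersonation is the likely explanation.
    'unknown'   nothing on file; treat as a new counterparty and verify out of band.
    """
    sender = sender_domain.strip().lower().rstrip(".")
    known_lower = {k.strip().lower().rstrip(".") for k in known_domains}
    if sender in known_lower:
        return "known"
    norm_sender = normalise(sender)
    for known in known_lower:
        norm_known = normalise(known)
        # 1. Visual twin: identical once confusables are folded (acrne- for acme-, supp1ies for supplies).
        if norm_sender == norm_known:
            return "lookalike"
        # 2. Real supplier name used as the leading labels of an attacker-controlled domain.
        if sender.startswith(known + "."):
            return "lookalike"
        # 3. Typo-squat: within a couple of character edits of a counterparty we actually use.
        if levenshtein(norm_sender, norm_known) <= max_edits:
            return "lookalike"
    return "unknown"


def screen_senders(sender_domains: list[str], known_domains: set[str]) -> dict[str, str]:
    """Classify every sender domain; the verdicts are what a finance-inbox rule would act on."""
    return {s: classify_sender(s, known_domains) for s in sender_domains}


# Constructed sample data: two counterparties on file and six sender domains to screen.
KNOWN_COUNTERPARTIES = {"acme-supplies.com", "northbank.co.uk"}
SAMPLE_SENDERS = [
    "acme-supplies.com",                 # genuine
    "acrne-supplies.com",                # 'rn' in place of 'm'
    "acme-supp1ies.com",                 # digit one in place of letter l
    "acme-supplies.com.secure-pay.net",  # supplier name as a subdomain of someone else's domain
    "northbank.co.uk",                   # genuine
    "gmail.com",                         # nothing on file
]

if __name__ == "__main__":
    for sender, verdict in screen_senders(SAMPLE_SENDERS, KNOWN_COUNTERPARTIES).items():
        print(f"{verdict:9s} {sender}")
```

A 'lookalike' or 'unknown' verdict should trigger a phone call to the supplier on a number already on file, never a reply to the email. The check is deliberately narrow: it says nothing about a genuine mailbox that has been taken over, and the edit-distance threshold of two will over-match very short domains, so tune `max_edits` down for those.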