Treasury News Network

The A-Z of minimising cybersecurity risks and the silly things we do today

The standout session at the ACT Cash Management Conference 2016 was ‘Cybersecurity risks - are the banks doing enough?’ The discussion was led by ACT’s James Lockyer, Mike Loginov, CEO, Ascot Barclay Cyber Security, and Gary Starling, Head of Professional Services, Visual Risk. It turned out to be a session not on whether banks are doing enough, but on ‘Are you corporates doing enough to combat cyber security risks?’ And the answer to this question was, and is, NO. Most of the audience clearly didn’t really understand how serious the current situation is.

Profoundly scary

It was a truly, profoundly scary session. There was much to be worried about, including:

  • major organisations have been videoed with passwords on their whiteboards, etc.
  • hackers are typically inside or studying the company for over six months before the actual attack happens
  • unattended visitor books offer an opportunity to photograph and understand your company and your visitor patterns, which enables hackers to construct social engineering attacks around this knowledge
  • Bring Your Own Equipment (BYOE) policy: Mike feels that it should really be called BYOD (D = Disaster). Organisations should partition information on iPads or laptops with special software, PLUS have it written into employment contracts that when staff leave the company a button can be pressed that ‘self-destructs’ the key information on the device. However, companies need to accept that there will be compromises to be made to make this acceptable to all parties.
  • what most hackers are targeting is not credit card details, because credit card info is cheap on the ‘dark web’ ($5-10/card with full details and PIN number); it is Personal Identification Information (PII) that the criminals are after. One group of people will harvest the information and sell it to another group who will exploit it. This is done on the basis of long-term objectives: to build a picture of where the vulnerabilities are in a firm or organisation and how they can be used in an attack. SO BE CAREFUL WHAT INFORMATION YOU PUT ON SOCIAL MEDIA, such as Facebook
  • remember that your company’s cybersecurity may be watertight, but what about your suppliers and other companies you deal with?
  • ask yourself what is the most valuable information that your company has? Work this out and then ask: how secure is it really? is our cybersecurity policy really protecting this? how can it be hacked?
  • the issue is no longer protection against viruses; the issue now is: how do we protect our company against these targeted attacks?
  • be aware that the telephone is a very dangerous device, e.g. mimicking members of staff and asking the processing centre staff to make a payment at key moments, e.g. when the centre staff are busy at changeover between shifts, when a call runs over the standard time, etc.
  • hackers study organisations and their employees’ habits and ways of working, so that they “know the organisation better than the organisation itself” and know exactly when, how and whom to attack/focus on. It is a planned operation
  • hacking is an industry with ROI targets, just like legal companies
  • on any system, the assumption should be that it has been hacked somehow, somewhere
  • the authorities and police forces don’t have enough resources, so the chances of being caught are ‘remote’.
  • most companies don’t have a plan as to how to react to minimise the impact when they are hacked.

The good news

However, there was some good news: 

  • neither Loginov nor Starling knew of any TMS being hacked... so far.
  • there are systems that can be installed to highlight unusual behaviour and activities, which can show that hackers are already present in your systems.
  • the best way of preventing hacks is to educate your staff about what is happening, and get them to help the company take control and fight back, whilst not forgetting the basics of audit trails, encryption, etc.
  • follow the GCHQ cyber hygiene code to minimise hacker impact, e.g. use just one 18-character password for everything which contains a mixture of letters, numbers and special symbols

* * *

CTMfile take: 100% watertight cybersecurity is probably not possible. At least you can get the basics right - this applies to all staff, from the most junior to the most senior management: use the latest techniques, have a plan as to what to do when you are hacked, and regularly update your cybersecurity policy.
