Paul Boam is speaking about his father, a fireman for 25 years. “When he stays at a hotel, the first thing he does is drop his bag and walks out, via the fire escape. He’s checking it works. At home, before he goes to bed at night he makes sure there’s a key in every door so they would be no delay in getting out. He’s fastidious about alarms, about having the right kind of fire extinguisher. It’s because, in his job, he’s seen some terrible things …”
‘I don’t want that to happen to me’
Boam, a security consultant, is reflecting on the advice he gives to companies about how they can protect their assets from being targeted by a con, a cyber attack or, indeed, an artful blend of the two – and how he leads his own life online and in the physical world.
“You can’t go through the mayhem that has been caused to some of the people that we work with and not bring the experience home with you and think: ‘You know what? I don’t want that to happen to me’.”
He has a clear message for chief executives and company boards; the answer does not lie in technology. Yes, technology can help protect companies but it is as much about culture: how executives lead their work and personal lives, the practical measures that a company takes to protect its assets, and how confidence can be instilled in employees to challenge any attempt – overt or covert – to circumvent those measures.
The number of recent high-profile hacks of company data – among them Target and Ashley Madison in America and Talk Talk here – has encouraged a belief that cyber security is a black and white issue; that the threat is technological, the solution is technology and it is all down to the IT department. Wrong, says Boam, who is technical director for the Stirling-based firm Net-Defence. Technology can provide a layer or layers of security, but companies are vulnerable in a myriad of ways and human behaviour is often the most significant.
Impersonating chief executives
Last July, a global healthcare company lost £18.5m when a fraudster telephoned its finance department in Scotland and requested money to be transferred to accounts in Hong Kong, China and Tunisia. The financial controller believed the man to be a senior member of staff and exchanged several calls with him as well as emails.
The scam involved a combination of social engineering, based on what Boam describes as ‘open source intelligence’ – information available on the internet and social media – and digital manipulation; spoofing the executive’s email address, something which Boam says is easy to achieve.
According to the FBI, impersonating the email accounts of chief executives has cost businesses around the globe more than $2bn in a little over two years. The FBI has seen a sharp increase in ‘business email crime’, a simple scam that is also known as “CEO fraud”, with more than 12,000 victims affected globally. The average loss is $120,000 but some companies have been tricked into sending as much as $90m to offshore accounts.
“It is about your business’s culture and it has to be led from the top,” says Boam. “You can’t pay lip service to it because if you do you will be compromised in some way. It involves a combination of people, processes and technology. Irrespective of where they reside, they can lead to a multitude of risks. It doesn’t necessarily have to be in relation to cyber; that’s just one way that the risk might manifest itself. The chief executive and people at executive level have to take ownership of all the risks and not just consider it to be an IT problem.
CEO’s least engaged in cyber security
“If we speak to a business, have a conversation around risk and security, and they say: ‘You need to talk to the IT director’, then we know we have a challenge. It’s not about technology; it’s about people. Management systems are at the core of the most effective security. If they are embedded at a senior level, at corporate governance level, they work. The further they move down, away from corporate governance, the less chance they have for success. Boards need to truly understand the risks they face.”
A report by IBM earlier this year revealed a disconnect between technology leaders in companies – chief information officers, for example – and the rest of the executive team. It found that chief marketing officers, chief financial officers, chief human resources officers and even chief executives were among the least engaged when it came to cybersecurity threat management activities. “These executives often feel as though cybersecurity preparations didn’t include them in a functional approach,” according to the report.
“CEOs were the most sceptical of all when asked whether the cybersecurity strategy of their enterprise was ‘well-established’.” The report warned: “As to the wisdom of such a stance, the number of CEOs that have lost their jobs — or quit voluntarily — after a major data breach speaks for itself. CEOs cannot afford to be complacent about security, and that means everyone in the ‘C-suite’ has a role to play. If there’s a disconnect, the CEO must send a clear signal that all parties are to work out their differences — or in some cases their indifference — to own up to their responsibilities and help lead the organisation toward a healthier cybersecurity.”
Not all about technology
But underlining Boam’s point that it is not all just about technology, earlier this month, the Scottish Business Resilience Centre (SBRC) highlighted a report by the City of London Police National Intelligence Bureau. Fraudsters have recently taken to targeting affluent residential areas, mainly in London but according to the SBRC the threat is valid across the UK, and criminals have been stealing post to identify senior executives within companies and organisations.
“Once the fraudster has stolen the mail, open source research is conducted to identify if the victim works within a suitable position to ultimately become a target. The fraudster uses social engineering to gather information on them and their employer and then contacts the organisation, purporting to be the victim, to carry out mandate and payment diversion fraud on the company,” it said.
Boam says awareness of the risks, taking responsibility from the top down and giving employees the confidence to challenge what could turn out to be breaches of security are key to securing a company’s assets. But even being proactive does not always bring with it good news. Boam related one case in which a company called in Net-Defence to consult on its security. A routine check of its server logs revealed it had unwittingly been the victim of a data scam for the past five years.