2.5 Million in 11 Days
£2.5 million: the sum businesses in the Highlands lost through cyber-crime in one eleven-day window, from the 19th to the 30th of July 2017, according to Police Scotland.
Around £500,000 of this total was stolen in a single case when the Highland Hospice care home became the victim of a banking scam. Investigators have so far recovered some ‘tens of thousands’ of the money stolen. Chief Executive Kenny Steele condemned the attacks: “People are horrified that a hospice could be attacked like this. It is abhorrent. They fully understand what has happened and we are acutely aware the money was donated to us to deliver the care services.
“That is why it is really sickening. Often in cases like this the victims almost blame themselves, but we would like to say that nobody has to be a victim of crime. It doesn’t matter how it happened or whether we were at fault or not, it is just sickening it happened at all.”
The Growing Threat
15 million: This is the number of malware items released worldwide every day in 2015, a number which is only likely to have increased in subsequent years. This figure forms the foundation of a survey of Scottish SMEs in the face of the threat of cyber-crime. The Information Security: Perceptions & Resilience report was published in 2016 by the University of Glasgow’s School of Computing Science and the Scottish Business Resilience Centre.
The majority of companies questioned were small businesses: 63% of those surveyed employed fewer than 30 people. Yet the smaller size of Scottish firms does not decrease what’s at stake – the Highland Hospice may only be a single unit, but it lost half a million pounds.
Heads in The Sand?
46%: the proportion of respondents to the survey who had ‘no idea’ how to detect a cyber-breach once it had occurred. The report noted that most staff were aware of ‘basic security practice’, but many were unaware of the “need for a full suite of protection tools and measures”. These insights are striking, particularly as the report also found that 45% of the ‘best’, i.e. most sophisticated, methods of phishing – such as targeted spear phishing – now succeed. As the methods of cyber-crime become more effective, more advanced defence tools are required to fight them.
Nearly 50% of respondents to the survey regarded controlling access to smartphones as ‘extremely important’, but only 20% of respondents classed updating their operating systems as ‘extremely important’, despite the fact that out-of-date versions of Windows XP were the main access points for the spread of WannaCry, which ravaged 11 of Scotland’s 14 NHS Trusts. This vulnerability is likely the reason behind the more recent cyber-attack, launched against NHS Lanarkshire only last weekend. The board looks after 650,000 individuals across three hospitals, but was forced to suspend non-immediate care for part of last weekend.
Too Close for Comfort
34: There were 34 reported ransomware attacks in Scotland in the past year, an investigation by The Scotsman revealed. 13 of these attacks were launched against NHS boards during the WannaCry attack, which demanded £230 per infected terminal for the release of patients’ information. The malware which struck NHS Lanarkshire last weekend did not demand payment, but instead knocked out telephone systems and staff directories. These attacks illustrate that Scotland’s cyber-landscape is a level playing field: larger organisations, which could be expected to be more heavily fortified than smaller businesses, are equally, if not even more, vulnerable.
51%: According to a new report issued by IT security magazine SC Media, more than half of critical infrastructure organisations – police forces, fire and rescue services, NHS Trusts, energy and transport organisations – have ‘ignored’ the risk that ‘short and stealthy’ DDoS attacks present. The data was compiled from a survey issued by Corero Network Security to 338 critical infrastructure organisations in the UK. The survey also found that 42% of NHS Trusts had not completed the UK Government’s 10 Steps to Cyber Security programme issued 5 years ago.
What We Don’t Know
39,339: This is the number of cyber-crimes reported to the police forces of England and Wales in the last 12 months, an increase of 50% over the previous year.
Police in England and Wales have been required to flag cyber-crime when it is reported since 2015, but no equivalent rule exists in Scotland. These rises in England and Wales are an increase of 87% over figures from 2015/16, with around 85% of reported cyber-crimes going unsolved.
The Scottish Government and Police Scotland say they are working on systems to classify cyber-crimes, but until those are in place, we can only assume figures in Scotland are rising at the same rate.
900: Nearly 900 people were convicted in Scotland’s courts last year, in 2015-16, under the Communications Act, 719 of them under section 127(1), the sending of harmful messages. Only one person was convicted last year under the Computer Misuse Act (1990), which covers spreading malicious software and unlawful access to machines. Laws concerning fraud and the selling of illegal goods are covered in non-online laws – they do not have their own digital counterparts.
Risk management firm IT Governance has compiled a thoroughly interesting list of all recorded individual cyber-security incidents, worldwide, for this August. According to the report, August was ‘a pretty quiet month’ relatively speaking, with only 4.6 million recorded breaches, in comparison to over 140 million recorded in July. But many of the attacks are very high-profile, ranging from leaks of details of HBO’s flagship fantasy show Game of Thrones, to a voting machine company’s exposure of 1.8 million Illinois residents’ personal data post-Election.
Fast, inexpensive measures are readily adaptable to even small businesses. Cyber Essentials and Cyber Essentials Plus are official UK Government schemes aimed at providing basic protections for firms large and small. The training schemes, which only take a few days for smaller firms, upgrade and then test companies’ strengths in the face of cyber-attacks. Firms are then awarded a certificate upon successful completion.
Other preventative measures such as patching can help immensely. Experts have claimed that if the NHS’s systems had been kept up to date, WannaCry’s spread through its networks would have been severely curtailed.
The cyber threat to Scotland’s businesses – and economy – is a deep and growing crevasse. Understanding the scope of the danger is the first step in combatting it. But businesses – and government – must be willing to act on that understanding, or they will leave themselves vulnerable to an increasingly sophisticated variety of attackers.
Stuart Mackinnon of the Federation of Small Businesses said to DIGIT: “Cyber-crime is a growing threat for Scottish small firms. While our members can access cyber insurance products and advice, all Scottish businesses should ensure their systems are secure. Firms should approach Business Gateway and the Scottish Business Resilience Centre to get good advice – and most operators should look into the Cyber Essentials accreditation programme.”