“Cyber-crime can cause you to be harmed personally, or harm your business, and if you are a small business you can be sunk,” Rebecca Lawrence, chief executive of the Mayor's Office for Policing and Crime (Mopac), told attendees at a London Digital Security Centre (LDSC) meeting at City Hall yesterday.
The event was very much a call for cooperation with the LDSC, ranging from input by industry, academia, the police and the public, to becoming members, to providing resources (financial, time and expertise), as well as reporting cyber-crime so that it can be accurately monitored and responded to.
“We will not be able to police our way out of this, but policing has a role,” said Lawrence, adding, “This is volume crime that you can't investigate your way out of.” Against this background, and despite a huge willingness to help, there was no single structure, hence the formation of the LDSC by Mopac, the Met Police and the City of London Police, described by Lawrence as a concept that, with more players joining, can create a model for this city (London) and beyond; it is currently seeking more partners. The LDSC currently has just 12 staff, hence the emphasis on working with others.
Rajesh Agrawal, deputy mayor for business, continued the theme, noting how cyber-crime “affects all of us, whether large or small business, but large businesses have more resources to protect themselves.”
Agrawal has a fintech background and started out in the UK as an IT manager, so he understands the importance of cyber-security. He explained that there are more than a million SMEs in London, employing about half the London workforce, and that both staff and customer data and money can be stolen by cyber-crime. “We need to explain why they are at risk, how they can protect against attacks, and what measures they can take,” said Agrawal. [Later it was pointed out that there are 5.4 million SMEs across the country.]
Agrawal added that the Mayor's manifesto included plans to develop a cyber-security policy, and as a result the city's first chief digital officer has now been appointed (Theo Blackwell, who later addressed the meeting). “London is currently ranked the number one place to do business and we need to replicate that in digital business,” concluded Agrawal.
John Unsworth, chief executive of the LDSC, then took to the stage with an appeal for help, including any critiques of how his organisation, working through partnerships, could better deliver on its remit of keeping businesses, and particularly SMEs, safe online.
Three priority areas were identified: work in the community (taking digital security to the high street), digital security clinics, and affordable and appropriate products for SMEs.
Because small businesses may lack information and not want to look foolish, it needs to be made easier for people to ask questions and get them answered; digital consultation clinics help here.
But the LDSC is also promoting its membership scheme to develop a continuous relationship with business: not a one-off, single action, but a series of actions which can be monitored to build a body of evidence about the problems and what works. Assistance includes helping small businesses know what products are available and what they cost, and helping them triage their needs, so they are told: “Based on your needs, this is what you should have. Sometimes they don't need to spend more, just put in more time and effort,” says Unsworth.
The LDSC's preferred way of working is to avoid ‘reinventing the wheel' and instead add value to existing networks, taking guidance from the NCSC, the National Police Chiefs' Council, the Cyber Protect Programme and others.
It also wants to help ensure there is a coordinated and consistent service delivered via the Metropolitan Police Service, the various boroughs' cyber teams and those at the City of London Police, and, by engaging with business, to get a true picture of the level of the problem faced. The role of business is particularly important as only 0.1 percent of all police resources are dedicated to cyber protection, even though cyber-crime now equals all other crime in volume.
“Information is great but action is better,” said Unsworth, adding, “We need to show how to fix a problem, focus on solutions, tangible action, and how to implement those actions – not just push information out. These businesses are not trawling for this information – so we need to do something different. Like holding digital security clinics on the high street – which we have done in eight boroughs in the Met, and the City, reaching 400 businesses, who get 15 minutes, listened to by police officers who can explain how much more likely they are to be a victim of online crime.”
Ways to achieve this include describing the shift in focus from physical to digital crime, while explaining that it is not only social media and websites that are at risk, but also your online banking and so on. Ideally the LDSC wants companies to conduct a cyber risk assessment: audit what you've got. Not in a formal way, but in terms of how the company works. “You then map this against what good looks like and say, here are a number of steps that will make you safer.”
Of the businesses the LDSC has engaged with, 79 percent have fewer than 49 staff, most have no dedicated IT function, and security is an add-on; they often don't know what to ask when they commission an external company, and often opt for the cheapest option. By the time, say, a website goes down, it is too late, and you get situations such as a charity which lost everything because it had no backup.
A lot of businesses are doing a lot unsafely, and it's our fault for not showing them how to do it safely and assuming they'll all teach themselves.
Some 77 percent of businesses do not have DMARC, so the LDSC provides a free toolkit to implement it: there is time and effort in setting it up but no cost, and the LDSC helps by showing people how to do it and where to get information. If a company can't afford to run the latest operating systems, it will be encouraged to prioritise the machines that hold the most sensitive information.
For all that the organisation is action-oriented, it appreciates the value of data and is building a digital security index, by borough, to see how boroughs differ, and updating it to see whether the picture changes, including taking action to encourage that change. The same approach applies to members.
For companies that become members, various products and services are provided, and they are enrolled in a programme to establish ‘where we are now'. First their security posture is assessed to evaluate current risk. Then an action plan (MAP) is put together. Then there is a review of where they have got to. They get a security scorecard with an external view of their security and an assessment of how close they are to Cyber Essentials. There are gradings for people, platform and processes, and every member is given an action plan including key recommendations of what they can do for free, and is then talked through the process.
Advice is also given by other advisors, members get a free training package, and they see how ready they are for Cyber Essentials.
Then they are tested to see how well they have learnt, including phishing exercises, smishing exercises, social engineering and recovery rehearsals.
Then they are reviewed again later, and their score should have changed.
Unsworth concluded: “If your organisation would like to help make a difference, the LDSC would welcome your input.”
Recent research by the centre demonstrates the scale of the SME problem:
1. 69 percent are running outdated software on their network
2. 74 percent do not have policies regarding use of bring your own device (BYOD)
3. 24.59 percent do not have anti-virus programmes on their machines
4. 69 percent do not use encryption software
5. 84.54 percent do not use digital signatures
6. 76.58 percent do not use DMARC (Domain-based Message Authentication, Reporting and Conformance, an email authentication, policy and reporting protocol).
As a result, the London Digital Security Centre has issued its best practice advice on digital security for SMEs which includes:
1. Install the latest software and app updates; they contain vital security upgrades which help protect against viruses and hackers
2. Use strong and separate passwords for your key accounts, including email and online banking and use three random words to make a strong and memorable password
3. Provide staff with access to simple, freely-available cyber security training
4. Back up essential data at regular intervals
5. Conduct a cyber security risk assessment for your business
6. Seek accreditation through the Government-endorsed ‘Cyber Essentials' scheme
7. Never disclose security details such as passwords or PINs
8. Don't assume an email, text or call is authentic; just because someone knows your basic details, it doesn't mean they are genuine
9. Ensure that administration accounts are not used for routine activities such as browsing and emailing
10. Deploy DMARC and SPF (Sender Policy Framework, a DNS record that lets receiving mail servers check whether the sending server is authorised for the message's domain).
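The DMARC and SPF advice above, and the free DMARC toolkit mentioned earlier, both come down to publishing two DNS TXT records and getting their contents right. The following is an added example (not the LDSC toolkit or any code from the page) that parses SPF and DMARC record strings and flags the mistakes an SME typically makes: a permissive or missing `all` mechanism, more than ten DNS-lookup terms in SPF (which makes the record a permanent error), a DMARC policy of `p=none` that only monitors, no aggregate-report address, or a `pct` below 100. The sample records are constructed for the example and use example.com-style domains; no DNS queries are made.

```python
"""Check SPF and DMARC TXT records for common weaknesses.

Added example, not the LDSC toolkit. Works on record strings supplied
inline (constructed sample data), so it runs offline without DNS.
"""
import re

# Constructed sample records; the domains are placeholders, not real records.
SAMPLE_SPF = "v=spf1 include:_spf.example.net include:mail.example.org a mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.com; pct=100")

# SPF terms that trigger a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(txt):
    """Split an SPF record into qualified mechanisms and count lookup terms."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = {"all": None, "lookups": 0, "mechanisms": []}
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208 default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, 1)[0].lower()
        if name == "all":
            parsed["all"] = qualifier
        if name in SPF_LOOKUP_TERMS:
            parsed["lookups"] += 1
        parsed["mechanisms"].append((qualifier, term))
    return parsed


def assess_spf(txt):
    """Return a list of human-readable findings for an SPF record."""
    p = parse_spf(txt)
    findings = []
    if p["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif p["all"] == "+":
        findings.append("'+all' authorises every host on the internet to send as you")
    elif p["all"] == "?":
        findings.append("'?all' is neutral: the record says nothing about unlisted senders")
    elif p["all"] == "~":
        findings.append("'~all' softfails only; move to '-all' once the sender list is complete")
    if p["lookups"] > 10:
        findings.append(f"{p['lookups']} DNS-lookup terms exceed the limit of 10 "
                        "(record evaluates to permerror)")
    return findings


def parse_dmarc(txt):
    """Split a DMARC record into a tag dictionary, validating the version tag."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(txt):
    """Return a list of human-readable findings for a DMARC record."""
    t = parse_dmarc(txt)
    findings = []
    policy = t.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    if "rua" not in t:
        findings.append("no rua address: no aggregate reports, so nothing to monitor")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']}: policy is applied to only part of the mail")
    return findings


if __name__ == "__main__":
    for label, record, fn in (("SPF", SAMPLE_SPF, assess_spf),
                              ("DMARC", SAMPLE_DMARC, assess_dmarc),
                              ("DMARC (hardened)", HARDENED_DMARC, assess_dmarc)):
        print(f"{label}: {record}")
        for finding in fn(record) or ["no findings"]:
            print("  -", finding)
```

The sample DMARC record is the typical first deployment (`p=none` with a reporting address), which is the right starting point but gives no protection until the policy is raised; the hardened record shows the end state. For a real domain, fetch the TXT record at `_dmarc.yourdomain` and the SPF TXT record at the domain apex (for example with `dig TXT`) and pass the strings to these functions.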