Author Mark Richards
Online identity theft is continuing to increase – but this year has also brought two serious cyber-attacks on large organisations worldwide. Now people are starting to ask a very worrying question: could I lose my job to a cyber-attack because the company I work for has not prepared properly?
Last Friday we wrote about wearable technology and the impact it might have on the health sector. That article briefly touched on ‘internet blackmail and theft’ which, we said, ‘is sadly becoming a recognised career choice in some parts of the world.’
We have seen that all too clearly this year. Beginning on May 12th, the WannaCry ransomware attack affected Britain’s NHS and large organisations around the world. Within 24 hours over 230,000 computers in more than 150 countries had been hit.
On a more personal level, identity theft – the deliberate use of someone else’s identity to obtain a financial advantage – continues to be a growing problem. According to a report just published by Cifas (the UK’s anti-fraud organisation), there were 89,000 cases of ID theft in the first six months of the year, which they describe as reaching ‘epidemic levels.’ It may well be the case that the real figures are higher given that some people are too embarrassed to report the theft – or may even be unaware of what’s happened. The numbers were 5% up on last year, with 500 cases of ID theft now being reported every day.
I remember when I had my first bump in my first car. “It’s inevitable,” my dad said. “Everyone has a car crash at some time in their life. You’re OK. And the car can be repaired.” Are we now approaching a stage where we turn round to our children and say, “It’s inevitable? Everyone has their identity stolen at some time in their life.”
We have written previously about steps you can take to protect yourself against identity theft but it bears repeating: the name of your dog followed by your birthday is not an adequate password. And I suspect that in the not too distant future firstname.lastname@example.org will not be a very secure e-mail address either. Maybe we can all learn something from Bitcoin, the increasingly popular crypto-currency. A Bitcoin wallet address is typically 25 to 35 digits long and consists of letters and numbers. 1ExAmpLe0FaB1tco1NAdReS5V5TsGamF6hd may not quite as easy to memorise, but I would suggest it is rather more secure than Molly24.
The impact of WannaCry and NotPetya
Increasingly though, we will find ourselves just at risk from personal attacks via identity theft: the companies that pay our wages are increasingly coming under attack. It was not just the NHS that was hit by WannaCry – early reports suggested that other big organisations affected included several US hospitals, FedEx and Nissan. But that was just the beginning of the problems. A month after WannaCry an attack called Petya originated in the Ukraine: subsequently modified, renamed NotPetya, and targeted globally, the attack did millions of pounds worth of damage.
According to a report in the Guardian, Reckitt Benckiser – maker of Nurofen and Dettol among other products – suffered a £100m hit due to disruption of production and missed deliveries in several countries. Even worse damage was suffered by the Danish shipping line Maersk, with estimated losses of $300m thanks to the virus – and a subsequent knock on effect on the worldwide shipping industry.
The article quoted Anthony Dagostino, head of global cyber-risk at Willis Tower Watson, as saying that the attacks were taking a significant toll on businesses. “We have crossed the threshold into new territory regarding damages sustained,” he said. “No longer is it limited to compromises of data and privacy, with expenses being limited to remedial work. We are now seeing disruption to supply chains and production, the material loss of income and physical damage.”
Worrying signs in the UK
Phew! Thank goodness we live in a country where cyber-security is taken so seriously.
Maybe you should think again…
Two-thirds of UK company directors have had no training at all for a cyber-attack. The Cyber Governance Health Check – a recent survey carried out by the National Security Centre – found that 54% of the FTSE 100 companies who responded identified cyber-hacking as a major threat to their company. Incredibly, one company in ten (you should probably sell their shares) had no plans to deal with it and two-thirds of the companies said their directors had ‘no training in how to respond to a cyber-attack.’
The internet has been a wonderful thing for many companies. It has opened up the whole world as a market, with companies – especially in the knowledge economy – no longer bound by geography. But it is a two-way street. By the same token, all UK businesses are now a ‘market’ for the rest of the world – and there is a large section of the world which no longer plays by the rules.
The Cyber Health Check was on FTSE-100 companies – who almost certainly have specific IT departments. But the majority of people in the UK work for SMEs – small and medium sized enterprises. Typically, those are companies that do not have a specialised IT department or IT director and where – all too often – online security is reactive rather than proactive.
So cyber-security becomes the job of the company directors – and if they have had no training, the impact of an attack could be devastating. Companies like Reckitt and Maersk are big enough to stand the hit: the company you work for may not be. It is entirely possible that the successor to WannaCry and NotPetya could put some IT-dependant UK companies out of business.
So next time you go for a job interview and it reaches the ‘is there anything you’d like to ask us?’ stage, a very good response might be, ‘Yes, what steps have you taken to guard against a cyber-attack?’
What you are looking for are regular security audits, a pro-active approach, continuing staff education and – above all – a company that isn’t fazed by the question. If, on the other hand, you see sweat appear on the interviewer’s forehead as he mumbles, ‘Ah, yes, well, all in hand. No need to worry…’ then it may be time to politely decline, and take your CV somewhere else.