It doesn’t matter what size of business you are – cyber-crime is a threat, a Derbyshire Police event for East Midlands business people heard this morning in Derby. The opening speaker, Temporary DI Phil Donnelly, was replying to a question from the floor at Pride Park, the home of Derby County FC.
“Everybody is a target for cyber crime,” he said. “When they are attacking you, they might not know how big a business you are.” As he added, if a cyber-criminal is sending one million spam and phishing emails – and the criminals only need a few replies to make the sending rewarding enough – the criminal does not care who the spam goes to. Donnelly added: “What you have got to think about is how important is your data, how often do I need to back it up. Not if I have to back it up; because you do have to back it up. Everybody is a target, unfortunately.”
This reprised some of the points in his hour-long talk, which served as an introduction to a full day of cyber talks that drew an audience from across the region. He admitted earlier that for many years no-one had been recording cyber-crimes. He suggested that 16pc of all crime was ‘cyber-dependent’ and that total rose to 42pc for crimes that are ‘cyber-enabled’: “That’s a massive figure.”
With a background in computing before he joined the police, and 19 years as a GMP and now Derbyshire Police officer, he works for the East Midlands Special Operations Unit (EMSOU), which covers five police forces – Derbyshire, Leicestershire, Nottinghamshire, Northamptonshire and Lincolnshire. He ran an investigations team for three years. He told the event – a message that chimes with other official cyber-crime prevention messages – that 80pc to 90pc of the crimes he has dealt with could have been prevented by doing what he called ‘simple cyber hygiene’ of the sort that he covered in his talk.
As for back-up of data, he said: “I cannot stress this enough; please, please back up your data,” whether your personal music or pictures, or business-sensitive documents. He suggested that businesses should work out how long they could survive if their computers ceased functioning; for some, it may be weeks or months, for others much less, and it also depends on timing, such as payroll day. “So back your data up.” Also, test those back-ups to check that the data is recoverable.
To illustrate the damage that a data breach or ransomware attack can do to a business, he gave the example of an unnamed hotel that specialised in weddings; it took bookings up to three years in advance. A loss of the bookings system left the hotel not knowing when it had taken bookings for weekends; the business found such a loss of data ‘catastrophic’, Donnelly said.
As for what a business should do if it finds itself under ransomware attack: if it’s happening in front of you, pull the plug; you may be able to recover some data. If you get a message on your screen on a Monday morning demanding bitcoins, the first thing you should do is visit nomoreransom.org to try to decrypt your system. The official advice about whether to pay a ransom demand is: don’t. Donnelly revealed that business victims of cyber-crime have been in tears on the phone to police, because their data has been retrieved.
Donnelly also covered passwords; the insider threat; and touched on the upcoming new data protection law, the GDPR (General Data Protection Regulation) due to come into force in May, the subject of a separate session at the event; and the Cyber Essentials accreditation scheme, among other things under the umbrella of the National Cyber Security Centre (NCSC).