With new statistics showing that more than 43 per cent of businesses suffered a cyber breach or attack in the past 12 months, it is more important than ever that companies take the threat of cybercrime seriously. In fact, the latest figures suggest that while consumer-targeted attacks might be falling as consumers’ security improves, cyber criminals are now shifting their attention to the potentially more profitable enterprise sector, where some companies have been slow to recognise the real risk that cybercrime poses.
In this article, Finance Director Rob Ross and IT Director Richard Litchfield, from independent logistics operator Europa Worldwide Group, discuss why the threat is so significant and provide insights into how, as a leading operator in the sector, they are working to combat the increasing issue of cybercrime.
A costly problem
“By failing to prepare, you are preparing to fail” is a well-known quote, often used in business situations to emphasise the importance of being prepared and thinking ahead. Yet while a financial business plan is considered essential by most business leaders, a business continuity or response plan often carries far less weight, a decision which Finance Director Rob Ross says could cost many operations dearly.
Analysis by management consultants Oliver Wyman recently suggested that in the logistics industry specifically, cybercrime could result in damages amounting to 6 billion Euro by 2020. Rob said, “While this is a worrying figure, I think it’s wholly probable, based on our experiences. According to Government statistics, the average cost of a cyberattack to a large business is over £9,000, with some costing significantly more. When global shipping company Maersk was hit by a cyberattack last year, the cost was put at around $300 million.
“The sort of figures we’re talking about are obviously substantial – whether that’s as a result of extortion or blackmail, legal costs, loss of revenue from systems failing, reputational damage or falling for a simple scam.
Daily cybercrime attempts
“Most of the scams we are targeted with involve asking for money. Research shows that the most common breaches or cyberattacks are as a result of fraudulent emails or impersonating the organisation online rather than malware attacks and our experience certainly fits with that. Phishing is a particularly significant problem. We deal with daily social media messages and emails about invoices for fake goods, complaints about missing (read: non-existent) consignments and requests for payments.
“I have received emails purporting to come from other senior members of the management team, our suppliers and other employees, all asking for payments to be made to specific bank accounts – often for seemingly legitimate reasons. It’s not just over email either. The sales teams take calls from people requesting logistics services who, when we do the due diligence, simply don’t exist. Either they don’t work for the company they have supposedly called from, or the person is real, but never actually made the call.
“Many email-based scams involve an email address that has been changed very slightly, for example changing an ‘a’ to an ‘o’ or adding an ‘s’ onto the end of an email address, which means we have to be vigilant all the time. This introduces another factor on top of the potential financial loss – that of productivity. Staying one step ahead of the fraudsters is time consuming and has introduced another element into administrative roles which simply didn’t exist 10-20 years ago.”
Staying one step ahead
“We have regular training sessions (which include regular presentations from our bank) and are constantly reviewing our processes based on what we’re facing, but as with everything there is a balance to be found. The business still has to run efficiently and profitably – and putting too many procedures in place stops the flow and can actually be detrimental.
“At Europa we want to remain agile even whilst we are growing rapidly. Reacting fast and effectively to whatever happens across the whole business is a key focus. As a finance department, we are at the front line of these particular money-related demands, but any area of a business could be targeted for exploitation by criminals.”
A business-wide responsibility
While email scamming is the primary method of cyberattack, it is by no means the only way in which a company is vulnerable. In logistics especially, with multiple partners operating in different countries, cybercriminals will search for and exploit the weakest link in the supply chain. Buoyed by the kudos and technical satisfaction which comes from a successful hack, they are constantly developing tools with which to attack organisations, with little or no regard for size or value. IT Director Richard Litchfield is continually improving security to prevent penetration, but says it’s an ongoing battle.
“The global nature of cybercrime, its fast-moving pace and the sheer magnitude of the issue means the situation changes daily as more threats are developed. We carry out regular penetration testing and every time a threat is perceived we re-examine the procedures we have in place, but it’s a continuous process. So much so that we are looking at employing a full-time member of staff to take responsibility across the business.
“It’s not just the online risk. To combat that we could install a better firewall, improve our defences, but at the end of the day, as Rob said, the business still has to function effectively, so we need a balance. For me, much of that comes from education and awareness.
Raising cybercrime awareness
“We can lock down our networks even further and prevent people from adding their own devices but that’s not helping them to do their jobs or be productive. Far better to invest in training and education, so that everyone knows how to work securely, how to recognise a threat and perhaps most importantly – why it matters.
“This type of awareness can be a great weapon in the fight against cyber criminals and is often the first step, giving businesses a whole army of people looking out for chinks in the armour. Taking this sort of considered view also allows the problem to be addressed as a company-wide issue, looking at the impact across the business rather than on a departmental basis.
“Obviously, the threat of an attack doesn’t just come from external sources and we are acutely aware that these same employees can pose a risk as well. Disgruntled or simply unscrupulous employees can be bribed to give access to systems – but good education should at least prevent them being duped through ignorance.”