WHY COMPANIES MUST MOVE NOW TO SECURE NETWORKS AFTER M&S AND HARRODS ATTACKS

THE cyber-attacks on M&S and Harrods are stark examples of the damage that can be caused to businesses that fail to secure every aspect of their IT systems, a leading expert has warned.

The wide scope and sheer cunning involved in the attacks should be a wake-up call for businesses large and small, according to Roy Shelton, Group Chief Executive of Connectus Business Solutions.

He said: “Both are major brands with large budgets and IT operations but the attacks are reminders that organisations have to keep pace with the ever-evolving attack methods deployed by cyber-criminals.

“Managers within smaller businesses tend to think that they are less exposed but recent data shows that the risk is widening from data theft alone to include widespread disruption to day-to-day operations.

“Reports indicate that the retail hackers used social engineering tactics to pose as IT help desk staff or locked-out employees to gain access to internal networks by manipulating password reset systems.”

Mr Shelton says it would be a mistake to think “we are too small”, pointing out that hackers want company data and to cause disruption to businesses and the wider economy.

He added: “All companies hold sensitive information relating to their customers, their supply chain partners, employees, business practices, and intellectual property.

“SMEs who are contracted to larger firms will often have access to IT systems for uploading data such as building plans, pipeline routes for utilities, site access controls, and CCTV installations.

“If any of these types of data were compromised, it could pose not just a security breach but also a potential criminal or even a terrorist event.”

Mr Shelton said hackers acquire compromised data from the Dark Web, including email addresses and personal details, and use that to pose as IT support staff.

He said: “There is still a common assumption in business that cyber-attacks are carried out by local and overseas individuals in boiler shop environments, targeting high-value organisations which makes larger companies seem like the primary targets, but there are many SMEs who have been breached.

“The average gestation period of a breach is around 16 weeks, so a threat actor could lie dormant in your IT estate capturing vast amounts of information before launching an attack.

“Many of these attacks are automated and actually carried out by bots and other levels of automation and harmful AI that scan the internet for vulnerabilities and compromised data 24/7.

“They don’t care whether you’re a global enterprise, a small business, or even a home user. If you’re exposed, you’re a potential victim.

“Ransomware doesn’t discriminate, automation has made everyone a target and it preys on the most vulnerable.”

Mr Shelton said the points of risk broadly fit into three categories:
Technology: make sure your network is protected with an up-to-date firewall and firmware, that your security settings are robust, that all your software is patched and managed, and that your devices such as mobile phones, printers, wireless access points, CCTV and door entry are protected.
Process: ensure you have automated and managed your patch management and vulnerability scans, regular penetration testing by an external third party, and physical sign-off and authorisation – it is too easy to impersonate telephone numbers and emails and also very easy for AI to impersonate voice embedded video for payments and access. Make this part of your governance and controls.
People: these are often referred to as our best assets, so train them and protect them from harmful phishing attacks, social media engineering and intimidation. More importantly, train them what to do in the event of a breach as most companies do not have the skills or knowledge to deal with it.
He concluded: “Above all do not be complacent and be blasé; it’s not a matter of if you could become a victim – it’s now moved to when.”
