The message couldn’t be starker: the world is under a massive cyber attack. So says Jeremy King, International Director of the PCI (Payment Card Industry) Security Standards Council and he is well equipped to say so. Travelling around the world and talking to companies across the UK, Europe, US and Africa, he hears the same story: companies are the targets of cyber attacks. “The criminals are very well organised, they are global and they share details about how to attack,” he says.

“There has been a massive rise in cyber crime, starting from e-commerce to phishing, malware and ransomware.”

The biggest problem, according to King, is that CEOs either believe that their company would never be a target, or consider cyber security to be a mere IT matter, without realising that everyone who has access to their systems is a possible weak spot. Only one person has to press the wrong button for an attack to begin. “Companies need the right security practices and processes, but above all the employees need the right tools and training. People still have terrible passwords like ‘password1’ or ‘123456’ and the criminals know this. We also put too much information about ourselves on social media, so we make it easy for the criminals to attack.”

High-profile attacks

There have certainly been some high-profile attacks. Last year there was a security breach on the e-commerce platform Magento, while in May this year the global WannaCry attack infected more than 230,000 computers in over 150 countries. The UK’s National Health Service, Spain’s Telefónica and Deutsche Bahn were just some of those affected before the attack was halted by an English web security researcher who discovered a kill switch. “What happened was that malware came in and encrypted everything,” says King.

"The problem is that CEOs believe that their company won't be targeted, or consider cyber security to be a mere IT matter."

“In the financial world we’ve been using encryption for years, but now the criminals have realised what we have been doing and unfortunately turned it against us. Furthermore, the invention of Bitcoin has helped: it’s hard to trace and easy to use.” It is also becoming increasingly apparent that targets often do not handle payment data at all – the NHS, for example – and so are less likely to have been aware of the potential threat of an attack.

Combating fraud

One way for companies to combat fraud is to adopt and implement the PCI-DSS (Data Security Standard) and to understand the issues involved. “How many people have access to your website?” King asks. “How many have access to payment data? Where does that data go? Restricting access to employees that don’t need everything on the system might be a start.”

"81% of hackers leverage either stolen and/or weak passwords. The criminals are well organised, but they are not necessarily super-sophisticated."

Implementing the absolute basics would have a huge impact: for example, 81 per cent of hacking-related breaches leveraged stolen and/or weak passwords. The criminals are well organised, but they are not necessarily super-sophisticated and, as King reiterates, we have been making it too easy for them. Beyond the basics there is much more a company can do: improving network security, installing firewalls, limiting system access and protecting data by using encryption. From May next year the UK will adopt the EU’s General Data Protection Regulation (GDPR): this will not be affected by Brexit and is intended to strengthen and unify data protection for all individuals in the EU.

Protecting smaller businesses

Of course, while most of the above affects big business, small businesses can be targets of cybercrime too. “There are one million small merchants in the UK that accept payments and they don’t have the level of expertise that larger companies with IT departments do,” says King. “The PCI Security Standards Council is simplifying our advice and instructions: we have resources available on PCISSC.org that are specifically aimed at smaller businesses and we are linking up with other organisations such as the British Independent Retailers Association to raise awareness that these tools are available.”

What every company, large or small, should do is establish an incident response plan and then stress test it. “It might fall apart in five minutes but at least you can do something about it,” says King. “It is the best way to reduce the impact of the breach – along with training the CEO in what to say.”