Key points
- The NCA recently stopped a major cybercrime marketplace: a prolific DDoS-for-hire service.
- As threats rise, the new government highlighted cybercrime as a priority in July’s King’s Speech.
- By fostering a cyber security culture, planning for crises and practising good hygiene, smaller firms can protect themselves.
If you’re working in a professional services firm, you face unique challenges when it comes to protecting data. Even small to medium-sized firms tend to handle large amounts of highly confidential and sensitive client data, plus you have the additional hurdle of limited in-house digital support or budget.
The good news is innovative solutions are coming to market frequently, and, particularly as technology advances, there are increasing numbers of options to choose from.
NCA use innovative measures to thwart cyber attack
A recent example of innovation in cyber security operations is the National Crime Agency’s (NCA) announcement that it infiltrated and stopped the world’s most prolific distributed denial of service (DDoS)-for-hire service.
Digitalstress.su was a criminal marketplace responsible for tens of thousands of attacks every week around the world. It offered DDoS attacks, a kind of cyber-attack designed to overwhelm websites or servers, forcing them offline or causing significant slowdowns.
DDoS attacks don’t obtain unauthorised access to a company’s infrastructure or data like many typical ‘hacks’. Instead, they can be used to take a business offline during a critical sales period or event, by online activists as a form of political protest and, most often, as smokescreens to distract IT teams away from a larger attack.
Any business with sensitive data could be vulnerable to a cyber attack
The NCA innovatively dismantled digitalstress.su by disabling its functionality, creating a mirror site to capture user details and accessing communication channels used for DDoS attacks.
This case highlights the complex nature of today’s cyber threats but also demonstrates how innovative law enforcement techniques are being used to combat cybercriminal services.
How can I protect my firm?
You might be wondering if DDoS or other cyber-attacks only target larger organisations or the Big Four.
Not according to cyber security experts.
Dave Harvey, Director, Cyber Response Services at KPMG, says the frequency of DDoS attacks has increased in recent years as the tools to execute them have become more accessible, although they often aren’t reported as heavily as data exfiltration incidents.
“Any business holding confidential and financially sensitive data could be a target. Smaller professional services firms that depend on booking clients through their website or hold a significant amount of valuable data, but don’t have robust security measures or resources, are particularly vulnerable,” he says.
Firms may also face phishing and ransomware attacks. In fact, Harvey says most businesses will have faced some kind of threat in today’s landscape. The trick, he says, is to ensure the first time you’re responding to a cyber breach isn’t the first time that you’ve thought about what actions you’d need to take. Preparation and practice are key.
“Fostering a cyber security culture is important from the outset. Ultimately, your first line of defence are your people. The best way to protect yourself is to make sure they are aware of threats, can spot unusual activity and know how to respond,” he says.
Cyber safety trifecta includes audits, training and scenario testing
Harvey encourages smaller firms to prioritise cyber safety with annual audits, regular training and scenario testing.
“Instead of considering a yearly audit or mandatory training as a tick box exercise, we recommend scenario planning with your finance, HR, IT and leadership teams,” Harvey says.
“This type of training is more impactful because it’s developed from real scenarios that people connect with. How can they learn from their mistakes? Who is the response team? Do you need to pull in any external advisors when you discover a breach? Do we have viable backups of our data? These are all important questions you should have answers to.”
Embrace cyber safety tools
Another important area of focus is the supply chain. If you outsource cyber security, audit your supplier and ensure they fulfil their obligations by regularly checking penetration test results.
Experts also recommend basic cyber security hygiene steps, including setting up two-factor authentication, updating all software, regularly backing up data and having robust email security in place.
Phil McGovern, Managing Director at MPA Financial Management, says his firm started using end-to-end encryption platform Mailock in 2023 to better secure client communications via email. It searched for a user-friendly solution that met National Security Agency (NSA) standards and was easy to implement.
“The positive feedback from our clients has been overwhelming,” McGovern says. “They appreciate the enhanced security measures we’ve adopted, and we take pride in our commitment to providing the highest standard of service and protection. Mailock has not only strengthened our data security but also reinforced the trust our clients place in us.”
Artificial intelligence (AI) is another area of cyber security innovation that firms could explore, with increasing numbers of anomaly detection tools entering the market.
Remember, for an SME, just one data breach could be devastating. The above measures can go a long way in ensuring businesses, and the data they hold, are adequately protected in today’s corporate world.