The adage of “don’t download attachments from an unknown sender” has never been more pertinent. Workplace cyber attacks are rife, with more than a third (39 per cent) of UK businesses identifying some kind of security breach in the past 12 months, according to the latest survey by the National Cyber Security Centre (NCSC).
While ransomware (where victims are blocked from accessing their data or computer system until money is paid) is often perceived as the biggest cyber threat for businesses, the most common attack is actually phishing, which affects four-fifths of businesses targeted. This is where cyber criminals pose as legitimate organisations, usually via email, to gain access to a victim’s sensitive information. The price of a cyber attack can be dear; a breach resulting in an outcome such as loss of money or data typically costs a small business £4,200, and for medium and large businesses, this rises to £19,400.
To help tackle the prevalence of business-related email scams, the NCSC has launched a new, free, online security tool, which allows anyone to check an email domain’s security levels.
Announced at this year’s CyberUK conference in Newport, Wales, the email security check service primarily aims to help individuals (whether they are using a work or a personal email account) decide whether an email they have received could be malicious. It lets them assess how vulnerable the sender’s email domain is to spoofing, where a criminal forges the sender address so that a message appears to come from a legitimate organisation, and therefore how easily that domain could be abused for a phishing scam.
The tool checks whether a domain has the relevant security measures in place and flags the gaps. These include anti-spoofing standards, which let receiving mail servers verify that a message claiming to come from the domain was sent by a server the domain owner has authorised, so that criminals cannot simply forge the domain in the sender address; and transport encryption protocols, which ensure that emails are encrypted in transit and remain confidential between email servers. A clean result means the domain is hard to impersonate; it does not prove that a particular email is genuine, since criminals can also register look-alike domains that pass the same checks.
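As an added illustration (not the NCSC’s own code; the article does not name the standards its tool checks), the Python below grades the kind of records such a check examines: SPF and DMARC, the anti-spoofing standards a domain publishes in DNS, and MTA-STS, which enforces TLS between mail servers. The real tool resolves these over DNS and HTTPS; here the record text is passed in directly, and the domains good.example and weak.example and their records are constructed samples, so it runs offline.

```python
"""Grade a domain's published email-security records.

Added example, not the NCSC's code. It assumes the standards such checks
commonly cover: SPF and DMARC (anti-spoofing) and MTA-STS (TLS between mail
servers). Record text is passed in, so the constructed samples need no DNS.
"""
import re
from dataclasses import dataclass

MISSING, WEAK, STRONG = "missing", "weak", "strong"


@dataclass
class Finding:
    record: str
    status: str
    detail: str


# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
_SPF_LOOKUP = re.compile(r"^[-~+?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def grade_spf(txt):
    """SPF lists hosts allowed to send for the domain; the terminal 'all' decides the rest."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return Finding("SPF", MISSING, "no v=spf1 TXT record")
    terms = txt.split()[1:]
    lookups = sum(1 for t in terms if _SPF_LOOKUP.match(t))
    if lookups > 10:  # top-level count only; included records add more
        return Finding("SPF", WEAK, f"{lookups} lookup terms (limit 10): receivers permerror")
    alls = [t for t in terms if re.fullmatch(r"[-~+?]?all", t, re.I)]
    if not alls:
        return Finding("SPF", WEAK, "no terminal 'all': unlisted senders are neutral")
    qualifier = alls[-1][0] if alls[-1][0] in "-~+?" else "+"
    if qualifier == "-":
        return Finding("SPF", STRONG, "-all: unlisted senders fail")
    if qualifier == "~":
        return Finding("SPF", WEAK, "~all: unlisted senders only softfail")
    return Finding("SPF", WEAK, f"{qualifier}all: any host passes SPF")


def _tags(txt):
    """'k=v; k2=v2' -> {'k': 'v', 'k2': 'v2'}; DMARC tag names are case-insensitive."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def grade_dmarc(txt):
    """DMARC: what receivers do with mail failing SPF/DKIM alignment, and where to
    report it. p=none only monitors; pct<100 samples; sp=none exposes subdomains."""
    if not txt or not txt.upper().startswith("V=DMARC1"):
        return Finding("DMARC", MISSING, "no v=DMARC1 TXT record at _dmarc.<domain>")
    tags = _tags(txt)
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    rep = "rua set" if "rua" in tags else "no rua, so no aggregate reports"
    if policy == "none":
        return Finding("DMARC", WEAK, f"p=none: monitoring only; {rep}")
    if pct < 100:
        return Finding("DMARC", WEAK, f"p={policy} applied to only {pct}% of mail; {rep}")
    if sub_policy == "none":
        return Finding("DMARC", WEAK, f"p={policy} but sp=none leaves subdomains spoofable; {rep}")
    return Finding("DMARC", STRONG, f"p={policy}, sp={sub_policy}, pct=100; {rep}")


def grade_mta_sts(dns_txt, policy_txt):
    """MTA-STS: TXT at _mta-sts.<domain> announces a policy served at
    https://mta-sts.<domain>/.well-known/mta-sts.txt; only 'mode: enforce' binds."""
    if not dns_txt or not dns_txt.lower().startswith("v=stsv1"):
        return Finding("MTA-STS", MISSING, "no v=STSv1 TXT record at _mta-sts.<domain>")
    fields = {}
    for line in (policy_txt or "").splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip().lower(), []).append(v.strip())
    mode = fields.get("mode", ["none"])[0].lower()
    mx = fields.get("mx", [])
    if mode == "enforce" and mx:
        return Finding("MTA-STS", STRONG, f"mode enforce for MX {', '.join(mx)}")
    if mode == "testing":
        return Finding("MTA-STS", WEAK, "mode testing: failures reported, delivery proceeds")
    return Finding("MTA-STS", WEAK, f"mode {mode}: TLS not enforced")


def grade_domain(records):
    """Return {record name: Finding} for one domain's published records."""
    findings = (grade_spf(records.get("spf")),
                grade_dmarc(records.get("dmarc")),
                grade_mta_sts(records.get("sts_txt"), records.get("sts_policy")))
    return {f.record: f for f in findings}


# Constructed records for two hypothetical domains (not real lookups).
GOOD = {"spf": "v=spf1 mx include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
        "sts_txt": "v=STSv1; id=20220510T000000;",
        "sts_policy": "version: STSv1\nmode: enforce\nmx: mail.good.example\nmax_age: 604800\n"}
WEAK_SITE = {"spf": "v=spf1 include:_spf.mail.example ~all",
             "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
             "sts_txt": None, "sts_policy": None}

if __name__ == "__main__":
    for name, recs in (("good.example", GOOD), ("weak.example", WEAK_SITE)):
        print(name)
        for f in grade_domain(recs).values():
            print(f"  {f.record:8} {f.status:8} {f.detail}")
```

Running it prints one line per record for each sample domain. Three “strong” results mean the domain is hard to impersonate and its mail is protected in transit; a DMARC policy of p=none or an SPF record ending in ~all is the common “monitoring only” state that still lets spoofed mail reach inboxes.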
It adds to a list of other NCSC tools for consumers, such as its suspicious email reporting service (SERS), where anyone can forward on emails to email@example.com, and its website reporting tool, where people can submit URLs of suspicious websites, such as scam sites offering investment or cryptocurrency opportunities with fake celebrity endorsements. The NCSC then analyses them and removes them if they are found to be fraudulent. Such mechanisms helped the NCSC remove 2.7 million scams in 2021, four times the amount it removed in 2020.
This fourfold increase shows the extent to which online fraud is a growing public threat; people in the UK are now more likely to be a victim of fraud than of any other crime. To stop scams at their source, the NCSC has brokered a new data-sharing agreement between government and broadband providers, which will give organisations such as BT and Sky the information they need to identify and block scam websites more quickly.
Jeremy Fleming, director of the UK’s intelligence, cyber and security agency, GCHQ, said at CyberUK that there must be a “shared sense of purpose” between government and industries to tackle cyber crime.
“We are working with partners across the country – private and public – to respond to incidents, warn of threats and offer tailored advice and guidance to stay safe online,” he said. “And we are supporting the adoption of measurable, data-driven standards, in government, the public sector and wider critical national infrastructure (CNI).”
Critical sectors, including local and central government and healthcare, carry a high risk of becoming cyber attack targets. Several high-profile cases in recent years (such as the attack on Redcar and Cleveland local authority in 2020) demonstrate the public sector’s vulnerability, and in many cases, the lack of preventative security measures or contingency plans in place.
Lindy Cameron, CEO at the NCSC, told Spotlight that central government needs to “lead by example” in following security procedures, and that ensuring measures are in place is as important for public sector organisations as it is for private sector ones. “We don’t believe you should be constrained by how big your organisation is or how much money you have,” she said. “It’s about making sure you’re fit for purpose and that you protect the services you provide effectively. It should be part of the cost that’s built in to providing those services in the first place, not an add-on.”
Ian Levy, technical director at the NCSC, added that government is often used as a “guinea pig” to test new security tools before the centre launches them publicly, and therefore this helps to create an incentive for other organisations to follow suit.
“Once we make sure government can [follow its own advice], this [convinces] businesses that they must be able to do it too,” he said. “It’s about changing the market incentive so that the easy thing to do is also the right thing to do. At the moment, security is too difficult for 99 per cent of people.”
CyberUK took place from 10-11 May 2022.