THE WEAKEST LINK

Talking to a cybercrime specialist from Barclays yesterday, I learned that 72% of their business customers had reported receiving bogus invoices by email. No surprise there; many businesses I have spoken to have received them, and there were two in my own inbox when I got into the office today. What did surprise me was the number of businesses (most were SMEs, but not all were) that actually paid these invoices!

I am using this to underline the lesson that the weakest part of any system, and the part targeted by cyber-criminals in 90% of attacks, is a human operator. This goes to show why human interaction with technology needs to be made failsafe, and why cybercrime is becoming less a technical issue and largely a human problem.

It seemed incredible that someone would pay an invoice without checking that it was owed until I remembered a scam that happened in New York a few years ago. A likely lad put an ad in the New York Times. It read: “This is the last day to send in your $10. Box xxxxxxx”. Just that. He had pocketed $30,000 before the NYPD caught up with him.

There is an increasing need for education at all levels to help businesses protect themselves, particularly from social engineering attacks (bogus invoices, fake legal fees), staff negligence (password taped to laptop screen, failure to follow secure procedures) or malicious insider attacks. A major element of advice in our resilience and assurance projects is to “educate your staff”.
