It is no longer a question of if a business will be attacked, but when – and how.
There are still many old style fraudsters who forge cheques, submit false invoices for fictional services or seek a “dear friend” who will help them repatriate several million pounds but these are just a reminder of bygone days when a fraud looked like, well, a fraud.
In recent times a fraud is more likely to look like a genuine email from the managing director asking a member of the accounts team to make a payment to what looks like a supplier.
Closer inspection may reveal that the proposed destination of the cash is not quite what it seems.
Perhaps the language is more polite than one would expect from the MD, maybe the email address of the sender isn’t exactly right – although it looks right at first glance.
Any communication regarding the movement of cash should now be subjected to an additional level of scrutiny. Many businesses have already updated their procedures.
Some will not send cash in response to an email request. Many will make a call to the parties involved to check that everything is genuine and that a payment request originates from who it purports to be from.
There has also been a massive escalation of malicious attacks, usually harmless looking emails that invite the recipient to click on what looks like a harmless link.
Clicking the link unleashes a virus that will attack the recipient’s systems, potentially causing major harm to the business.
There are now many hundreds of thousands of cases of computer misuse, hacking and malicious virus attacks reported each year.
Whilst these threats might be conveyed digitally, many need to fool a human being at some point to be effective. Every organisation should therefore run regular training for employees on how to spot fraudulent or malicious activity.
Insurers will increasingly expect this kind of training as a condition of cover. In the current climate, it is arguably negligent to not train staff properly in this regard.
The IoD conducted a survey of business leaders in December 2015 which showed that just under half provided training in cyber security for their staff.
Given the potential for commercial and reputational damage that can result from the cascading effect of a cyber attack, this is an alarmingly low figure. It shows a high degree of misplaced complacency.
Cyber security is a business “hygiene” issue. Suppliers, customers and staff are entitled to expect that a business has the necessary measures and procedures in place.
There is also a rapidly growing market for defined cyber threat insurance.
This used to be carried by a minority of companies but is now something that needs to be in place for the vast majority of businesses, especially bearing in mind that only around one per cent of respondents in the IoD survey thought their business wholly unreliant on the inter- net.
Alongside greater awareness of the threat, the other primary defensive tool in the armoury is software, with good firewalls and analytics that can pick up the bulk of fraudulent or malicious activity
There is no simple solution to the malice and dishonesty that exist in the digital world.
The price of staying ahead of these threats is eternal vigilance, insurance and up-to-date software.
By Jonathan Oxley