With data breaches at major tech firms, your Googles and your Facebooks for example, eating up all of the news coverage throughout the year, it’s easy for owners and employees of small to medium-sized enterprises (SMEs) to grow complacent. ‘They wouldn’t bother to attack little old me’, you might be thinking, but security through obscurity is no security at all. To illustrate this, let’s take a look back into the Mitigate vaults at the case of Advanced Electrical Varnishes Ltd (AEV), a Wirral-based manufacturing firm that suffered a cyber breach in 2014.
AEV ‘specialis[e] in the manufacture and supply of superior Varnishes, Resins, Compounds and insulating products, designed for Electrical and Electronic Industries worldwide.’ They have a main office in Birkenhead and branches in Spain, Italy and Malaysia, although it’s the UK branch that we are interested in today.
One of AEV’s systems had become infected with malware. As a result, when the financial controller logged into the company’s banking service, the malware altered the banking application as displayed to add an extra input field, which asked for the full PIN of the company account. The bank would never normally ask for this information, but the financial controller had no reason to be suspicious and entered the PIN.
After only three minutes, $30,000 had been sent to an account in Ukraine and €100,000 to another in Cyprus. It took four months and the assistance of a number of Members of Parliament for AEV to recover the money from their bank, which had been insisting that, by entering the PIN in contravention of the bank’s advice, the employee had breached the terms and conditions.
That this story did not have a more unhappy ending is thanks to both the persistence of its director Jonathan Kemp and all those who helped with the campaign to pressure the bank to reimburse the money, as well as the expert assistance provided to AEV in the attack’s aftermath by Mitigate, with Mr Kemp describing it as his ‘lifeline’.
The unsettling thing is that this could have happened to anybody: any employee, any company. Human error is responsible for the vast majority of cyber security incidents, and the solution can only be education and training for your staff to teach them how to detect and respond to malicious software such as the amended banking application. In addition, technical controls are a necessity to ensure that even if an employee is taken in, their impact on the business can be limited; for example, requiring that payments above a certain level be validated by another director.
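To make the last point concrete, here is an added example (not Mitigate’s or AEV’s code) of the dual-control payment check described above: any payment at or above a threshold must be approved by a second director who is not the person who raised it. The threshold, the names and the payment details are constructed for the illustration; the page gives no figure for ‘a certain level’.

```python
from dataclasses import dataclass, field

# Hypothetical policy value: payments at or above this amount need a second,
# independent approver. The page does not state AEV's or the bank's threshold.
DUAL_CONTROL_THRESHOLD = 10_000.0


class ApprovalError(Exception):
    """Raised when an approval would not satisfy the four-eyes policy."""


@dataclass
class PaymentRequest:
    payment_id: str
    amount: float
    currency: str
    destination: str          # destination account, as a label only
    requested_by: str         # person who raised the payment
    approvals: list = field(default_factory=list)


def needs_dual_control(request: PaymentRequest) -> bool:
    """True when the amount meets the threshold (threshold itself counts)."""
    return request.amount >= DUAL_CONTROL_THRESHOLD


def record_approval(request: PaymentRequest, director: str) -> None:
    """Add an approval, rejecting self-approval and duplicate approvals.

    Self-approval is the important edge case: if the requester could also
    approve, a single compromised user (or a single deceived employee, as in
    the AEV case) could release the funds alone.
    """
    if director == request.requested_by:
        raise ApprovalError(f"{director} cannot approve their own payment {request.payment_id}")
    if director in request.approvals:
        raise ApprovalError(f"{director} has already approved {request.payment_id}")
    request.approvals.append(director)


def may_release(request: PaymentRequest) -> bool:
    """Decide whether the payment may be released under the policy."""
    if not needs_dual_control(request):
        return True
    independent = [d for d in request.approvals if d != request.requested_by]
    return len(independent) >= 1


def release(request: PaymentRequest) -> str:
    """Release the payment or refuse; returns a short audit-log style line."""
    if not may_release(request):
        return (f"REFUSED {request.payment_id}: {request.amount:.2f} {request.currency} "
                f"to {request.destination} requires a second director's approval")
    return (f"RELEASED {request.payment_id}: {request.amount:.2f} {request.currency} "
            f"to {request.destination}, approvals={request.approvals}")


def demo() -> dict:
    """Walk a large payment through the policy; constructed sample data."""
    large = PaymentRequest("PAY-001", 30_000.0, "USD", "constructed-account-A",
                           requested_by="financial.controller")
    small = PaymentRequest("PAY-002", 450.0, "GBP", "constructed-supplier",
                           requested_by="financial.controller")
    results = {"large_before": release(large), "small": release(small)}
    try:
        record_approval(large, "financial.controller")   # self-approval must fail
        results["self_approval"] = "allowed"
    except ApprovalError as exc:
        results["self_approval"] = str(exc)
    record_approval(large, "director.kemp")              # independent approver
    results["large_after"] = release(large)
    return results


if __name__ == "__main__":
    for key, line in demo().items():
        print(f"{key}: {line}")
```

The check lives in code, not in the employee’s judgement: even if the person raising the payment has been deceived by an altered banking page, the transfer cannot leave the business until someone else has looked at it.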
Mitigate comes with a suite of Cyber Essentials-, ISO 27001- and GDPR-compliant default policies and e-learning training for employees on a range of security topics, including BYOD, helping to ensure that your employees are informed and know how to keep both themselves and your company safe from cyber attacks, no matter your size. For more information, get in touch at 0333 323 3981 or [email protected] today.