In the UK, 88% of data breaches reported to the Information Commissioner’s Office (ICO) are caused by human error. The most common mistake is sending information to the wrong person. The number one culprit? Email. So what do you do? Peter Matthews, CEO of Metro Communications, knows what to do.

CFOs should not ignore the potential impact of such breaches on a company’s finances and reputation. Research for IBM suggests that the average cost of a data breach in the UK rose to £2.7m in 2018, with health, financial and service sectors most likely to experience breaches.

Few FDs would claim to be immune to accidental data transfer via email. So, what can you do if you inadvertently send a confidential message to the wrong person?

1. Recall or ‘unsend’ it

Email services offer different ways to cancel sent messages. In Outlook it is possible to recall and then delete an email providing it hasn’t been opened by the recipient. Gmail allows you to delay messages from leaving your outbox. If a sensitive email has been sent to a fellow employee then your IT department should be able to delete it, if they are informed fast enough.

2. Contact the recipient

Get in touch with the recipient as soon as you notice the mistake and ask them to delete the email without reading or sharing it. Request that they email you to confirm they’ve done so. Log the incident in a ‘cyber accident book’.

3. Report and act quickly

Report the incident internally and ensure it’s followed through to its conclusion. An employee of SSE Energy who sent a sensitive email in error promptly reported it in accordance with the company’s policies and procedures. However, SSE’s failure to notify the commissioner in a timely manner led to a £1,000 fine and negative publicity. The regulations have since been amended so that directors, managers and company secretaries can be fined up to £500,000.

4. Inform and advise customers

Good customer service goes a long way. Boeing was mocked for failing to use its own data protection software to prevent an accidental breach which compromised the personal data of 36,000 customers. But it was applauded for informing customers about the nature of the incident, taking action to ensure files were deleted, and giving detailed advice about how customers could check their personal data wasn’t being misused.

5. Notify the regulator, if necessary

Inform the regulator within 72 hours if you believe there’s a risk to customers. Even where you don’t feel an incident is notifiable, it is still worth recording, internally. This will help you review incidents as part of a health check and if you ever have to demonstrate regulatory compliance it could prove invaluable.

Once you’ve contained the incident, revisit your strategy and consider the need for other forms of action such as staff training, policy reviews, access rights, restrictive covenants and encryption. Data classification that ‘weights’ the sensitivity of each file and document on your company’s drive and then links highly confidential information to a closed group of authorised recipients, with blocks on copying such information onto memory sticks, can be helpful. Preventative tools like this make it difficult to email the wrong data to the wrong person and they also log user behaviour, flagging up employees who try to reclassify data so they can send it out of the business.
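The data-classification control described above can be expressed as a simple outbound-mail policy check. This is an added example, not Metro Communications' or Finance Monthly's code; the labels, the authorised group, the internal domain and the file registry are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Sensitivity labels in ascending order; the order drives the downgrade check.
LEVELS = ["public", "internal", "confidential", "highly_confidential"]
INTERNAL_DOMAIN = "example.com"                      # constructed
# Constructed registry of labelled files and the closed group cleared for the top label.
CLASSIFICATION = {
    "q3-forecast.xlsx": "highly_confidential",
    "staff-handbook.pdf": "internal",
    "press-release.docx": "public",
}
AUTHORISED_GROUP = {"cfo@example.com", "fd@example.com"}


def permitted(label, addr):
    """Is a single recipient allowed to receive a file carrying this label?"""
    if label == "highly_confidential":
        return addr in AUTHORISED_GROUP
    if label in ("confidential", "internal"):
        return addr.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN
    return True


@dataclass
class Verdict:
    allowed: bool = True
    reasons: list = field(default_factory=list)


def check_outbound(sender, recipients, attachments, relabel=None):
    """Decide whether a message may leave and record every reason it may not.
    relabel maps file -> label the sender tried to apply just before sending."""
    verdict, relabel = Verdict(), relabel or {}
    for name in attachments:
        label = CLASSIFICATION.get(name, "confidential")   # unlabelled files stay in-house
        # An attempt to downgrade a label is itself logged, as the text describes.
        if name in relabel and LEVELS.index(relabel[name]) < LEVELS.index(label):
            verdict.allowed = False
            verdict.reasons.append(f"{sender} tried to reclassify {name} {label}->{relabel[name]}")
        blocked = sorted(r for r in recipients if not permitted(label, r))
        if blocked:
            verdict.allowed = False
            verdict.reasons.append(f"{name} ({label}) may not be sent to {', '.join(blocked)}")
    return verdict
```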

The law doesn’t distinguish between deliberate and accidental breaches, so don’t expect a discount on fines for damaging disclosures caused by an honest mistake, and don’t be surprised to find lawyers queuing up to help those whose financial, personal or health data has been incorrectly transferred.

But let’s look at it positively. Employee error is a significant contributor to data loss, but it is easier to prevent and generally takes less time to control than a malicious hack. Indeed, many accidental incidents can be contained or even prevented by steps so simple that everyone should be taking them. However, if you’ve decided you want to take a ‘belt and breaches’ approach then it’s time to trust yourself less. Preventative measures such as data classification will ensure you send that sinking feeling to your deleted folder once and for all.

In 2017 anti-phishing technologies detected over 246 million user attempts to visit different kinds of phishing pages. Of those, over 53% were attempts to visit a financial-related website – 6 percentage points higher compared to data from 2016. This is the first time since recording phishing attempts that figures have reached over 50%, according to analysis of the financial threat landscape by Kaspersky Lab.

Financial phishing attacks are fraudulent messages which link to copycat websites that appear legitimate. They aim to gain users’ credentials for banking and credit accounts, and data to access online banking or money transfer accounts – all for the purpose of stealing the victims’ money afterwards. With 53% of phishing attacks taking this form, more than every second attack across the world is looking to steal a victim’s money.

In 2017 the share of all financial phishing categories – attacks against banks, payment systems and e-shops – grew by 1.2, 4.3, and 0.8 percentage points respectively and made up the top 3 categories in overall phishing attacks detected – for the first time.

Figure: The distribution of different types of financial phishing detected by Kaspersky Lab in 2017

Moreover, attacks related to the global internet portal category – which includes global search engines, social networks, etc. – fell from the second place in 2016 to fourth position in 2017 with a decrease in share of more than 13 percentage points. This shows that criminals show less interest in stealing these types of accounts and are now focusing on accessing money directly.

The data also shows that Mac users are in increasing danger. Contrary to popular belief about the security of Mac devices, 31.38% of phishing attacks in 2016 against users of the platform were aimed at stealing financial data. The share peaked in 2017, reaching 55.6%.

“The increased focus of cyber criminals to conduct financial phishing attacks means users need to remain extra vigilant. To get to grips with our money, fraudsters are constantly looking for new methods and techniques to catch us out. We need to be just as determined to not let them succeed, by constantly investing in cyber literacy,” said Nadezhda Demidova, lead web content analyst at Kaspersky Lab.

In order to protect themselves from phishing, Kaspersky Lab experts advise users to take the following measures:

(Source: Kaspersky Lab)

Here Charlie Abrahams, Senior Vice President of MarkMonitor, a brand of Clarivate Analytics, discusses with Finance Monthly the problems behind cybercrime, in particular phishing and fraud.

While internet commerce has enjoyed exponential growth over the past 15 years, it has also created a significant opportunity for bad actors to indulge in cybercrime. It not only affects a brand’s revenue stream, but more importantly its reputation. As a result, organisations are investing in brand protection technology and processes – not just to prevent brand abuse and counterfeiting, but also prevent other forms of cybercrime. Keeping your intellectual property safe requires a multi-layered approach, regardless of the size of the business or the type of information you hold.

While it’s true that cyber criminals are targeting all industries, the financial services industry is particularly at risk. Firms within this sector have many high-value assets that make them an attractive target for cyber criminals — including significant intellectual property relating to their business processes and transactions, as well as financial records and customer data. Financial services companies stand to lose a lot more than money should cyber criminals be successful. Brand reputation would suffer, customer trust would be irrevocably damaged, and there may well be wider consequences such as fines from financial regulation bodies, especially with the deadline for compliance with the new European Union General Data Protection Regulation (GDPR) fast approaching. As a result, the financial services segment is one of the biggest buyers of enterprise security technology.

However, all that investment in enterprise security technology offers no protection against one of the most popular methods cyber criminals use to exploit financial firms: phishing. The reason is that phishing attacks don’t target the enterprise itself but its consumers directly, and this is where brand protection technology comes in. Phishing has been around in some form for decades and is essentially an email — sent from what appears to be a legitimate source — asking for personal information, such as login details, passwords and payment card details.

Over the years, phishers have evolved in the way they carry out their cyberattacks. They are creating phishing websites to collect passwords, conduct identity theft schemes and carry out online advertising scams. Despite being a relatively low-tech method of cyberattack, it remains one of the most effective. Research conducted by a German university found that 78% of respondents admitted to opening unknown emails and clicking the links within, despite also claiming that they were aware of the dangers of phishing. This shows there is still work to be done in raising awareness around how to avoid being caught out by these cyber criminals.

Given the continually threatening nature of phishing, protecting and proactively defending organisations has never been more important within the financial services industry.

The first crucial step for businesses is to be fully prepared and adopt a ‘when’ rather than an ‘if’ approach, with the aim of preventing the attacks in advance. For example, organisations can set up early warning systems alerting them to new domain registrations — ones that may misleadingly read like their brand name and may be used to host malicious content targeting that brand — before they impact their customers.
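The early-warning idea above, applied to a new-registration feed, as an added example that is not MarkMonitor's or Finance Monthly's code. The brand label, the feed entries and the confusable-character table are constructed; the check folds punycode and look-alike characters before comparing each registrable label to the brand by exact, substring and edit-similarity matching.

```python
import unicodedata
from difflib import SequenceMatcher

BRAND = "examplebank"   # the protected brand label; constructed

# Constructed stand-in for a daily new-registration feed (the IDN entry is built at runtime).
NEW_DOMAINS = [
    "weather-today.org", "examp1ebank-login.com", "exarnplebank.net",
    "examplebnak.com", "examplebank.support",
    "exämplebank.com".encode("idna").decode("ascii"),
]

# Visually confusable sequences folded to their ASCII look-alike; multi-char entries first.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(label):
    """Fold punycode, accented and confusable characters to plain lowercase ASCII."""
    try:
        label = label.encode("ascii").decode("idna")    # xn-- label -> unicode
    except UnicodeError:
        pass
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def assess(domain, brand=BRAND, threshold=0.85):
    """Return (reasons, similarity) for a domain's registrable label; the TLD is ignored."""
    raw = domain.split(".")[0].lower()
    label = normalise(raw)
    sim = round(SequenceMatcher(None, label, brand).ratio(), 2)
    reasons = ["confusable-chars"] if label != raw else []
    if label == brand:
        reasons.append("exact-brand")
    elif brand in label:
        reasons.append("contains-brand")
    elif sim >= threshold:
        reasons.append("near-match")      # e.g. transposed or dropped letters
    return reasons, sim


def early_warning(feed, brand=BRAND):
    """Reduce a registration feed to the entries an analyst should look at."""
    alerts = {}
    for domain in feed:
        reasons, sim = assess(domain, brand)
        if reasons:
            alerts[domain] = (reasons, sim)
    return alerts
```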

Fraudulent activity can also be detected using the right intelligence, as well as proactively monitoring and analysing key intelligence sources to detect phishing and malware activity across email and other digital channels. Fintech businesses need to shut down or restrict access to phishing sites, and should consider partnering with an anti-fraud (brand protection) vendor to share their phishing alerts with Internet Service Providers (ISPs), browsers, email providers and security vendors, helping them block malicious sites at the Internet gateway.

Lastly, all businesses — not just those within the fintech sector — should draw up an online brand protection strategy, which outlines the actions that should be taken in the instance of any particular cyberattack, including phishing. A brand protection strategy essentially means that you’re covered and ready to counter any of these infringement acts should they ever happen. Without a strategy, businesses are likely to either make snap decisions that might harm the brand, or spend precious time considering the multiple options available, by which time the damage has been done.

In this day and age, companies, regardless of the industry in which they operate, simply cannot afford to leave themselves vulnerable to phishing attacks. The risks are simply too great, and as public awareness of such cyberattacks continues to increase, the reputational damage that comes as a result is only likely to get worse. Therefore, brands must be more proactive in fighting the cyber threat, while each business should be backed up by a comprehensive brand protection strategy.

© 2024 Finance Monthly - All Rights Reserved.