Scammers don’t just target big companies, it’s small business too! In the press you hear all the big numbers from big events – WannaCry – 250,000 computers globally and parts of the UK’s NHS, HBO’s Game of Hacks – HBO lost data and new releases, NotPetya – Maersk was one of the biggest headlines, Facebook and Google fall for Targeted $100 million Phishing attack, THE Equifax Breach, 3,000,000,000 Yahoo’s and this is just a few from 2017.

Behind these large headline grabbing events are the many micro and small businesses that are also being attacked. Its not true that hackers only go after large businesses. Scammers and Hackers throw a wide net and small businesses are falling into their traps.

For small business security is often not a high priority and many companies don’t have the skills to avoid scammers. For this reason they are often caught up in the scams and attacks and are vulnerable to loosing data, suffering financial loss or worse reputation damage.

Most cyber-attacks start with phishing, this is a technique where a hacker will try to trick you into giving away sensitive information that will allow them to break into your accounts.

Phishing attacks usually come via email, often disguised as something legitimate – the use of the Tax office is a common attack or, recently, mass attack where hackers sent out fake Uber receipts, with a link at the bottom to a bogus complaints website. These emails looked genuine, the hacker is trying to get you to click on something and when you do….. you give the hackers access to your system.

So how can you tell the fake emails from the real ones? The first thing is to be aware, know that it can happen to you and your company. It can be tricky to see, but these are the top tips.

1. Don’t click links blindly – think before you click. Use your mouse to hover over the link, this will show you the URL. If that doesn’t match up to the URL you’re expecting, then delete the email.
2. Treat emails with attachments with suspicion. Attachments are used to down load packets on to your machine. If you receive an attachment that you’re not expecting and you don’t recognise the sender, it could well be a phishing attempt. Delete.
3. Again on attachments – sometimes you can be asked to “enable macros” when you open it. Don’t, unless you know the person and it is from their business email.
4. If you’re in any doubt about the legitimacy of an email, don’t open any attachments from it or click any links. Always check with the person – using a NEW clean email or phone – replying to dodgy emails might be playing right into the phisher’s hands.

Recently, well for the past 3 years or so, there has been an increasing focus on the insurance industry to change and for users to have simplified processes. This focus is even more apparent to enable shared economy insurance and Gig worker or freelancer insurance to work. The pressure has been put on the existing players in the industry to shake up and start to work out how to build tailored insurance policies that are fit for purpose in this new shared and gig world of work. Progress? Right now, it’s just hard!

This difficulty is starting to allow new companies to come in and threaten the existing players. This is a good thing and we are seeing the industry embracing these new companies and accepting them.

This was all looking like an interesting play for the likes of Google and Facebook. That is until you hear that Facebook now have said that most of its 2 billion users could have had their data accessed improperly, giving fresh evidence of the ways the social-media giant failed to protect people’s privacy while generating billions of dollars in revenue from the information.

These companies want to do everything (books, to travel; insurance to home cleaning) and use their power over the data to exploit their users. But now we see the cost.

“What we didn’t do until recently and what we are doing now is just take a broader view looking to be more restrictive in ways data could be misused. We also didn’t build our operations fast enough — and that’s on me.”

Sheryl Sandberg, COO Facebook

Their focus is on ‘customer experience’ and sucking every business income stream into their machine. Google and Facebook use AI and machine learning to read data and monitor your usage of their technology to serve you up what they think you need and what’s profitable for them. This data usage has been abused to drive revenue to match their huge future focused valuations.

The new InsurTech / FinTech start-ups are focused on ‘customer experience’ too. This is defined by cutting down questions to a minimum, using ‘social’ data to fill in the blanks to give you a quote for insurance or a loan. These companies use customers social media, third party apps and other accounts to gain information to provide quotes and service with minimum input from the user. But what data is being used and who checks this? And do we ever read the small print?

Is this acceptable? Is complying with new data protection rules enough? Or is it time to take back your data?

When I ask data professionals about taking back your data they shrug and say it’s out there already, so what’s the point. I disagree with this and think now is the time to take a stand and we should stop accepting that companies have a free flow use to your data and just scrape and access data for on the back of providing customer experience.

For example, Facebook’s search tool to find other people, now disabled, has been used to scrape public profile information, and now Facebook have said “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.” They just noticed this? This was a feature built into Facebook for customer experience.

It’s interesting that Facebooks main defence from Mark Zuckerburg is:

“We didn’t take a broad enough view of what our responsibility was and that was a huge mistake.”

These new young, keen, naïve, start-up companies who want to take over the world live in their own created bubbles – thinking everyone is like them, that they know what an ‘experience’ is and that everyone wants to know who joined, who could be a friend, who’s got a new job, who your friend is dating, etc and allowing this free use of data to create value, not for the user, but the company. This practice is in DNA of these companies, exploiting date is a core theme. It’s the route to their value.

Having worked in the very often slow and frustratingly compliant world of insurance I can say exploiting data is not at its core, risk management is. Hence the customer experience is very very poor for most insurance interaction. It is no wonder that the Insurtech focus has been on ‘experience’ as their main ‘disruption tool’. But at what cost, and shouldn’t the user want to know what data is being consumed to give their quote?

There needs to be a balance between using ‘social’ data and re-modelling the insurance. Real work needs to be done on the very fabric of the way insurance works for the shared economy and gig economy insurance to make the whole experience work. Not just the buying of insurance but the whole process – end to end. Even where the policy lasts only one night or one hour. It’s not about scraping data and using social accounts its about real work dismantling the policies and the process to give insurance focused processes and to show the customer what data is used and how this impacts risk management in the event of a claim.

2018 has kicked off not so well with the outing of basic flaws in the worlds core technology. Spectre and Meltdown show new threats to companies building complex machines and systems to run our lives and upon which we are encouraged to become more and more dependent.

The issues allowing Spectre and Meltdown are built into the basic design of the systems, meaning that these vulnerabilities bypass our software security measures. It is not just desktops or your laptop or only at work, it’s the whole system – mobile, cloud, IoT, servers, tablets…all technology.

Why were these now seemingly basic flaws not noticed years ago?

Our computer systems are growing in complexity and with more and more layers and interaction, the complexity is outstripping our ability to fully understand how it all works. The systems are built to rules and standards that have not been security tested as a whole. Add this to that, put in one of those, add some software, connect to a router, voice enabled and with none of these devices and systems being tested for security from the ground up in design. They are all built to the same standards and using standard components

As we use this complex technology and leave it online, connected into new and old systems, they are providing a tempting target for hackers. This target will be further complicated and expanded with the growth of the Internet of Things (IoT), as we build capabilities into all our devices, tools, home appliances, cloths and garden furniture, all in the name of making our lives easier. With this ‘ease’ comes ever more complexity and as it turns out higher risks.

Market researcher IHS Technology estimates the number of devices using IoT technology will reach 53 billion by 2020, and this is early days – just like the spread of electric power in the 1800’s, the spread of IoT and AI is only just starting.

With this growth so goes the exponential growth in cyber-attacks. Not only attacks of a more traditional nature but now we are to contend with attacks that cannot not be fully detected as the ‘security hole’ being exploited was built into the base design of the computers and systems.

This is the basis of the Meltdown and Spectre attacks which come from combining unrelated design features that were thought to be well understood. Computer science 101 if you like. The attack was not via one individual system or but through the interaction between them, the complexity that humans think they know, but don’t. Its outside our capabilities or understanding.

It’s a bit like Move 39……

The move occurred in a Go match between AlphaGo and Lee Sedol, one of the world’s top players, in 2016. As he approached the match series he was confident. He lost the first match, but he thought he knew why. In the second match we got to move 39 played by AlphaGo. The move perplexed not only Lee but all the commentators saying they would not have played the move, many thought it was a mistake. This was outside the collective expert’s knowledge. It was highly unlikely that any human would have played the move.

However, it was this move that caused the loss of the game. In review afterwards Lee Sedol said that he now has a new understanding of the game of Go through these matches with AlphaGo and respect of the machine. After playing, and losing to Alpha Go, he went on to win more and more games with this new understanding.

Go, a game played by millions, and for centuries, has been given new insights by a machine. This same reasoning should be applied to our security world, developing new mathematical models that will understand the complexity and show us Move 39 before it hits us hard.

Machines see the world differently to us. A machine, like AlphaGo, can see many more moves than any human. New machines need to look at our complex world and model our security in partnership with humans.

When the founders of MIC Global first met in 1999 they were focused on understanding the emerging cyber threats that were starting to swirl around the internet and internet based businesses. They became busy building insurance products to help businesses manage these risks.

Since then they have seen the sophistication and number of attacks grow massively with numbers of affected accounts per attack grow to staggering levels. Back in 2000 it would have been almost unbelievable that a single attack could affect over 3 Billion accounts as the 2013 Yahoo case has now finally highlighted. It is also still hard to understand why it took Yahoo so long actually discover the attack. They are meant to have employed the best brains after all.

However, if we look at how our homes and businesses have changed over the past 20 years perhaps we can start to understand this. These changes have drifted into our lives through small incremental steps that have almost gone un-noticed and yet have managed to deliver mind boggling change. How can we or anyone keep up?

Is this the underlying issue that we don’t deal with, keeping up with these small changes and never adding up the true impact?

The sum total of these changes today has completely turned upside down and inside out the way many people run their lives and how small businesses communicate and do business.

We Google everything; Facebook our lives; Uber ourselves home; Stay on airbeds in stranger’s homes; You Tube anything; WhatsApp instead of phoning; Open Online accounts for everything from banking to accountancy to TV to car hire, Have Virtual Assistance for all things useful that we have hired a person for in 1999; Booking a cleaner online and being worried about every review; As for cars, Self-driving cars and trucks are here. The list is endless, and people say its only just started.

Today, as in 1999, we are being asked to ‘Trust’ these new companies as they build the new economies around us. However, the levels of security the companies offer us don’t seem to have changed much.

When we read the scary reports about cyber-attacks nothing much changes in terms of the advice we are given about what we are meant to do to secure our online world; Strong Passwords; Back up everything; Anti-virus software; Firewalls. And finally, Don’t Clink on a Link Unless You Know Where its From – TRUST Nothing, yet trust the new company?

This was the advice 20 years ago and it’s not changed despite everything about the internet getting more complicated and its penetration into our lives going exponential.

Why has nothing seemed to have changed?

A recent survey by Netwrix pointed to the most common reason people and businesses are not so sure about their ability to combat information security threats, these being 1. Lack of budget 2. Lack of time 3. Insufficient training. Or, in other words, we are only human, and we are the weakest link, we are the ones who do nothing.

But if businesses do nothing then, as we hear every day, the consequences can be catastrophic, not just for your business but also for the people you do business for and with.