ICAEW.com works better with JavaScript enabled.

Cyber: your personal accounts could be arming cyber criminals

Author: ICAEW Insights

Published: 18 Oct 2024

Cyber Security Awareness Month: Attendees at ICAEW’s annual cyber lecture learned about the government’s moves to tackle cybercrime, and how personal digital footprints can leave businesses vulnerable.

There is a growing threat from cyber criminals and nation state actors for businesses of all sizes. In the last 12 months in the UK, a third of charities, half of primary schools, half of businesses, almost three-quarters of secondary schools, and almost every single higher education institute has been subject to a cyber breach or cyber attack of some kind. More than seven million online fraud and cybercrime offences took place against businesses in the same period. 

That’s according to Rod Latham, Director for Cyber Security and Digital Identity at the Department for Science, Innovation and Technology (DSIT). 

He was the first speaker at ICAEW’s annual cyber lecture, which took place on 7 October. The event aims to raise the bar on cyber security, in line with ICAEW’s public interest remit. This year, the theme was on the vulnerabilities of individuals’ online footprints, and how criminals use technology to exploit them.

As a senior civil servant, Latham is responsible for delivering the government’s plan to tackle cybercrime. “We’re out there pursuing and trying to disrupt cyber criminals, but our response cannot be a purely reactive one,” he said. “We need to be proactive, multi-layered and working across all of society.”

The Cyber Security and Resilience Bill was announced in the King’s Speech in July, to address some shortfalls in the regulations. For example, the current regulations cover only operators and not supply chains; smaller and less well protected organisations are often a route for criminals to attack larger organisations. Latham cited the example of Synnovis, a pathology laboratory that suffered a data breach, which allowed the attackers to disrupt London hospitals.

“Our new legislation will bring managed IT service providers into the scope of the existing regulations,” he said.

Alongside that, the government has designated data centres as critical national infrastructure (CNI). “That means that data centres, both physical centres themselves and operators, will have the same level of enhanced protection that other CNI has. For example, the telecommunications and energy sectors.”

The government is also working on a code of practice for cyber governance, setting out critical governance areas that directors need to be able to protect within their organisations. “We’re trying to make this easy for businesses and organisations, with relevant information gathered in one place.”

Latham also highlighted the important role that ICAEW members can play in influencing the organisations they work with to ensure that they take cyber security seriously. “You are in a unique position to influence the organisations you work with and to impress upon them the benefits and importance of cyber security.”

Ben Owen, an expert in covert operations, surveillance and online investigations who worked on the British, US and Australian versions of the TV show ‘Hunted’, then explained how cyber criminals use individuals’ digital footprints to find routes into businesses. “They're going for the people in the businesses – ie, you and your staff, whoever works in the business – because it’s the lane of least resistance.”

Businesses of all sizes are for the most part targeted for financial gain, Owen explained. For that reason, attackers are going to look for the easiest ways to get into systems, and often that involves people. “Hacking is really a human being hacking another human being’s brain. Take the technical part of it out of the way, and they’re tricking you into doing something that you wouldn’t otherwise do.”

He cited an attack on LastPass, in which an employee’s home computer was hacked. Training often revolves around the points of entry for a hack, but critically, the reconnaissance phase of the hack is often not discussed, which leaves vulnerabilities exposed. 

“A hacker doesn’t just target you for the sake of it; they’re targeting you for a reason. And they don’t just select you out of thin air. They do some online reconnaissance. And again, they do that reconnaissance on your personal digital footprints:your LinkedIn account, your Twitter/X, everything about you online.”

The more present you are online, the more you’re arming hackers, but it doesn’t take much for criminals to find a way in. Owen tells the story of a large energy company that challenged Owen’s team to break into the system through the personal footprints of executives. 

They targeted the CIO, who had tried to limit his digital footprint. Using his email address and location on LinkedIn, they used free software to find other personal details, which in turn led to all of his online accounts. In the end, they used a Google review of a restaurant to fool him with a fake discount voucher.

“Hackers are getting really good at understanding the human brain and the human element of the hack, because they want you to do that thing you wouldn’t otherwise ordinarily do,” he said. “They want you to believe that approach. And again, it goes back to reconnaissance. The more you have as an individual online, the easier you’re making it for the hacker.”

Owen also warned against insider threats; an Australian digital tech company was hacked by a Turkish gang, who hired someone to get a job at the company and hack them from within. This is sometimes driven by blackmail; another Australian business found that one of their employees had joined Adult Friend Finder using his work email. This leaves them vulnerable to blackmail. 

Businesses can protect themselves by doing digital vulnerability assessments on everyone in the business; determine what accounts you need and which you don’t. Get rid of the ones you don’t, and lock down the ones you do by using more email addresses for fewer accounts. 

Use multi-factor authentication and take a ‘tactical pause’ before acting when contacted out of the blue or asked to do something urgent. Use password managers and consider using VPNs – but do your research to ensure that the VPN provider is secure. 

“We really need to focus on your personal digital environments,” he concluded. “From there, that will make your businesses safer.”

 

Latest cyber security articles

Further resources

Resources
Cyber Security Awareness month 2023
Cyber security awarness

Each year ICAEW marks Global Cyber Security Awareness month with dedicated resources to help you know what to do when a cyber attack happens.

Browse resources
ICAEW Community
Data visualisation on a smartphone
Data Analytics

Helping finance professionals develop the advanced data analytics and visualisation skills needed to succeed in this insight-driven era.

Find out more
ICAEW support
A person holding  a tablet device displaying various graphs
Training and events

Browse upcoming and on-demand ICAEW events and webinars focused on making the most of the latest technologies.

Events and webinars A-Z of CPD courses
Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250