Cyber security and resilience research

RobC101

Free Member
Feb 8, 2022
Hello everyone!

I am a mature student at university, and my dissertation project is researching businesses and cybercrime. The Police offer advice and basic training in this area but struggle to engage with businesses, and I am investigating the potential factors behind this. The core of my research surrounds micro and small-sized enterprises, but I am interested in responses from any size of business. I would be grateful if you would be kind enough to complete my anonymous online survey (should take about 5-10 minutes):

https://angliaruskin.onlinesurveys.ac.uk/failing-to-engage-investigating-micro-and-small-enterpris

The first page of the survey contains participant information and a question just asking you to agree to take part. This research has been approved by my university's ethics board, and asking for your consent to complete the survey is part of this even though it is anonymous.

Thank you for any help on this, especially as I appreciate you may have had similar requests for dissertation research help in the past. It is much appreciated!

Robert
 

fisicx

Moderator
Sep 12, 2006
Whole bunch of questions there that either don't apply or had insufficient options.

The whole starting point was wrong. It assumes the whole business is at the same level of risk.

Ozzy

Founder of UKBF
UKBF Staff
Feb 9, 2003

For my business the questions were quick and easy to answer; but I feel you're missing the real reason why business doesn't turn to the police for issues relating to cyber crime.
I used to sit on the regional cyber crime forum in my area run by the PCC, and left because I lost faith in it.
My firm uncovered a WhatsApp phishing scam, and managed to identify where the criminals were storing all the bank and credit card details of their victims. In plain text on the web for anyone to access.

We reported that to the police. Nothing happened.
I raised it at the next cyber crime forum with the Police & Crime Commissioner. Again nothing happened.
The following month and the next cyber crime forum, I highlighted that the scam was still running and that thousands of victims' bank details were still being stored in a plain text file on the web for all to see. Again nothing happened.

However, someone at the forum worked for UK Finance and spoke to me after, and UK Finance manually every day accessed this file to retrieve the bank details of victims and deal with the banks to protect the accounts - for three months until the police finally got the site taken down.

The issue, of which this is just one example I have personally experienced, is that the police are ill-equipped and under-resourced to handle any cyber crime. This is also confirmed in the Treasury Committee's report on economic crime, and the Home Office's own comments in that report.

I think that would be worth you reading as part of your research.

RobC101

Free Member
Feb 8, 2022

> Whole bunch of questions there that either don't apply or had insufficient options.
>
> The whole starting point was wrong. It assumes the whole business is at the same level of risk.

Thank you for the feedback. Regarding the insufficient options, which question/section were you thinking about in case I can amend anything (although not sure how that plays out with responses already received)?

With regard to an assumption about level of risk, I am not sure I agree (although I realise I may be too close to the questionnaire, and am blind to it). Different functions/departments within a business may be at different levels of risk to each other, but this research is just looking at the business as a whole. Because of this, I guess there is an assumption that most businesses will have some degree of risk, however small, as few businesses will operate 100% on paper. And if there is a risk, has the business ever sought or been offered advice, even if it is of a basic how to spot phishing email/messages type of thing?

As I say, I may just be too close to it. I do appreciate you responding to the survey and providing the feedback.

RobC101

Free Member
Feb 8, 2022

> For my business the questions were quick and easy to answer; but I feel you're missing the real reason why business doesn't turn to the police for issues relating to cyber crime.
> I used to sit on the regional cyber crime forum in my area run by the PCC, and left because I lost faith in it.
> My firm uncovered a WhatsApp phishing scam, and managed to identify where the criminals were storing all the bank and credit card details of their victims. In plain text on the web for anyone to access.
>
> We reported that to the police. Nothing happened.
> I raised it at the next cyber crime forum with the Police & Crime Commissioner. Again nothing happened.
> The following month and the next cyber crime forum, I highlighted that the scam was still running and that thousands of victims' bank details were still being stored in a plain text file on the web for all to see. Again nothing happened.
>
> However, someone at the forum worked for UK Finance and spoke to me after, and UK Finance manually every day accessed this file to retrieve the bank details of victims and deal with the banks to protect the accounts - for three months until the police finally got the site taken down.
>
> The issue, of which this is just one example I have personally experienced, is that the police are ill-equipped and under-resourced to handle any cyber crime. This is also confirmed in the Treasury Committee's report on economic crime, and the Home Office's own comments in that report.
>
> I think that would be worth you reading as part of your research.

Thanks for the in-depth response, Ozzy, it is much appreciated. Your WhatsApp phishing scam example makes for a disappointing read. I will certainly take on board your comments and read the report that you suggest.

UKSBD

Moderator
Dec 30, 2005

> My firm uncovered a WhatsApp phishing scam, and managed to identify where the criminals were storing all the bank and credit card details of their victims. In plain text on the web for anyone to access.

There was a security guy on the Elis & Jon show on BBC 5 Live on Friday talking about similar.

He told a story of how stupid the criminals are sometimes.

One lot were doing everything encrypted on WhatsApp but didn't really know what they were doing, so just took screenshots and then texted them to each other.

RobC101

Free Member
Feb 8, 2022

> There was a security guy on the Elis & Jon show on BBC 5 Live on Friday talking about similar.
>
> He told a story of how stupid the criminals are sometimes.
>
> One lot were doing everything encrypted on WhatsApp but didn't really know what they were doing, so just took screenshots and then texted them to each other.

Wow! Thanks, I'll head off to BBC Sounds for a listen!

fisicx

Moderator
Sep 12, 2006

A lot of the problem was the yes/no options when I wanted to answer 'it depends' or 'agree in part'.

For example a small business may have a website that gets hacked. Low level issue as a backup can usually be restored. They might have a client portal which needs to be a bit more secure. They might have a business network where a phishing email gets through the net. It's been reported that even after training people still click on links in emails. They may have an operations system. This could be subject to a ransomware attack. Considering how sophisticated criminals are I doubt a visit from plod suggesting passwords and backups is going to achieve very much.

There are way too many variables to give meaningful answers to the questions. And even less chance the training and advice is going to prevent the determined attacker getting through the levels of protection you have.

RobC101

Free Member
Feb 8, 2022

> A lot of the problem was the yes/no options when I wanted to answer 'it depends' or 'agree in part'.
>
> For example a small business may have a website that gets hacked. Low level issue as a backup can usually be restored. They might have a client portal which needs to be a bit more secure. They might have a business network where a phishing email gets through the net. It's been reported that even after training people still click on links in emails. They may have an operations system. This could be subject to a ransomware attack. Considering how sophisticated criminals are I doubt a visit from plod suggesting passwords and backups is going to achieve very much.
>
> There are way too many variables to give meaningful answers to the questions. And even less chance the training and advice is going to prevent the determined attacker getting through the levels of protection you have.

Ok, thanks for the explanation, I think I see what you are saying.
