Closing the Net on cyber criminals

Already troubled ENRC's computer systems were hacked this week after the theft of a laptop. The incident underlines the need for businesses large and small to beef up security
Click to follow
The Independent Online

It goes from bad to worse for Eurasian Natural Resources Corporation (ENRC), a miner once memorably dubbed "more Soviet than City" by an ousted independent director. The group, currently battling to fend off a takeover proposal from rival miner Kazakhmys and its own billionaire founders, yesterday became one of the highest-profile businesses to publicly admit it had been hacked.

The theft of a laptop during a burglary was followed by an "intrusion" into the group's systems. In a statement to the London Stock Exchange, the company said it was upgrading security and had offered employees affected by the raid identity protection.

The hack comes just days after the Federation of Small Businesses warned that the cost of cyber crime to its 200,000 members was running at almost £800m annually, or £3,750 for every small business. A startling 41 per cent of the organisation's member companies have become victims of some form of cyber crime.

It appears the ENRC issue is a relatively straightforward crime incident, as opposed to something potentially more sinister. The stock market announcement is understood to have been motivated by a desire to be seen as whiter than white, given that the company is in the midst of a takeover battle while also facing an investigation by the Serious Fraud Office.

All the same, experts warn that a company like ENRC is just the sort of enterprise that will be in the sights of more dangerous parties than, to coin a phrase, ordinary decent (cyber) criminals.

Alex Fidgen, director at MWR InfoSecurity, which helps companies combat cyber attacks, says: "ENRC specialises in mining and producing the commodities underpinning the growth of developing countries. It is therefore of huge interest to countries like China and India, for example. The fact is, they are exactly the sort of company that would be the prime target for an attack."

State-sponsored cyber-snooping, and more aggressive activities, are on the rise, and are worrying the governments of developed, Western economies, including the British Government. Its own figures show that 93 per cent of large corporations and 76 per cent of small ones have reported a cyber breach in the past year. On average, more than 33,000 malicious emails are blocked by the Government Secure intranet (GSi) every month. These are likely to contain – or link to – sophisticated malware. A far greater number of malicious, but less sophisticated emails, it says, and spam is blocked each month.

The Strategic Defence and Security Review allocated £650m over four years to establish a Cyber Security Programme to combat the problem. It seems well-timed. It was reported this week that a notorious Chinese centre working for the People's Liberation Army was back in business after a three-month lull.

China has always denied involvement in such activities but Unit 61398, whose well-guarded headquarters are located on the edge of Shanghai, has become a symbol of the country's cyber-might.

But it's not just China. Mr Fidgen explains: "State-sponsored cyber espionage is now going to be part of the landscape, and so should be expected. Every government with the capacity will be trying to glean information for economic or other purposes. China is being tarred of a lot of it but if you look at South Korea, its banking network was disabled by the North. The Israelis have used it against Iran. And Iran itself has used it too."

In the latter's case, there is evidence linking it to a cyber attack on the Saudi oil company Aramco in which more than 30,000 computers were compromised or affected by a "spear-phishing" attack last year.

Mr Fidgen says: "This is the new landscape. Instead of warfare, it is much easier to extract information to gain economic advantage today, where there is almost no recourse to any authority, the effects of theft are not always immediately apparent, there is no legal system to deal with it, and no one wants to talk about it. Fascinatingly, the direct effect of attacks is a loss of corporation tax revenues."

This is part of the motivation for the UK Government's concern. But whether it is government, trade bodies or companies that work in the field, the message to businesses is the same: "Take it seriously."

Mike Cherry, national policy chairman of the Federation of Small Businesses, says: "Cyber crime, whether targeted at a multinational corporation or a small business with only a handful of employees, has the potential to cost not only thousands of pounds but the jobs and security of whole communities.

"Whatever the size of a firm, businesses have to take the threat of hacking and theft seriously and protect themselves adequately from crime. Clear action from the Government and the wider public sector will only work if businesses, whatever their size, proactively protect themselves from fraud and online crime."

The incident reported yesterday by ENRC may "only" have involved a laptop, resulting in the need to offer protection to employees who might have been put at risk of identity theft as a result. But tomorrow's follow-up could be much more serious, and come with far reaching and deeply damaging consequences.