Cyber Crime The threat to small and medium sized businesses Cyber Crime: What does it mean for you?

Technology is at the core of our cyber criminals to gain control over It’s critical that you are up-to-speed everyday lives, so much so that for the computer systems of a large on what criminals are doing and – many of us it’s difficult to remember entertainment corporation while more importantly – what you can a time without mobile phones, hackers were able to gain access do to minimise the likelihood of computers, email and the internet. to millions of a global eCommerce becoming the victim of these types company’s customer records. of attacks. To that end, we also focus These innovations have changed the on educating our customers, which is way we connect with one another, What might be surprising, however, why, in addition to online resources1 both on a personal and business is that in their most recent Internet we’ve developed this overview to level. Technology has played a key Security Threat Report, Symantec give you a snapshot of the cyber role in how the world economy found that 60% of all targeted crime landscape in general, as well has evolved over the course of attacks were levelled against as in terms of specific threats to the last decade, but it’s also given small and medium-sized (SME) small and medium sized businesses criminals new tools for gaining businesses. One reason for this is like yours. In the pages that follow access to information and funds. that SMEs could be perceived as you will find some examples of the somewhat more vulnerable with most common types of cyber crime From malicious insiders to hackers fewer resources to invest in security. and how they might impact your and phishing schemes to malware, Unfortunately, they may also have business, combined with a synopsis criminals are getting smarter and fewer resources to recover from an of best practices for keeping your more innovative. A look at some attack. A well-known code-hosting data and systems as safe as possible. of the most recent high profile firm, for instance, was forced to security breaches reported in the shut its doors after a cyber attack news show how malware allowed that lasted all of 12 hours.

1If digital, links to http://www.hsbc.com/internet-banking/online-security - if print, references URL in a footnote Assessing your exposure When considering your business’s exposure PERPETRATORS to cyber threats, think about your critical processes and services. Here are a few to consider: aers: A Multinational eCommerce Company, February What are your key information systems? through May 2014 – The company’s customer database Do you rely on a website for customer orders? If was hacked sometime between late February and early so, do you have robust processes in place to March of 2014 – giving hackers access to the names, ensure it is secure and can remain available if encrypted passwords, email addresses, attacked? physical addresses, phone numbers and dates of birth of the majority Where is your customer information held? of their 145 million members. In local databases or a cloud-based system? How are they secured? Which employees have access to your important business data? Is it necessary for them to have Cyber Criminas: access to everything they do? Carbanak, 2013 to present Do you rely on any third parties who have access – An unknown group of to your critical systems? What checks are there on hackers has reportedly what they do? stolen USD 300 million from banks across Are your key software and computer systems kept eastern Europe. up-to-date with security software, versions and patches? Does your business regularly use electronic payment systems? What are your processes to Maiious Insiders: A UK-Based Insurer, May 2014 – avoid fraud through social engineering tactics? Hundreds of phones owned by the insurer, were wiped clean when a disgruntled employee of their security How is email used in your business? contracting firm hacked into one of their systems. Do your employees know how to identify and In addition to the loss of data, the attack respond to phishing attacks? caused the security firm to lose its How would you recover should any of your yearly contract with the insurance systems be attacked? company, estimated at potential earnings of GBP 500,000. Are your employees trained to recognise cyber threats and what to do when faced with them? The access point: How are they getting in? Systemic threats: Caused by a weakness of some sort in commonly used technology that hackers and other cyber criminals then use to gain access to victims. - Heartbleed, 2014 – a vulnerability in one the The state of cyber crime today Internet’s most popular security packages allowed perpetrators to access and steal information from As technology becomes when you factor in the the memory of systems using the package. more sophisticated, so too potential loss of business do cyber criminals. They due to a tainted reputation. Staff access & insider: This can be due either to social engineering schemes that set out to trick steal money and identities In its 2015 Data Breach staff into providing log in information, physical or from individuals, and they proximal access using a variety of devices or an target businesses of all Investigations Report actual current or former employee seeking financial 3 types and sizes for a variety (DBIR) , Verizon found gain or revenge. that cyber criminals were of end goals. According to 3rd party & supply chain: In this case, access is 2 able to compromise an PwC , the cost of security obtained through a business partner – whether a breaches against business is organisation within a matter supplier, service provider or customer. The tactics increasing across the board. of minutes in 60% of the used are similar to staff access & insider entry For small and medium sized cases. That means even points. if a breach is discovered enterprises, PwC estimates - A large U.S. discount retailer, late-2013: Malicious the average impact is within hours, the damage software installed on point-of-sale (POS) devices between GBP 65,000 and may already be done. in checkout lines led to a breach of personal and GBP 115,000 on average. financial information for an estimated 110 million Staying informed about For larger firms it’s GBP customers. Perpetrators were able to hack into what current and growing the POS devices by stealing the login credentials 600,000 and GBP 1.15 threats exist is key to of a third-party HVAC contractor, which gave million. Of course, these are understanding what you can them access to the retailer’s network. averages and the damage do to protect your business, could be higher – especially employees and customers.

1http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf 3To compile data, Verizon worked with nearly 70 contributing organisations includingservice providers, IR/forensic firms, International Computer Security Information Response Teams and government agencies, among others. More than 80,000 security incidents were considered. WHAT IS TACTICS

istributed enia of erie o: A Global THE DARK Video and Online Gaming Company, December 2014 – A group of hackers known as the Lizard Squad launched a series of DoS attacks on a WEB? variety of gaming sites. As a result, this and other online gaming services experienced several As defined by Dictionary. hours-long outages. com, the Dark Web part of the internet Maiious Code: A Large, Multinational Entertainment that is “intentionally Corporation, November 2014 – The attack used hidden from search destructive malware designed to wipe computer hard drives and render data irretrievable. In addition, sensitive engines, uses masked operational and personal information, including emails, IP addresses, and is were released to the public. The company estimates it accessible only with a will spend tens of millions of dollars on investigation and special web browser.” remediation.

oia nineerin: A U.S.-Based For-Profit Managed Health Care Company, February 2015 – Personal information for as many as 80 million customer and employee records were compromised by a sophisticated cyber attack. Early but unconfirmed indications were that attackers may have used social engineering techniques to prompt employees to change their passwords, giving perpetrators access to administrative privileges.

hysiaroima ess: A British Multinational Banking and Financial Services Provider, April 2014 – Using a keyboard video mouse (KVM), a team of cyber criminals gained access to and control over accounts at the bank’s branches, transferring GBP 1.25 million to cash laundering accounts before being apprehended.

The Perpetrators: who’s after you? Hackers infrastructure on the Dark Web, for While stealing money is sometimes instance, or using backend services a motivation, many hackers are such as money laundering. In also often in it for the challenge addition to providing these types of and the potential notoriety they can services, organised cyber criminals gain. As such, their skillsets will also use a variety of advanced vary from those who use easily tactics to launch their own attacks. accessed online tools to those who are more technically advanced. Staff access and malicious insiders Cyber criminals Malicious insiders are typically Cyber criminals are almost always employees or third-party partners driven by financial gain. Again, who already have access to their level of sophistication can your organisation’s network range. Lone cyber criminals may and abuse their privileges. This take advantage of existing online includes disgruntled employees criminal tools. As they expand their who want to harm the company activities, they may also rely on in some way or steal from it. organised cyber crime services – renting or purchasing malware and

1http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf 2To compile data, Verizon worked with nearly 70 contributing organisations includingservice providers, IR/forensic firms, International Computer Security Information Response Teams and government agencies, among others. More than 80,000 security incidents were considered. The Tactics: because, as they stated, “the for delivering malware cost of resolving this issue to • Malvertising, which uses how do they do it? date and the expected cost of malicious web advertisements refunding customers who have Denial of Service inside legitimate websites been left without the service How much money would you to deploy malware with the they paid for…” put them “… lose if your customers couldn’t intent of infecting as many in an irreversible position access your website for an internet users as possible both financially and in terms hour? A day? Or more? • Watering holes, which focus of on-going credibility.” on targeting specific groups of If you rely on your website to accept people by exploiting well-known and process orders, the answer is Malicious code and trusted websites likely to be quite a lot. The goal of perpetrators visited by their intended victims launching Denial of Service (DoS) What if your customer database and redirecting users from the attacks is to make one or more of was stolen? real site to a malicious one an organisation’s computer systems Based on their estimates, the unavailable. The most common Verizon DBIR puts the financial In January of 2015, a small target is the web server, focused loss for a breach of just 1,000 regional U.S not-for-profit on bringing down the organisation’s records at between USD healthcare system of hospitals, website and disrupting the flow 52,000 and USD 87,000. clinics and community of business, but can also be used pharmacies discovered on mail servers, name servers or Malicious code, or malware, can some of the corporate any type of computer system. include viruses, trojans and worms. Malware can range in technical workstations and servers had malware installed on them. In June of 2014, a well-known sophistication with the ability to code-hosting services provider evade detection, spread through The malware allowed shut down operations after target systems and carry out a perpetrators to capture what began as a DoS attack range of activities. Advanced login information directly escalated into a request for malware, which has not yet been from live web sessions ransom. The perpetrator was identified as malicious by current when users visited financial able to gain access to the anti-virus providers, is becoming and social media websites. company’s cloud services more and more common. Those compromised by the and ended up deleting the Malware can be delivered in any breach include both current majority of the company’s data, number of ways, including: and former caregivers. including backups. Although • Spear-phishing, which uses the attack lasted just 12 hours, targeted emails to entice it was long enough to put recipients to click on a link the company out of business and/or enter credentials

3http://www.computerworld.com/article/2491008/cloud-security/hacker-puts--full-redundancy--code-hosting-firm-out-of-business.html 1500% GROWING THREATS Cyber criminals ansomare: Phishing attacks are also used to potentially earn deliver ransomware. With this, a company’s systems are locked and held hostage. While the 1500% return-on- typical ransom is somewhere between $300 and investment using $500, there is no guarantee that the files will be ransomware. released – which can be devastating to a business. According to Trustwave, an information security firm, cyber criminals potentially earn 1500% return-on-investment using ransomware – making it an increasingly attractive tactic. In fact Symantec noted that ransomware attacks grew by 113% in 2014 in its 2015 Internet Security Threat Report. % RETRIESTMET 1500 SI RASMWARE

Social engineering In June of 2015, a 10-year old American networking How well educated are your technology firm discovered employees about phishing and that it had lost USD 46 million watering hole attacks? to a likely social engineering Social engineering can be passive or scheme. In their quarterly active. earnings report4 they state:

• Passive social engineering “The incident involved employee involves the collection of publicly impersonation and fraudulent available information on a victim requests from an outside entity or organisation, which allows the targeting the Company’s finance perpetrator to construct a cyber department. This fraud resulted attack that is more likely to succeed in transfers of funds aggregating • Active social engineering uses that $46.7 million held by a Company information to manipulate targets to subsidiary incorporated in take a specific action (clicking on a Hong Kong to other overseas link, opening an attachment, etc.) accounts held by third parties.”

From a business perspective, the This type of fraud is becoming ultimate goal of social engineering increasingly more common and typically is to gain access to a protected targets businesses with overseas network or system. Active social suppliers who send payments via engineering is used in spear-phishing wire transfers. Essentially, the email and watering hole attacks, which address of one of the business’ – as noted above – are a means executives or employees is either for installing malicious code. spoofed or high jacked and then used to send illegitimate wire transfer instructions to staff responsible for processing such transactions.

4https://www.sec.gov/Archives/edgar/data/1511737/000157104915006288/t1501817_8k.htm Physical/proximal However, the security of your ensure that any mobile devices like systems and information is a shared laptops and smartphones used for access responsibility. Although cyber business purposes are encrypted. criminals are always inventing How well protected are your new ways to infiltrate systems, Train employees on best systems from unauthorised perpetrate fraud and steal money – practices access? there are several steps you can take Giving your employees the In this case, perpetrators exploit to minimise the risk of an attack. information they need to keep their ability to gain physical access business systems and information to your systems to, for example, Make use of industry-standard safe is key. Educate them on connect devices such as USB, solutions existing cyber threats and keep Keyboard Video Mouse (KVM) and Start with a “defence in depth” them up-to-date with new ones internet-connected devices to your security protection strategy by that may impact your industry using protected computers or network. installing and updating anti-virus trusted resources. (Please see the This gives them access to carry software and firewalls as well additional resources section). out a range of malicious activity. as separate email protections and internet proxy services. Train staff never to open Protecting your attachments or click on embedded Keep hardware and software links in emails originating from business: know what up-to-date unknown sources. When they do you can do Be sure to update software and receive a suspicious email, it’s operating systems on every best to delete it without opening HSBC has long been committed company-owned computer as soon it. If an email appears to be from a to online security and helping as vendors release new versions. trusted partner and asks for secure customers protect their businesses This includes downloading security information such as login credentials against fraud. This includes patches immediately if they are or to reset a password – have safeguarding our own systems. updated in between releases. employees report it to your security That’s why our Information team as well as the partner’s. Security Teams are constantly Similarly, don’t forget to upgrade monitoring activity across the hardware devices such as Employees should also never entire Bank, as well as researching wireless routers. Vulnerabilities download unauthorised software evolving cyber crime tactics to in internet-connected hardware programmes, documents or combat the perpetrators. can be exploited from anywhere applications directly from the web. in the world. It’s also important to REMEMBER No bank or service provider, including HSBC, will ever send emails requesting confidential details such as bank account numbers or other sensitive information.

Establish policies around Regular security analyses – such as security protocols testing websites and internet facing Many companies put a secure password applications, conducting security policy in place so that passwords assessments of business information have a certain level of complexity. As assets and maintaining up-to-date an example, you may want to require inventory – may uncover weaknesses. that passwords be at least eight In addition, putting disaster recovery characters in length and include at systems in place that include backups least one number, capital letter and/or to all major systems and information symbol. It’s also prudent for employees assets as well as regular testing will to change passwords periodically, also help protect against data loss. once every three or four months. Take precautions with external Ensuring employees only have access to partners the systems and information they need Conduct thorough background checks on to do their jobs can lessen exposure all third party suppliers with whom you to insider threats. Dividing financial work and review contracts periodically responsibilities among key staff members to ensure they are current. Pay special may also help minimise the risk of internal attention to those who have access to or fraud. This includes implementing a provide your IT systems such as technical “maker/checker” process for payments support contractors or Cloud services. where one staff member initiates a transaction and another approves it.

Restricting internet access on business network connected machines to only trusted sites and services can protect your systems from potential malware infection from compromised websites. Limiting or eliminating the use of external media such as USB sticks will further reduce the risk of data theft and infection from malware. Warding off cyber • Limit access to systems and Additional resources information based on job duties, criminals – a checklist and split financial responsibilities Since cyber crime is constantly across two or more employees changing, it’s important for you While not an exhaustive list that may to stay up-to-speed on what’s not apply in all cases, following are a • Restrict internet access to happening in the industry and few actions to consider in protecting trusted websites and limit the what you can do to protect your yourself against cyber crime: use of external media devices business. For more information: • Conduct regular security testing • Install and update anti-virus software and assessments of websites, • Download Verizon’s 2015 Data as well as firewalls, email protections internet facing applications Breach Incident Report5 and internet proxy services and information assets • Read through the UK Government’s • Keep software and operating • Establish and test disaster recovery “Small businesses: What you need systems up-to-date by downloading plans and backups for all critical to know about cyber security6” new releases and security patches systems and information assets as soon as they are available • Take the online course, “Cyber • Have a dedicated incident security for small business7,” • Upgrade internal hardware devices management team and/ from the U.S.’s Small Business that may have become obsolete or protocols in place Administration (SBA) and ensure mobile devices used • Thoroughly research the background for business are encrypted • Create a cyber security plan using of all third party providers and ensure the FCC Small Biz Cyber Planner8, • Hold regular training sessions robust contracts are in place developed by the U.S.’s Federal to inform employees of what Communications Commission (FCC) to look for in terms of existing and growing threats • Conduct a “Health Check” on your devices, computers and • Put policies in place that further website with the guidance of protect your systems and information Hong Kong’s Cyber Security by giving staff guidelines for Information Portal’s Safety Centre9 conducting business online • Have employees take McAfee’s Phishing Quiz10

5Links to http://www.verizonenterprise.com/DBIR/2015/ 6Links to https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412017/BIS-15-147-small-businesses-cyber-guide-March-2015.pdf 7Links to https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses 8Links to https://www.fcc.gov/cyberplanner 9Links to http://www.cybersecurity.hk/en/index.php 10Links to https://phishingquiz.mcafee.com/ More Information

Following please find sources for more information on the examples included in this document.

Anthem http://www.nbcnews.com/news/us-news/anthem-major-health-insurer-suffers-hack-attack-n300511

Aurora Health Care http://www.ago.vermont.gov/assets/files/Consumer/Security_Breach/Aurora%20Health%20Care%20SBN%20to%20Consumer.pdf

Aviva http://www.bbc.co.uk/news/technology-34052408

Barclays http://www.bbc.co.uk/news/uk-england-london-27146037

Carbanak http://securityaffairs.co/wordpress/33565/cyber-crime/carbanak-swipes-300m-banks.html

CodeSpaces http://www.computerworld.com/article/2491008/cloud-security/hacker-puts--full-redundancy--code-hosting-firm-out-of-business.html

Codan http://www.smh.com.au/business/codan-fights-back-after-chinese-hackers-stole-metal-detector-designs-20150624-ghx36t.html

eBay http://www.nytimes.com/2014/05/22/technology/ebay-reports-attack-on-its-computer-network.html

Heartbleed http://www.bbc.com/news/technology-27058143

Sony http://www.bbc.co.uk/news/technology-30530361

Target http://money.cnn.com/2014/02/06/technology/security/target-breach-hvac/index.html

Ubiquiti Networks http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/

Xbox http://www.businessinsider.com/xbox-live-outage-may-be-from-lizard-squad-hack-2014-12?op=1

This communication is issued by HSBC Holdings plc. While all reasonable care has been taken in preparing this communication, no responsibility or liability is accepted for any errors of fact, omission or for any opinion expressed herein. You are advised to exercise your own independent judgment (with the advice of your professional advisers as necessary) with respect to the risks and consequences of any matter contained herein. HSBC expressly disclaims any liability and responsibility for any losses arising from any uses to which this communication is put and for any errors or omissions in this communication. “HSBC” means The Hongkong Shanghai Banking Corporation Limited and each of its holding companies, subsidiaries, related corporations, affiliates, and representative and branch offices inany jurisdiction.