Page 3 - TenInsight_issue6

June 2019 | Issue 6




How do geopolitical cyberattacks affect the average UK SME?

It is not unusual these days to hear about a corporate or public entity being subject to a cyberattack or losing large quantities of data. The attacks garnering most attention are, characteristically, not perpetrated by a bored teenager (a so-called ‘script kiddie’) but are instead state-sponsored and geopolitical in nature.

One of the more recent attacks includes the Australian government cyberattack in February 2019, linked to Iranian cyber espionage group ‘Iridium’ – a group also believed to be responsible for a similar attack against the UK government in 2017.

Other geopolitical cyberattack examples include the WannaCry ransomware in 2017, the supposed Russian interference in the US 2016 presidential election, North Korea’s attacks against SWIFT and Bitcoin, and the numerous Russian assaults on Ukrainian infrastructure.

The effects of these geopolitical cyberattacks are often under-estimated and always seem to be misunderstood, as people often forget about the incident after a couple of days of bad press. The long-term ramifications of such an event are often not truly comprehended by smaller businesses in the UK.

The 2019 Cyber Security Breaches Survey shows 31% of micro and small businesses have encountered breaches or attacks in the last 12 months. Despite the statistics, most SMEs feel they are not at risk of being a target – there is a general air of unrealistic optimism that being a small company is a form of protection. After all, they think, why would China want to know how many rats were caught by a small Kent-based pest control business?

At the ITC Annual Security Conference, Paddy McGuinness, former UK Deputy National Security Adviser for Intelligence, Security and Resilience, highlighted that China’s attacks characteristically target big data sets and bounce off others by hacking through a service provider. Hypothetically speaking, if the UK government used Amazon Web Services (AWS) to store its data, China could target large data sets in AWS to seize this. As a small pest control business in the UK, using AWS cloud to store all personal data relating to your clients, your company’s data could be compromised in the attack. Would you have a plan in place for this scenario?

It is important to understand that although you may not be the direct target of a nation-state hack, it is possible to be affected indirectly – having a plan in place will help mitigate the consequences of the breach.

Primarily, you need to understand your own cyber vulnerabilities: does your company adhere to the most basic cybersecurity principles? In their Cyber Essentials programme, The National Cyber Security Centre (NCSC) has useful guidelines for making sure you are safe – the information is written plainly and is accessible for most.

Undertaking third-party risk management is also important. Ask yourself and your team – how well do you know the provider of your cloud-based security solution? Do you know where in the world your data is stored? What security protocols does the company have in place? What is their reputation like? Do my third parties use other third parties? If a data breach occurs, how do I communicate externally and internally?

According to the 2019 Cyber Security Breaches Survey, the number of businesses reporting cyberattacks decreased from 43% the previous year to 32% this year. However, it appears that businesses and charities that have been targeted now appear to be experiencing more attacks than in prior years.

Such a high percentage of attacks suggests it is not a case of if you will suffer a data breach, but when.

Most importantly, do not underestimate the effects of a cyberattack on your company and employees, and never undervalue the importance of a thorough and up-to-date company plan in minimising the effect of a macro-scale cyberattack. Be prepared – you never know if you will be the next target.

At TenIntelligence, we provide a range of services and jargon-free advice to organisations who require assistance to protect their company. If you would like to have a conversation about your security position, or need help in reaching an applied standard, contact us via info@tenintel.com.

Sean Nichol
Associate (Cyber and Forensics)

Useful links:
1. The 2019 Cyber Security Breaches Survey: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019
2. Cyber security advice for SMEs by the National Cyber Security Centre: https://www.ncsc.gov.uk/section/information-for/small-medium-sized-organisations


Is your company taking due diligence seriously?

When 75% of our background checks identify flags, a simple Google search isn’t enough.

In 2002, Yahoo discovered that CEO Scott Thompson could not have obtained a bachelor’s degree in computer science from Stonehill College, as the course was not offered until four years after he graduated. In 2018, the world’s largest luggage maker, Samsonite, also announced its CEO had stepped down following allegations he lied on his resumé.

These are just two high-profile examples, whereby both companies, as market leaders in their sectors, overlooked the details of their most senior executives’ CVs. This resulted in not only financial losses but, most importantly, it had an embarrassing impact on the company’s public image. Skeletons can be found in even the safest closets.

How much due diligence is enough?

Having the right background information allows organisations to work with confidence, compliance and assurance.

Our Due Diligence Team completed over 600 background checks during 2018. As part of our analysis into these checks, we implemented a simple traffic light system, giving each background check a status of Red, Amber or Green. Red showed a significant red flag had been found; Amber confirmed that discrepancies were identified; whilst Green meant there were no issues identified on their CV or application form. From our research, a total of 75% of cases were identified as an Amber (69%) or Red flag (6%). This means during the open source phase, a further investigative phase is required, or the scope might also need to be expanded into additional jurisdictions.

During this research we identified a number of near misses, where clients had been poised to appoint a professional who, at first glance, seemed like the ideal candidate but turned out to be less than desirable. Our findings included allegations of insider trading, sexual harassment, fraud, drug taking, undeclared insolvencies, court litigation, ties to sanctioned individuals and companies; all of which clearly demonstrate the need for background checks before employment to help safeguard your organisation’s reputation.

No more Google searches

Whether it’s through an in-depth interview with a former colleague which reveals criminal activity or undeclared financial issues identified through official records, relying on a Google search to identify these kinds of risks is unwise – none of the red flags we identified during the 600+ background checks in 2018 were found through a Google search.

Due diligence results

Red: 6%   Green: 25%   Amber: 69%

Detailed examination of databases, online resources, and interviews with carefully chosen individuals and sources, is the only way companies can be certain to minimise risks when engaging with a new senior hire, partner or business. Interestingly, there are several mechanisms in place online for people to hide their backgrounds: for example, companies which bury negative online profiles for a fee, as well as the Right to be Forgotten law codified in the EU’s General Data Protection Regulation (GDPR). It further proves that using standard search engines will not recover scrubbed data; however, an experienced due diligence analyst is trained to spot the signs and collect factual information.

Due diligence is a very complex and challenging undertaking. A thorough background check into senior executives and new hires should entail rigorous interrogation and analysis of information gathered from a range of open sources, such as: subscribed databases; press articles; company registries; court searches; public records and documents; reference checks; employment and education verifications, as well as social media platforms. It is critical to identify all the possible risks, as the additional cost for the supplementary phases is minimal compared to the possible losses incurred from a bad business decision.

For more information regarding our due diligence service, please email us via info@intel.com. Our team is looking forward to providing assurance and helping your organisation make informed decisions.

Katie Frodsham
Litigation Support and Assurance Director
katie.frodsham@tenintel.com

Due Diligence | Investigations | Protection  www.tenintel.com