IMPORTANT Website terms of use and cookie statement

RIBA Business supplier spotlight series with Mitigo

In this RIBA Business Supplier Spotlight, we are joined by Lindsay Hill, Chief Executive Officer at Mitigo, our technical security partner. Lindsay is a solicitor and experienced CEO. He has spent 30 years as a specialist in legal & regulatory compliance and business risk management, including legal obligations for cyber and data security.

Lindsay Hill, Partner and Chief Executive Officer at Mitigo

Tell us a bit about Mitigo

As a specialist partner to RIBA we provide cyber security and business resilience to architects in the UK. In a nutshell, we protect our clients against the potentially dire consequences of a cyber breach.

How do you work with clients?

There are a couple of ways in which we work with clients. Firstly, we may be called in by businesses in a panic to undertake an emergency response after they have suffered a cyber attack. Our process involves working closely with the client to understand what has happened, in order to contain the incident and make sure the criminals are kicked out of their system. At times, we also deal with ransom demands to get the compromised business back up and running successfully.

More frequently, our services are taken up by clients who recognise the risks of a cyber attack and the importance of staying protected on an ongoing basis. We have a range of services that are designed to manage the specific risks that architects face and keep them safe.

We give new clients a risk and vulnerability assessment and draft their policies and procedures for them. We also provide a cyber security staff handbook to companies which employees must read and sign, making them more mindful and understanding of the risks.

Based on the current crisis and rise in cyber attacks, what advice can you offer members, based on the types of attack you are seeing?

My three top pieces of advice to RIBA Members would be the following:

  1. Recognise that cyber security is not the same as IT support. What we see is firms getting breached because they assumed their IT people are also looking after their security. Our professional expertise is very different from the IT function, so it is important to understand both disciplines, but treat them separately.
  2. Understand the risks your firm faces from a variety of vulnerabilities. For example, people working remotely with poorly configured and unsafe connections, using mobile devices, cloud platforms and cloud technologies. Criminals are becoming increasingly sophisticated and innovative, and the methods of attacks are evolving constantly, as firms seek to defend themselves.
  3. Practices should recognise you don’t get security simply by buying more technology. There is an old saying: “If you think technology alone can solve your security problems then you don’t understand the problems and you don’t understand the technology”. We see businesses being advised or persuaded to buy more expensive security software, but what they really need to do is employ someone to properly configure the systems they already have. There are many security features available within your existing technology if you know what you are doing. Buying more will not protect you more.

What forms of attack do you see most frequently?

The two most common forms of attack we see at Mitigo are ransomware and email account takeover.

An email account takeover is when the criminals get into your email system, often through Office 365. Once they enter, they can spy on traffic, look at all your emails and send and receive messages, which are then diverted so they are never seen by the hacked individual. We have seen situations when going into businesses where the criminals have had access to their system for a couple of months, watching traffic and biding their time to decide when and how to attempt criminal activity. Common examples of such activity include invoice hijacking and diverting payments.

The Multi Factor Authentication (MFA) is where we have seen sophisticated, real time logging in. Screens are presented that look like you are logging into your own Office 365, but you are entering your security code and credentials into the criminals' fake screen.

One of the most frightening forms of attack is ransomware, a situation where an individual or a criminal gang get into your system. They bide their time to see what valuable data they can access and encrypt it for blackmail purposes. They effectively have two ransomware attempts. The first threat is saying the systems are now encrypted, and unless a certain amount is paid, they won’t decrypt it for you. The second threat is to release company data unless a ransom is paid.

In our experience, the starting price is usually $50,000 for these ransomware demands, and it is a very unpleasant ordeal. We have seen companies down for three weeks and even those who can get back up and running after a few days, still have business interruption for weeks. It is very costly when you are down and even if backups work, you aren’t protected from the theft of your data. The consequences are large as employees can’t work and projects get stalled.

How do these criminals communicate on the ransomware demand?

In terms of communication, when you are first attacked, a message will pop up to say you have been encrypted and they are seeking a ransom. The regulators and police recommend ransoms aren’t paid due to good policy reasoning, but people sometimes pay as they are scared and in a desperate situation.

The problem is you don’t know what data has been taken, how it will be used in the future or whether the bad people will come back. Information can be aggregated with other information that is illegally attained or even publicly available through social media. They can use that to do socially engineered phishing attacks in the future, so the damage that can be done once access has been gained is huge. Personal data losses still need to be reported to the ICO and the individuals whose data has been accessed need to be informed.

What are the 3 most important ways a practice can protect themselves from a cyberattack?

Our service answers that neatly as it is exactly what we do for our clients. The starting point is to conduct a proper cyber risk assessment. Once this step has been taken, there are three areas you need to attend to:

  1. Assess the vulnerabilities in your technology set up and make sure it is securely configured and independently tested on a regular basis.
  2. Nurture your people. You must provide cyber awareness training, try to create a security culture and test whether training is working through simulated phishing attacks. On average, we see from our clients that 20% of untrained people will click on links. You can improve this with ongoing training to change behaviour.
  3. Governance – you must put policies and procedures in place to control the risks and make sure the measures are working.

All three areas are needed to stay protected. If you miss one, then you create an exposure to an attack.

Some of these areas you may be able to implement without specialist assistance but to ensure you are really mitigating the risks then it is best to discuss it with a security specialist. We would be happy to talk through the services we provide for consideration to any business.

In a series of interview led articles, we provide an up close and personal look into the portfolio of products & services chosen to help support you in practice. Find out more about our technical security services for architects and practices.

keyboard_arrow_up To top