BrightBlueKite

We’re all in Cyber Security now

Successful companies often build their culture around a small number of key concepts and one of the most enduring has been ‘we’re all in sales’ or a variation on this theme.

I enjoyed a recent Cyber Security session run by Transpire and led by Markus Krebsz and Wendy J Barnes using tools developed by the National Cyber Security Centre (NCSC), and I’m going to encourage the widespread adoption of a new key concept: ‘we’re all in cyber security now’.

Across the wide range of Cyber Security defences an organisation can operate, one of the most valuable and potentially vulnerable is the ‘human firewall’. This is the idea that no matter how sophisticated the technical controls, if a person can be tricked into divulging a key piece of information, or is simply careless, the whole system can be compromised.

But if staff are well-trained, vigilant and apply some common sense, the human firewall is so much more difficult to breach.

What types of common Cyber threats are there?

Cyber criminals are looking for data, intellectual property (IP) or anything else you may regard as your ‘crown jewels’. What that is will vary from organisation to organisation, but anything that can be sold, or held to ransom, is a potential target.

There are many potential threats and the most common are:

  1. System attacks: Attackers use automated scanning tools to find unpatched or misconfigured services exposed to the internet and look for a way in through them.
  2. DDoS attacks: Attackers overwhelm a system, server or network with more requests than it can handle, taking it offline. Sometimes the aim is extortion, with the attacker demanding payment to stop; sometimes it is simply disruption.
  3. Phishing emails: An attacker sends an email, often from a fake but convincing address, that either carries a link or attachment which installs malware when opened, or tricks the recipient into handing over a password or other valuable data.

Pretty much every kind of person or organisation, from individuals and their life savings to British Airways and Facebook, has been affected by a cyber attack. In early 2020, the Financial Times reported that the UK Home Office app created to allow EU Nationals to apply to live and work in the UK after Brexit had serious vulnerabilities. These could allow hackers to steal the most sensitive personal information, including passport details, of the 1m people who had so far downloaded it: https://www.ft.com/content/8dd7bd46-0636-11ea-9afa-d9e2401fa7ca. It’s astonishing to learn that a high-profile government project was so poorly protected.

The Human firewall:

There’s a widespread belief that Cyber Security is an IT issue and, yes, an IT department would be expected to protect a company against the first two of the most common threats. However, phishing is the most common form of cyber attack, and its success depends on tricking an individual into giving the attacker their password or clicking a link which installs malware. No amount of technology stops someone typing their password into a convincing fake login page.

Phishing is an industry: there are criminal groups whose employees spend their entire working day sending phishing emails, and phishing kits are bought and sold like any other software.

Organisations need to help everyone understand their role in protecting an organisation from cyber attacks.

  • Be sceptical: If you’re surprised by an email sender or email content, always check the actual email address (not just the display name) and try to verify the sender a second way. Call them on a number you already have, or ask someone in your organisation if they know of them. If something looks too good to be true, it probably is.
  • Use a strong, unique password for each account, ideally from a password manager, and change it immediately if you suspect it has been compromised. The NCSC no longer recommends forcing routine password changes, because that tends to produce short, predictable passwords. For comparison, these are the top 10 passwords of 2019 according to SplashData:

123456, 123456789, qwerty, password, 1234567, 12345678, 12345, iloveyou, 111111 and 123123.

How easy do you think any of these would be for a hacker to crack?

  • Be careful. If there are strangers in and around your office, be extra vigilant even if they seem genuine. Another human error which has led to systems being compromised is conference attendees being given free USB drives which install malware when plugged in. Don’t plug in a USB device you weren’t expecting, and don’t plug in one you found.
  • Buy as many variations of your company URL as you can think of, especially subtle mis-spellings and lookalike characters (a ‘1’ for an ‘l’, ‘rn’ for ‘m’). These will usually be very cheap (£10/year or less) as no-one else will want them, and owning them stops attackers registering them to trick your employees. Registering variants only covers the obvious ones, though: an attacker can also send from an unrelated domain with a convincing display name, so also publish SPF, DKIM and DMARC records for your real domain so that mail forged to appear from it is rejected by the receiving side.
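The two points above, checking the real sender address and owning the lookalike domains, are two sides of the same problem. As an added example (not from the original post), the Python below generates the common typosquat families for a company domain (character omission, transposition, doubling, hyphenation, homoglyph substitution and TLD swaps), which is the list you would take to a registrar, and then uses the same list to classify an incoming From: header as internal, a lookalike, a display-name spoof or an ordinary external sender. The domain brightbluekite.co.uk and the alternative TLD list are assumptions for illustration; the homoglyph table is deliberately short.

```python
from email.utils import parseaddr
from typing import Set, Tuple

# Characters a human eye confuses easily. Constructed and not exhaustive.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
MULTI_HOMOGLYPHS = [("m", "rn"), ("w", "vv"), ("d", "cl")]
# TLDs an attacker might register instead of the real one. Assumed list.
ALT_TLDS = ["com", "co.uk", "net", "org", "co"]


def typosquat_variants(domain: str) -> Set[str]:
    """Generate lookalike domains for `domain`, e.g. 'brightbluekite.co.uk'.
    Covers the common typosquatting families: omission, transposition,
    doubling, hyphen insertion, homoglyph substitution and TLD swaps."""
    label, tld = domain.lower().split(".", 1)
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + label[i] + label[i:])          # doubling
        if 0 < i < len(label):
            variants.add(label[:i] + "-" + label[i:])           # hyphenation
        if i + 1 < len(label):                                  # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                              # single-char homoglyph
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for real, fake in MULTI_HOMOGLYPHS:                         # multi-char homoglyph
        if real in label:
            variants.add(label.replace(real, fake, 1))
    variants.discard(label)
    result = {f"{v}.{tld}" for v in variants}
    result |= {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}
    return result


def classify_sender(from_header: str, our_domain: str) -> Tuple[str, str]:
    """Classify a From: header relative to our own domain.
    Returns (verdict, address) where verdict is one of:
      'internal'           address is genuinely on our domain
      'lookalike'          domain is a typosquat of ours
      'display-name-spoof' display name invokes our brand but the address is elsewhere
      'external'           ordinary outside sender
      'unparsable'         no address could be extracted"""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparsable", from_header
    domain = addr.rsplit("@", 1)[1].lower()
    ours = our_domain.lower()
    if domain == ours:
        return "internal", addr
    if domain in typosquat_variants(ours):
        return "lookalike", addr
    brand = ours.split(".")[0]
    if brand in name.lower() or "@" in name:
        return "display-name-spoof", addr
    return "external", addr


if __name__ == "__main__":
    ours = "brightbluekite.co.uk"  # assumed company domain
    print(f"{len(typosquat_variants(ours))} lookalike domains to consider registering")
    # Constructed sample headers, not real mail.
    for header in (
        "Jane Smith <jane@brightbluekite.co.uk>",
        "Jane Smith <jane@brightb1uekite.co.uk>",
        '"IT Helpdesk brightbluekite.co.uk" <helpdesk@mail-secure.example>',
        "Supplier <orders@supplier.example>",
    ):
        print(classify_sender(header, ours), "<-", header)
```

The display-name check is the one most people miss: most mail clients show only the name, so ‘IT Helpdesk brightbluekite.co.uk’ looks internal until you open the actual address. Real mail gateways do this classification on every message; the value of the script is that it makes the list of variants concrete enough to register the cheap ones and to feed the rest into a mail filter.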

It’s not unusual to hear companies bemoaning the new practices necessary to become GDPR compliant, but one of the new regime’s great benefits is that it has significantly raised the general understanding of the value of data and the requirement to protect it. This should mean Cyber Security training is seen as a benefit rather than a chore.

Planning and responding to a Cyber Security breach:

You never know when a breach is going to happen, but if you don’t have a Cyber Security incident response plan, you need to write one NOW. You may need to employ an expert to help, but it needs to cover how you will:

  • Ensure you can quickly identify when you have been breached, which means knowing in advance what logs and alerts you have and who watches them.
  • Contain the breach and close the route the attacker used.
  • Forensically analyse the breach and its consequences, preserving evidence rather than wiping and rebuilding straight away.
  • Tell the people affected (including the ICO where relevant; under GDPR, a breach likely to put individuals at risk must be reported to the ICO within 72 hours of your becoming aware of it), tell them what was taken and tell them what you have done to remedy the situation.

You may also need to consider making a public announcement including most of the above.

Don’t ignore Cyber Security:

It may seem daunting and potentially complex, but the one thing you cannot do is ignore it. With some joined-up thinking bringing company departments together, planning, training and watchfulness, you can reduce your chances of suffering an attack and limit the damage if one succeeds. Get yourself a virtual ‘guard dog’ and make the hackers think twice before targeting you.