Criminals want to make money out of you. The internet gives them that opportunity.
The threat landscape is dominated by well-funded, business-like adversaries using sophisticated, targeted attacks. In addition, many businesses are still falling foul of negligent employees who continue to put them at risk.
Despite this, many organisations are simply not doing enough to tackle the battle against cybercrime and are overlooking the IT fundamentals that can enhance their ability to mitigate risk.
Each and every organisation, however big or small, should consider the possibility that it may already have been breached. Everyone is a target. Organisations need to act now.
The scale of the problem
The modern world is now heavily reliant on the Internet. Websites and social media have become vital channels of communication allowing companies to interact and sell to customers.
Businesses are also providing employees and partners with online access to their systems, and facilitating flexible working through cloud computing.
As the significance of the Internet has grown, however, so has the ability of cyber criminals to attack. Their incentive is the increasing value placed upon data, which is now a highly prized commodity across the world.
As a result, the scale of the threat is at its highest level, and organised gangs, nation states and even bedroom hackers worldwide are targeting some of the world's biggest and smallest firms. And it has never been easier, with sophisticated cybercriminal toolkits now available for just a few thousand pounds. Everyone is vulnerable to attack.
Variety of attacks
Denial of service (DoS) attack: An attempt to make a machine or network resource unavailable to its intended users, typically by flooding it with traffic or requests, so that the services of a host connected to the Internet are interrupted or suspended, temporarily or indefinitely.
Phishing: The fraudulent practice of sending emails purporting to be from a reputable source in order to trick individuals into revealing personal information, such as passwords or credit card numbers, or occasionally into handing over money by indirect means.
Watering hole: Compromising a legitimate website that the intended victims are known to visit (or setting up a convincing fake one) so that visitors are infected or have their credentials harvested.
Scanning: Indiscriminately probing large sections of the Internet for exposed services and known vulnerabilities, then attacking whatever responds.
Spear-phishing: Similar to phishing, but involving targeted emails to specific individuals, which may carry an attachment containing malicious software or a link to download an infected file.
Subverting the supply chain: Attacking software or equipment while it is being delivered to a business, so that it arrives already compromised.
Time for businesses to get smarter when tackling cyber attacks
The topic of cyber security is increasingly at the top of the agenda for business leaders, especially with the number of ransomware attacks on the rise. According to research from McAfee, ransomware attacks – in which corporate data is encrypted and held hostage by cyber criminals in return for payment – have risen more than ten-fold in the last two and a half years.
This rise is in part due to hacking methods becoming more sophisticated, with cyber criminals having evolved their techniques beyond the more traditional routes, such as indiscriminate worms and viruses, that IT defences were designed to catch. Instead, hackers are turning to new tactics, including the recruitment of moles or internal spies – such as former or existing employees – to pinpoint weaknesses within the business and extract data in return for a payment or other incentive.
Small businesses a prime target
It is often only global corporations that we hear about experiencing these attacks, with eBay and Domino's Pizza just two brands to have had customer records stolen or held to ransom in 2014. While they certainly create headlines, it is largely SMEs that are most at risk, due in part to limited awareness as well as insufficient security measures. In fact, a recent survey from Kaspersky Lab revealed that three quarters of SMEs believed their business was too small to be of interest to cyber criminals, with just under 60% of respondents stating that they thought the data they held would simply not be of interest. And yet an attack can have devastating consequences for a business, damaging its reputation and causing customers to suffer a serious crisis of confidence.
Prevention, not cure
A number of these attacks succeed because of outdated systems and processes. It's easy for businesses to slip into a 'fit and forget' culture whereby security defences – including anti-virus software, software patches and firewalls – are installed but neglected soon after. Defences need regular checks to confirm that signatures, patches and rule sets remain up to date. By sidestepping this, businesses find themselves with legacy processes that are simply not sufficient to protect against modern threats.
Ransomware is becoming more readily available as an easily downloadable online kit, which means that the number of amateur cyber criminals is increasing as would-be attackers grow more confident in their technical capability. Businesses that do not regularly test their protection measures may well have already been compromised without knowing it. As such, it is critical that organisations regularly check the three core pillars of defence: anti-virus software, software patches and the firewall.
Communicating the danger to employees
For smaller businesses, which may not have a dedicated IT department, it's important to educate staff about the ways the business can be attacked. It may be something as simple as clicking on a malicious pop-up or visiting an infected site. Similarly, be aware of any remote access that a third party or individual may have to your devices, and of visitors to the building who may plug a USB stick into a port to copy a presentation, for example.
There's little point in maintaining technology if staff are only going to disable it in order to reach a site that is being flagged as potentially dangerous. By promoting awareness of possible threats from the inside out, businesses can create a 'think twice' mentality that goes some way towards reducing their vulnerability.
It's important to remember that holding corporate data to ransom is no longer just a concern for big businesses, as criminals are no longer afraid to invest heavily to get what they want. For smaller businesses, it may seem difficult to justify investment in security defences against an attack that hasn't yet happened, but companies often do not know that they have already suffered one. To guard against this, it's crucial that businesses invest in security technology that is regularly checked and kept up to date. In doing so, they can create a culture of prevention, not cure.
Educating employees: why don't they listen?
Training employees in cyber security needn’t be a Sisyphean task
If you’re tired of telling your employees to change their passwords, remember poor Sisyphus. This figure of Greek mythology offended the Gods, and was condemned to forever repeat the same task: pushing a rock uphill, only to watch it roll down again, before starting from the beginning.
Cyber security training can be a bit like that. Yes, some employees are diligent, regularly changing passwords and following security policies to the letter.
And then there’s the guy that just faxes sensitive medical records to some other random guy. In Canada, British Columbia’s privacy commissioner is investigating a case where personal health records were sent to incorrect fax numbers.
Or the guy who decides to inappropriately access his colleagues' medical records, as allegedly happened at Salford Royal Hospital.
Just as with people who smoke, or eat too much fatty food, some employees know what they should be doing to protect their companies against security threats, but they don’t do it. These are your Sisyphean rocks. They make the same mistakes, repeatedly, even after being told not to. Try as you might, you just can’t get them to do what they should. What’s going on?
Take solace. You’re not alone. A survey of 1,200 UK workers run by YouGov found a stark disregard for basic security practices, even though most (65%) said that their employer had a cyber security policy in place.
Over one in five of them didn't have passwords or PINs on all of their devices. Of those that did, 21% wrote them down somewhere so that they wouldn't forget them. And almost a quarter of all respondents shared passwords with friends, family or fellow workers. While 35% of employees used their personal devices to access company files, half of those devices had had a virus.
Less finger wagging, more dialogue
One of the problems may be how we’re approaching training. We often wag our fingers at employees but it isn’t working.
“I continue to despair over some of the online training packages that are given to people,” said John Lyons, chief executive of the International Cyber Security Protection Alliance. “They sit through hours of this stuff. It’s bought off the shelf, and it’s got very little to do with the business they’re operating in.”
This can be compounded by the trade-off between security and inconvenience. When implemented blindly by managers who don’t understand the working environment, security policies can be too difficult to follow for staff who just want to get the job done. Consequently, simply dictating policies to employees and threatening discipline for transgressions can often simply drive such activities underground.
Tim Holman, director of the international board for the Information Systems Security Association, recalls a security problem where his wife – a nurse – was supposed to log in to a healthcare system using her own account. That's fine in principle, he said, but healthcare environments are often frantic and stressful. Staff will have a low tolerance for any policy that gets in their way.
“They would share someone’s logon and leave it logged on for the whole day,” he recalls. “They realised that people just carried on doing it, and they had to take the problem out of the users’ hands because it was a big risk.”
To solve the problem, managers had to combine process and technology, giving staff smartcards for faster two-factor authentication, so that the secure option became the quickest one.
Your staff are selfish, and that's OK
Instead of bullying them, we should be appealing to their selfish side, said Wendy Goucher. Goucher runs her own information security firm, Goucher Consulting, where she works with clients to help them get the message across about security awareness.
“I encourage businesses to use an approach I have developed that I call ‘Selfish Security’,” she said. “This means that we try and make security messages relevant to the individuals themselves, not just to their role.”
What does that look like? Start by understanding what’s important to them. For most people, that’s pretty simple: friends, family, money. “People will always protect themselves, their precious information and their family before they protect the business that pays them, especially if it is a big, faceless organisation,” Goucher said.
Explaining to someone how to protect their online banking information so that they don’t get hacked will get their interest. Giving them the lowdown on how to protect their children from online stalkers is a better way to promote online privacy than any finger-wagging lecture.
Goucher has seen first-hand examples of this. In one company she worked with, staff kept throwing sensitive documents in the bin rather than shredding them. Instead of circulating scary memos, managers got smart: they had a ‘shred it’ day, offering employees the chance to bring in all their sensitive garbage from home, so that they could dispose of it safely.
Two weeks later, managers checked the garbage bins. The amount of sensitive material in it had plummeted. Employees saw some personal benefit in the practice, so it became part of their routine at work.
“It’s all about habit,” said Goucher. “If you can get things so people are doing the right thing by habit then they are much more likely to do it.”
If the carrot doesn’t work…
There’s a final, crucial component to any security awareness and training initiative: follow-through. Regularly testing employees to measure their diligence will constantly remind them of their responsibilities. Building this in to performance reviews can’t hurt either. There are testing services designed for this purpose, including companies that will send fake phishing emails to all employees, and monitor who opens them.
There isn’t a silver bullet for this stuff. Experience has shown us repeatedly that there will always be a stratum of users who simply don’t get it. But at least by training properly and meeting employees halfway, companies can minimise the bad behaviour. Then, the regular testing will help to mop up the bad apples for disciplinary action. After all, the carrot is a good tool to have in your arsenal, but it will never entirely replace the stick.
You can never be too paranoid when it comes to network security
It’s almost five years since Debora Plunkett, head of the Information Assurance Directorate at the United States’ National Security Agency (NSA), boldly claimed ‘there’s no such thing as secure any more’.
She made this statement to explain why her organisation works under the assumption that various parts of its systems have already been compromised. Fast forward to the present and this operating assumption is now common across the security profession.
With the rise of bring your own device (BYOD) and the ubiquity of mobile devices, the opportunities for attack by cybercriminals have grown dramatically. Relying on the firewall alone to defend against external threats is simply not enough any more.
This has led to increasing talk of ‘deperimeterisation’: the recognition that organisations cannot rely solely on the fortified boundary, or ‘perimeter’, formed by firewalls, VPNs and intrusion detection systems, and must look at what is happening inside it.
Every device is now viewed as a potential threat that could allow malware to slip past the firewall and into the network, and cause significant damage to a company’s infrastructure.
Organisations can’t just assume that laptops provided to employees are safe because they are joined to the company domain and running certain security policies. Network access control often isn’t set up to apply to those internal devices, but just because the employer has provided the device doesn’t mean the employee can’t have picked something up while outside the company network.
They’ve got to check for this possibility, and having procedures in place to make sure that devices pass health checks before being permitted back onto the network is a beneficial tactic. It’s still vital to have the perimeter in place to guard against inbound threats.
Organisations, however, also need to check that their firewalls are inspecting outbound traffic, content filtering the activity of their own PCs and devices to see whether they have already been compromised and are being used to spread malware across the Internet.
A healthy dose of paranoia and an assumption that the battle has already been lost isn’t a bad approach. A good strategy is to put in place regular scans and reviews of the IT environment, breaking it down into its component parts – firewall, PCs, patching and anti-virus software – to see how each is working as an individual entity.
Too often we focus only on mitigating external threats, but common-sense practices can also be applied from within the network: setting up internal boundaries and limiting access to an as-needed basis is also advisable.
If organisations can segment workers into distinct groups or departments, they can start to limit access to certain resources to specific users. This ensures that if there is any kind of breach, the chance of it spreading to other areas of the network is limited.
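The two internal checks described above, reviewing outbound traffic for signs that a PC has already been compromised and enforcing segment boundaries between departments, can both be run over the same connection log. The script below is an added example, not code from the original article: the log format (source, destination, port, protocol), the three segments, the allowed ports and the fan-out threshold are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Added example: egress review and segmentation check over connection logs.

Not part of the original article. Segments, policy and sample data below are
assumptions; adapt them to the real address plan and firewall export format.
"""
import ipaddress
from collections import defaultdict

# Assumed internal segments (workstations, finance, servers).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.1.0/24"),
    "finance":      ipaddress.ip_network("10.10.2.0/24"),
    "servers":      ipaddress.ip_network("10.10.3.0/24"),
}
# Assumed policy: which segment may reach which, and on which ports.
# Anything internal-to-internal that is not listed here is a violation.
SEGMENT_POLICY = {
    ("workstations", "servers"): {443},
    ("finance", "servers"):      {443, 3306},
}
# Assumed egress policy: ports any internal host may use directly to the
# Internet. Direct SMTP (25) from a desktop is not allowed and, seen to many
# different external hosts, is a classic sign of a machine sending spam.
EGRESS_PORTS = {80, 443}
FAN_OUT_THRESHOLD = 5  # distinct external peers on one blocked port

# Constructed sample log: "src_ip dst_ip dst_port proto", one record per line.
SAMPLE_LOG = """\
10.10.1.23 93.184.216.34 443 tcp
10.10.1.23 198.51.100.7 25 tcp
10.10.1.23 203.0.113.9 25 tcp
10.10.1.23 203.0.113.10 25 tcp
10.10.1.23 203.0.113.11 25 tcp
10.10.1.23 203.0.113.12 25 tcp
10.10.1.45 93.184.216.34 443 tcp
10.10.1.45 10.10.3.5 443 tcp
10.10.2.8 10.10.3.5 3306 tcp
10.10.2.8 10.10.1.45 445 tcp
10.10.3.5 10.10.1.23 22 tcp
"""


def parse_log(text):
    """Return (src, dst, port, proto) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, proto = parts
        records.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                        int(port), proto))
    return records


def segment_of(addr):
    """Name of the internal segment containing addr, or None if external."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def egress_violations(records):
    """Internal -> external connections on ports the egress policy does not allow."""
    return [(str(s), str(d), p) for s, d, p, _ in records
            if segment_of(s) and not segment_of(d) and p not in EGRESS_PORTS]


def fan_out_suspects(records, threshold=FAN_OUT_THRESHOLD):
    """Internal hosts that reached many distinct external peers on one blocked port."""
    peers = defaultdict(set)
    for s, d, p, _ in records:
        if segment_of(s) and not segment_of(d) and p not in EGRESS_PORTS:
            peers[(str(s), p)].add(d)
    return {key: len(v) for key, v in peers.items() if len(v) >= threshold}


def segmentation_violations(records):
    """Internal -> internal connections across segments not covered by SEGMENT_POLICY."""
    out = []
    for s, d, p, _ in records:
        src_seg, dst_seg = segment_of(s), segment_of(d)
        if src_seg and dst_seg and src_seg != dst_seg:
            if p not in SEGMENT_POLICY.get((src_seg, dst_seg), set()):
                out.append((src_seg, str(s), dst_seg, str(d), p))
    return out


def review(text):
    """Run all three checks over a log and return the findings by category."""
    records = parse_log(text)
    return {
        "egress": egress_violations(records),
        "fan_out": fan_out_suspects(records),
        "segmentation": segmentation_violations(records),
    }


if __name__ == "__main__":
    for section, findings in review(SAMPLE_LOG).items():
        print(section)
        items = findings.items() if isinstance(findings, dict) else findings
        for finding in items:
            print("  ", finding)
```

On the constructed sample, workstation 10.10.1.23 is flagged twice: each direct SMTP connection is an egress violation, and five distinct external mail servers on port 25 trips the fan-out threshold, which is the pattern of a compromised desktop being used to spread spam or malware. The segmentation check flags a finance PC reaching a workstation on 445 and a server initiating SSH back to a workstation, both of which the policy never allowed; the allowed database and web flows pass silently.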
Even if organisations embrace all these tactics, they still won’t be doing enough to guarantee total protection – but they never will. The only approach is to take every opportunity to review and evaluate existing security practices and look inside the perimeter for ways that systems can be improved. You can never be too paranoid.