No other topic has dominated the boardroom agenda as consistently as cyber security in recent years. While COVID19 shot to the top of everyone’s priority list in early 2020, concerns about the security of IT infrastructure and applications have grown steadily year on year alongside organisations’ increasing reliance on these systems.
In the last government cyber security survey, 77% of businesses said cyber security was a high priority for their senior management, and 64% of large businesses reported having experienced attacks or breaches over the past 12 months
Here in Bristol, cyber attacks have caused problems for schools, the NHS, and Bristol Airport, taking out vital data and systems, and disrupting people’s daily lives. And even in cases where no money changes hands, cyber attacks can cause deep reputational damage - the recent LinkedIn data scrape didn’t compromise login details, but still entailed a grave breach of personal data involving millions of users. Regulations around GDPR and personal data mean that the Information Commissioner needs to be informed when companies experience a serious problem, even if it doesn’t involve passwords.
In one of our recent roundtables it was unsurprising, that our contributors took the risk not just to their organisation’s reputation, but also to their day-to-day productivity, extremely seriously. IN this blog we share some of their insights.
You are not the weakest link
Many breaches come about through phishing techniques, with trusted users being tricked into clicking a malware link or entering their login details into a nefarious website. But our contributors were keen to dispel the commonly discussed idea that this made human beings the weakest link in security.
Actually I’m championing a different message which is that humans are our strongest link. A lot of the failings that humans have are actually tooling failures, they are things that the technology should have safety checks in to pick up and stop.
Instead more focus was placed on ensuring their team had the right tools and information to keep systems secure. This is made easier by people’s increased awareness of potential threats in their personal as well as their professional lives.
We try not to make it a big work thing, just educating them in terms of how they keep their bank details safe, how they keep other passwords safe at home, rather than saying that work is very different.
Media coverage of common scams circulating on text messages or Facebook as well as services such as Have I Been Pwned?, which alerts users when their data has been compromised, have all contributed to a more sophisticated understanding of how to keep both business and personal systems secure. And with the blurring of boundaries of work and home due to remote working and Bring Your Own Device policies, keeping security standards high across every system has become vitally important.
Spotting the phish
All our contributors focused on the importance of good training to make the human element of security as effective as it can be:
We use a phishing training service, we’ve found that to be really useful and it’s driving up awareness across our organisation. It starts from the basic, almost obvious-to-spot phishing emails, but as you get better at spotting those it then introduces ones that look very good....It’s become quite competitive, people don’t like finding out they’ve been caught by this training, especially when others have spotted the phish.
In this our contributors are ahead of the curve in the DDCMS Cyber Security survey shows that only 20% of businesses and 14% of charities test their users through mock phishing exercises.
Exploiting supplier trust
For some organisations, the weak link was not inside the organisation, but in the space between business and supplier:
They found our biggest customer and wrote a fake letter from me to their CFO saying we had changed our bank account and could they pay all future invoices to the new bank account. The letterhead was surprisingly close to our real letterhead. That could have been quite big.
These types of supply chain attacks can also be mitigated through employee training and best practice, for example by confirming bank account changes over the phone with a trusted contact.
Our contributors were at pains to point out that while the human factor is one of the most visible elements of good cyber security, it is important to remember that it is just one part of a good, multi-layered cyber security governance.
I would say that ultimately 9 times out of 10 it’s the basics...just not getting them right, not doing the basics consistently and constantly, the boring stuff. Nine times out of ten that’s usually the root cause, whether it’s a mistake in coding or a mistake in set up, or a social engineering exploit.
Closing the door on human vulnerabilities in the system is pointless if other, less obvious doors have been left open. Badly built software or unsecured infrastructure are much less visible problems, but no less dangerous.