Humans & Technology: collaborate or collide. The Cyber security UK Roadshow 2016

Staying Safe Online
5 min read · Nov 24, 2016

I didn’t know what to expect when I signed up for the Cyber Security UK Roadshow.
At this kind of event you usually have vendors aggressively trying to sell their products to the rest of us, the potential customers.
Not so yesterday. Most of the crowd were actual owners of SMEs, genuinely interested in sharing experiences and learning.
Guest speakers included Haroon Malik, principal consultant at NCC Group, Peter Goodman, the UK Police’s national lead on cyber crime, Commander Chris Greany who is the national coordinator for economic crime, hacker Bruce Wynn (also calling himself Boris when he’s putting his black hat on) and a few others.

The focus was on the importance of the human factor in cybersecurity, as opposed to cybersecurity being solely software reliant.
One of the many very good points Haroon Malik made was that the vast majority of breaches occur due to human error (social engineering, device loss, etc.), yet most of the spending goes on security software and hardware. In essence, it doesn’t matter how many antivirus products and firewalls you have in place if the employees of your company are unable to recognize a phishing email and will click on any link.

This was a recurring theme throughout the day: security through education.

We’re used to hearing about viruses, worms and trojans, but Haroon identified 4 new members of the threat family: ever heard of “the travelling executive”, “the imperious boss”, “the careless vendor” and “the disgruntled IT manager”?
All of these have particular characteristics that make them a threat to a business’s cyber hygiene but they have in common that they are busy individuals for whom “taking 5” to think about how they’re managing their digital interactions is not part of “doing business”.

Unfortunately, too many companies take the approach of just being compliant with the law and nothing more.
They tick all the required boxes, and the only thing they require of their employees is that they sign the policy documents. But do the employees understand any of the threats? Is the company more secure as a result? Wouldn’t a bit more education about the threats businesses are facing be a welcome addition to the onboarding of new employees?

Where will change come from?
According to Haroon, it is critical for boards and C-level executives to be very supportive of their teams in changing their mindset about cybersecurity and bringing about the changes necessary to keep companies and their customers safe.
When addressing company leaders, Haroon doesn’t talk about the hackers of China, Russia or any scary sounding hacker groups. He talks about threats closer to home, with examples of similar companies that have sometimes gone out of business as a result of a cyber attack.

Peter Goodman talking about Leicester City FC (and a bit about cybersecurity)

Peter Goodman raised some of the challenges that businesses and the government face with regards to cybercrime.
On one hand, SMEs typically have less money than large companies to spend on cybersecurity. Hence, they represent the perfect opportunity for hackers targeting this long tail of vulnerable businesses.
On the other hand, most of the attacks come from Eastern Europe, and the UK Police can’t go after cyber criminals in Russia or Ukraine. However, their movements across the world are being monitored by the British police, who can then move in to arrest them when they go on holiday abroad.
The Deputy Chief Constable also strongly encourages businesses and individuals to report any fraud, breach or computer misuse to Action Fraud.

Action Fraud is the UK’s national fraud and cyber crime reporting centre and it is the only one of its kind in the world. Mr Goodman said the service is evolving and improving very rapidly and is now dealing with about 10 calls a minute, 24 hours a day.
Commander Chris Greany also invited SMEs to work with Law Enforcement to arrest criminals as they have all the data and evidence necessary to bring the perpetrators of cybercrime to justice.
Unfortunately, many breaches go unreported, as the cost to businesses can sometimes far exceed the amount of the fraud: the cost to reputation and the cost of acquiring new customers add a great deal to the money lost by businesses. Also, it takes on average 42 weeks for a business to realize they’ve been hacked.

Bruce Wynn in a “live hack” presentation

There’s nothing like a live hack, and Bruce Wynn drove the point home when he put on his black hat and became Boris. He proceeded to show the audience how he infected a PDF file with a piece of malware, all the while harvesting the Wi-Fi networks probed by people’s mobile phones with a Wi-Fi Pineapple.

After a full day talking about cybersecurity, here are a few points to keep in mind.
Businesses should:

  • make a list of who in their organization (and outside) has access to what data
  • have a process in place for removing access to company systems from employees leaving the company (and also for people moving internally)
  • consolidate and structure their data. Where is the intellectual property (IP) stored? Who has access to it? Is it secure?
  • be aware of documents shared by employees in the cloud and via personal email
  • move beyond being compliant and ticking boxes: training is everyone’s responsibility, not just the IT department
  • keep in mind that 1 breach is all that’s sometimes necessary to take an SME out of business

The next few years will be critical for SMEs, as it is not a matter of if they get hacked, it’s a matter of when.
With their employees properly trained about the risk and the appropriate response to adopt in case of an attack, companies can minimize the impact and sometimes save themselves from being wiped out.
