If ever there was a time that the news agenda could be blamed for increasing C-Level anxiety around the perils of cybercrime, 2014 would be it.
So far this year, we’ve seen Wm Morrison affected by the theft of payroll data of around 100,000 employees, Aviva writing to tens of thousands of customers after two employees sold details, and retail giant Target announced up to 70 million customers had data stolen in a pre-Christmas data breach.
On a broader scale, we’ve now found out that the ‘Heartbleed bug’, a major vulnerability in a version of security software that encrypts internet traffic between computers, could have made personal information and passwords available to hackers for the past two years.
According to the Department for Business Innovation and Skills (BIS), 93% of large organisations and 87% of small businesses had a security breach last year, with the average cost of the worst security breach of the year costing between £450K-£850K for large businesses and £35K-£65K for SMEs.
Shockingly, the research also showed that staff played a key role in many security breaches, especially where small businesses are concerned. In fact, 36% of the worst security breaches in the year were caused by inadvertent human error with 57% suffering a staff-related breach.
Yet, SMEs aren’t necessarily in the dark as to why: 17% know that their staff broke data protection regulations in the last year.
There is no denying that technology plays a key role in the protection of a business against cyber-attacks, but as this research suggests, it is not the only thing CIOs and security leaders should be concerned with.
Security companies are also increasingly becoming aware of attacks that use social engineering to obtain sensitive details, which are then used to gain access to resources within a company’s network or servers.
This shift in the types of attacks companies are receiving is down to criminals targeting platforms that are most popular with staff.
With more staff using social media and personal devices in the workplace, hackers are able to find out names, job roles and personal details of employees and adjust their attacks accordingly.
For example, it is possible to use new starters at a company who may not be trained-up on the dangers of socially engineered attacks and keen to make a good impression, as a way into the business.
By finding and contacting staff on Facebook and Twitter, using flattery, promises of fame or fortune, or presenting aggressive ‘customer’ behaviour, staff can easily be tricked into revealing details to those posing as potential customers or partners.
This is how Google.ie was hacked, and Nominet, the internet registry for .uk domain names, says it has been contacted from supposed customers that were turned down when it became clear they were part of what seemed to be a nation-state sponsored attack.
After all, a flustered customer support assistant could easily be pressured into making changes to an account by an aggrieved customer – if they haven’t been trained not to do so without the proper authentication.
So what can be done? There’s no magic bullet that can render a business immune from cyber attack – but there are a number of basic steps and precautions that lay the foundations for a more secure business.
Companies need to put more of an emphasis on training staff from all areas of the business – from the very top to the very bottom – to be aware of the different types of social-engineering threats and how to differentiate them from genuine customer or other issues. Advice sites like knowthenet.org.uk provide useful context for staff that’s accessible to even the least tech-savvy employee.
They should consider enhanced security testing to tighten up defences. For example, having regular cycles of ‘stress-testing’ defence barriers.
Sophisticated and on-going monitoring and insight is also important: for example, Nominet was able to find and fix a vulnerability that could have allowed a remote attacker to wreak serious damage on DNS servers, crucial lynchpins of the Internet and world wide web. The cyber threat landscape, as this year has proved, changes almost constantly – so this needs to happen regularly to be helpful.
Understanding when an escalated response is necessary, and who can support you in that event, is key. Nominet has started a pilot service called Cyber Assist, which aims to help smaller companies arm themselves with the knowledge, tools and expertise needed to detect, defend and protect against cybercrime
Taken together, all of these steps can help to reduce the risk of attackers being successful. And in addition to protecting a company, they would also contribute to a much-needed wider understanding of cyber security risks and opportunities. The internet is central to modern business and consumer life today, so CIOs must remember to tackle their efforts to mitigate cybercrime in collaboration. Vulnerabilities within one of their partners, suppliers, registrar or ISP could conceivably be used to target their business, so whatever they can do to instil a sense of cyber responsibility with all employees at all levels should be embraced.
These threats will continue to shift and grow. Businesses need to take a proactive approach, and encourage staff to do the same, in order to ensure that you avoid being the next casualty reported in the headlines.
Sourced from Simon McCalla, CTO, Nominet
