In the past few years, we have witnessed some of the largest, most costly cyberattacks on businesses to date.
Back in 2013, a man posing as a BT engineer entered a London branch of the Santander bank and attempted to install a device known as a keyboard, video and mouse (KVM) switch, which would have allowed hackers to access the bank's network from outside.
The gang behind the 21st-century heist operated out of a small office in a shed in Hounslow, west London. They had planned to connect to the device over wi-fi and transfer funds electronically.
Luckily, the plan was foiled following an intelligence operation led by officers from the Metropolitan Police’s special E-Crime unit. They tipped the bank off that it was being targeted by hackers, although they were not sure which branch might be under attack.
Detective inspector Mark Raymond, of Scotland Yard's Police Central e-crime Unit, warned at the time: 'This was a sophisticated plot that could have led to the loss of a very large amount of money from the bank, and is the most significant case of this kind that we have come across.'
The starting point for hacks
The good news is that due to such widespread media coverage, businesses are more conscious than ever about security and are much more inclined to protect their systems from such hacks. The trouble is, no matter how sophisticated an attack may be, most hacks start by tricking an employee, with something as simple as clicking on a dodgy link or opening an infected attachment.
Security is no longer an issue solely for the IT department or technology experts within the business – it is now a universal issue, with each and every employee a potential entry point for unscrupulous cybercriminals. But can we trust the user to protect themselves? The common theory is no. However, this generation of workers is savvier than the industry sometimes gives them credit for.
But can you be sure that your employees understand what spear-phishing means? Do they understand watering-hole attacks? It’s vital to find a simple way to ensure the threats are understood by employees at all levels.
The curse of the authorised intruder
It’s not just those on your payroll that you need to educate and monitor. A modern business has the proverbial revolving door of visitors to its offices, whether they are contractors, clients, partners, delivery drivers or salesmen hauling their wares.
How much freedom should you give them? For example, is it ever a good idea to allow the contractor who visits your office each week to connect his USB stick to a company computer? After all, knowingly or otherwise, this device could be infected with malware, ready to infiltrate the company’s system and steal valuable information.
Lessons learnt from Stuxnet
At the beginning of the decade, one of the most famous cyberattacks of all time played out, as an Iranian double agent working for Israel used a standard thumb drive carrying a deadly payload to infect Iran's Natanz nuclear facility with the highly destructive Stuxnet computer worm.
Stuxnet quickly propagated and knocked the facility offline, temporarily crippling Iran's nuclear program. The perpetrators knew that using a person on the ground would greatly increase the probability of infection, as opposed to passively waiting for the worm to spread through the facility's computers on its own.
Time for class
Robust security technology is a great starting point, but all the technology defences in the world can't help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources.
From the largest multi-national organisations to innovative start-ups, it is imperative that employees are taught about the different security risks facing them and how best to prevent them. From creating security do’s and don’ts to running in-depth training sessions, there are simple steps that all businesses can take to make the complicated matter of security more human.
Training employees is now a critical element of security. Whilst most are now happy inhabiting the online world, they need to be reminded of the value of protecting sensitive data and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online. Most importantly, they need to understand the policies and practices they are expected to follow regarding Internet safety.
With proper education, organisations can empower staff to protect their endpoints, and ultimately add an extra layer of defence for the valuable data that resides in all modern-day businesses.