The Human Firewall

The Human Firewall

Highlights

  • Cyber criminals can gain information via social media accounts and pose as managers using inside information

  • Staff are best placed to recognise unusual behaviour and should be encouraged to question and double-check anything amiss

It’s true that cyber criminals specifically target employees, but it doesn’t take much to turn the team into your best line of defence...

Employees have become an awkwardly weak link in the cyber-security chain, and with recent attacks on the NHS, the issue of cyber safety has moved up the agendas of company boards. Reports suggest that 90% of cyber attacks begin with the bad guys targeting staff rather than the tech that they are using. For the criminals it makes perfect sense: why take on the firewall-loving IT department when an unaware office worker will let you straight in?

By far the easiest way for a criminal to get into a company’s computer system is to dupe staff into opening an email link that unwittingly installs malware. Phishing scams like this can then give the cyber criminals access to confidential company information, which can be stolen and sold, or returned to the business for a ransom.

In the report ‘Building Confidence: Facing the Cybersecurity Conundrum’, Accenture surveyed 2,000 executives across 15 countries, including a sample of 124 Irish businesses across all sectors. It found roughly one in three targeted cyber attacks resulted in a security breach in 2016. Everyone already knows these scams exist, yet the majority of those surveyed were confident in their ability to protect their enterprise.

The new gold rush
“Cyber attacks have become the new gold rush,” says Norman Mortell, a board member of the Humber Business Resilience Forum, which was set up in the summer to help the region’s businesses tackle cybercrime. “The reason they’ve become so popular with organised gangs in particular is that when they used to focus on drugs and guns they could only sell them once. Data and personal information can be sold again and again.”

The good news is that you don’t need to spend millions on a fortified bunker to boost your cyber defences; you just need to educate your team. The trick, says cyber-security expert Orlando Scott-Cowley, is to get people to take responsibility for their own security at work. “People are often quite serious about such things at home,” he says, “because they don’t want their Facebook account hacked, but in the office they’re less serious about it.” The reason, he says, is that they believe security is IT’s domain.

To rectify this, Scott-Cowley thinks that all employees should go through formal training so that everyone understands the cyber criminals’ tactics, but says that reminders and updates should be more informal to stop people switching off. “Do desk drops with balloons, get someone standing in reception wearing a bear outfit with a placard reminding people of the key points,” he suggests. Anything that prevents the issue from becoming stale.

Social engineering
Employees also need to stop taking things at face value. They need to question things. They need to know that the person on the end of the phone might not, in fact, be their MD or a supplier, as they purport to be, and that they might actually be talking to someone who has employed what’s known as ‘social engineering’ tactics.

“Social engineering used to be about meeting someone and extracting information from them or going through the dustbins to find passwords,” says Kevin Else of Cyber Security Partnership. “These days, criminals can socially engineer electronically by finding employees on Facebook or Twitter.”

Smart criminals can access workers’ social media feeds to guess passwords (family members and pet names are popular) and also to work out the optimum time to pose as key employees. “They find out that the manager is on holiday this week,” Else explains, “so on the Monday they send an email to accounts as that manager saying: ‘While I’m away we need to send some money here.’”

While employees’ loose (digital) tongues are part of the problem, their eagle eyes are rather good at spotting attacks that have used social engineering to gain inside information. This is an important line of defence that should be leveraged; employees should be made to feel like part of the solution.

Freedom to question
In fact, creating a culture in which staff are educated about cyber-security risks, given tools to help combat it (see below) and given the freedom to question the unexpected has never been more important. Else says it’s vital that staff understand that they can make a difference.

“They know what is ‘normal’,” he says, “so they’ll be the first to spot something unusual. Let them know that it’s OK if they take an extra moment to check something.”

Fear of not wanting to rock the boat could cost your business dearly.

 
“Social engineering used to be about meeting someone and extracting information from them. These days, criminals can socially engineer electronically by finding employees on Facebook”

 
Kevin Else, Cyber Security Partnership
Five ways to keep your business safe
If you want a first-rate ‘human firewall’, start by getting your team trained in cyber security and then try these…

  • Have an incident-handling policy: “There’s a good chance in a reasonable-sized organisation that you will get a virus at some point,” says Else, “so people should know what to do and who to talk to.” Scott-Cowley adds: “Tell staff about threats that are happening right now. People often forget to tell teams what the threat of the day is.”
  • Use better passwords: fixing password issues is easy – use a passphrase instead. “We use a passphrase that is longer than the standard eight letters,” says Mortell. “It’s easy to remember but almost impossible to crack.” Song lyrics are good; for maximum unfathomability, try taking the first letters of words of a line from a favourite song and throwing in some numbers and non-alphabetic characters.
  • Don’t connect personal devices to work hardware: “Don’t plug your phone into your computer to charge it,” says Else. “Use a wall socket. A smartphone is a very powerful machine these days. Connecting a smartphone to a desktop PC opens up the PC not only to whatever software or malware is on the phone, it also opens up the PC and thereby the company network to everything the phone can connect to. It means that 3G, 4G, Bluetooth and wifi could become uncontrolled access points into your network.”
  • Have a social media policy: “This should include rules for work but also advice for home as well,” says Mortell. “Things like maximum privacy settings on all accounts, and an understanding that anything you say online is like walking down Oxford Street with a sandwich board on."
  • Be careful about taking work home: “Sometimes people don’t have time to finish a document they’ve been working on so they send it to their home email to work on it,” says Else. “All of a sudden you’ve got an environment that is not part of the corporate infrastructure and so the security controls you have at work will not be in place.”
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Tuesday, 13 November 2018
If you'd like to register, please fill in the username, password and name fields.

Member Login

Business Insights & Tips

Leaderboard

1
Michael Lane
784 Points
2
Jill Holtz
768 Points
3
Ron Immink
732 Points
4
Fionan Murray
689 Points
5
ContentLive
270 Points
View Leaderboard