You Are (Increasingly!) The Weakest Link…
With cyber-crime increasing exponentially and attacks becoming more sophisticated and targeted, it’s the human factors rather than technology that present the greatest risks…
There are now numerous examples of cyber-criminals targeting human rather than technical weaknesses, with phishing, whaling and ransomware attacks now commonplace and a significant cost to businesses of all shapes and sizes.
The current legislation doesn’t always help with this: an unsupervised homeworker was able to take 28,000 photos of customer information from her computer screen, which she then sold for £5K before being caught after her ‘unusual’ behaviour was finally detected. She was subsequently charged and found guilty; however, the resulting fine of just £1,000 is hardly likely to be a deterrent for her or others like her. The ICO specifically commented on this case and on the need for stronger penalties, including custodial sentences, to provide a stronger deterrent for individuals.
“90% of all malware require human interaction before it can infect its target.” (Source: Educause Quarterly/Symantec)
Even when an organisation does pretty much everything right, human weakness can be exploited. Lincolnshire County Council made the headlines in early 2016 when it was hit by a ransomware attack that resulted in all of its IT systems having to be shut down. At first glance this looks like a bad news story; however, the post-mortem revealed a very different perspective.
Lincolnshire CC was using up-to-date firewalls, email filtering and anti-virus software. However, this ransomware exploited a previously unknown “zero day” vulnerability and made it into end-users’ mailboxes, where a single end-user clicking on it launched the ransomware attack that started encrypting internal files. Fortunately, the CC had good monitoring tools in place and an effective response plan – not only did they shut off all their IT systems and successfully invoke their Business Continuity plans, they also alerted other similar organisations to prevent them from being affected. By using backups and working with third-party partners, they then restored the files successfully to their pre-infection state, updated their anti-virus controls and fully restored all IT services within 6 days.
Would your organisation be able to respond so completely and effectively? How confident would you be that you and your end-users are well enough educated and informed to not click on suspicious emails?
The ‘technical basics’ – such as firewalls, encryption, anti-virus and patching – are now generally well covered, and you can expect these to be increasingly ‘built in’ by manufacturers – for example, Apple’s iPhone encryption and Microsoft’s automated patching for Windows 10. However, it’s also important to go beyond this and make sure that users are well educated and that suitable monitoring is in place to pick up and quickly deal with ‘suspicious’ human behaviour.
“If you don’t know what you have and who has access then you can’t protect it.”
Banks and other financial institutions are already well down this route, with significant investments being made in dedicated teams and tools to keep their customers and their own reputation safe. You will need to make your own informed decisions on how much to invest based upon the information you look after and the risks you are facing – this needs to start from a good understanding of what your most important information assets are, both electronic and paper.
If you don’t know what you have and who has access then you can’t protect it (or measure and improve it over time – for example, drive data quality improvements supporting faster, better decision making).
Knowing what your most important information assets are is essential if you are also going to educate staff and establish the right culture and awareness to protect information. This needs to be led right from the very top of the organisation – the best and most cost-effective information governance and security frameworks rely more upon good people and processes than technology.
For your most important and sensitive information it is also increasingly important that your applications have been well thought out in terms of rigorous user access controls, and that there are good, comprehensive application logs that allow you to see who has done what, and when, and – more importantly – to pick up and alert on any ‘unexpected’ end-user behaviour quickly. These then need to be wrapped around with reliable processes (e.g. new starters/leavers, change of job role, regular checks on activity) and effective people – with business managers taking ownership for seeking assurance on the security of the information they are responsible for.
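As an added illustration (not code from the article or from any of the organisations it mentions) of the two checks just described, the script below runs over a constructed application access log and flags any user who views an unusually large number of customer records in one hour, plus any account that is still active after HR has recorded the person as a leaver. The log format, the user names, the threshold and the leaver list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample application log (not from the article). Each line is
# "<ISO timestamp> <user> <action> <customer record id>".
SAMPLE_LOG = """\
2016-03-01T09:00:12 alice VIEW_CUSTOMER 10001
2016-03-01T09:05:40 alice VIEW_CUSTOMER 10002
2016-03-01T09:07:03 bob VIEW_CUSTOMER 10003
2016-03-01T09:10:00 carol VIEW_CUSTOMER 10004
2016-03-01T09:10:05 carol VIEW_CUSTOMER 10005
2016-03-01T09:10:09 carol VIEW_CUSTOMER 10006
2016-03-01T09:10:14 carol VIEW_CUSTOMER 10007
2016-03-01T09:10:18 carol VIEW_CUSTOMER 10008
2016-03-01T09:10:22 carol VIEW_CUSTOMER 10009
2016-03-01T09:10:27 carol VIEW_CUSTOMER 10010
2016-03-01T09:10:31 carol VIEW_CUSTOMER 10011
2016-03-01T09:11:00 dave VIEW_CUSTOMER 10012
"""

# Assumed feed from the starters/leavers process: accounts HR says have left.
LEAVERS = {"dave"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (hour_bucket, user, action, record_id); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, rec = m.groups()
            yield ts[:13], user, action, rec   # "YYYY-MM-DDTHH" is the hour bucket


def detect(text, leavers, views_per_hour_limit=5):
    """Return {'high_volume': users over the per-hour limit,
               'leaver_activity': leaver accounts seen doing anything}."""
    distinct_views = defaultdict(set)   # (user, hour) -> distinct records viewed
    leaver_hits = set()
    for hour, user, action, rec in parse_log(text):
        if user in leavers:
            leaver_hits.add(user)
        if action == "VIEW_CUSTOMER":
            distinct_views[(user, hour)].add(rec)
    high = {u for (u, _h), recs in distinct_views.items()
            if len(recs) > views_per_hour_limit}
    return {"high_volume": high, "leaver_activity": leaver_hits}
```

In practice the limit would be derived from each role’s normal working pattern rather than a fixed number, and the alert would be routed to the business manager who owns that information.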
With increasing risks across a plethora of devices, applications and cloud services providing wider and faster access to more and more information, you need to be confident that you have appropriate information governance and security in place. Ignorance is no excuse, particularly with GDPR due to come into effect in 2018 and potential fines being increased from £500,000 up to 4% of global turnover or EUR 20M – and that’s not including potential reputational damage…
Don’t be the next TalkTalk or Yahoo – make sure that you have built appropriate information governance and security into the DNA of your organisation sooner rather than later, to make you safer and stronger for the future.