IN THE FINAL PART OF OUR 3-PART SERIES, BASKERVILLE DRUMMOND REPORTS ON THE TYPES OF ACTION YOU CAN TAKE ON CYBER SECURITY.
Last week we discussed the types of threat and how they do it. This week we are discussing the different ways you can take action against cyber crime.
CYBER SECURITY – INTRODUCTION
Cyber crime accounts for nearly 50% of all reported crimes and cost UK businesses an estimated £30bn in 2017. With 43% of businesses reporting a cyber attack or breach last year, the movement of criminal activity from the physical to the cyber world shows no sign of abating.
Against this threat firms have a duty of care to:
- Protect privileged client information
- Ensure the business can operate
- Protect brand value
- Protect staff welfare
In order to do this most firms have embarked on a program to increase their cyber security (the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorised access).
With the tightening of technology-based security, attackers are moving from “old school” hacking, where they seek to gain access to systems via a direct connection to your network, to social engineering hacking. This is where they seek to trick people into providing the access and bypass the security solutions by using intelligent “scams” based on data harvested from various sources.
This change of approach has put staff members at the forefront of cybercrime activity. In a recent survey 91% of IT professionals highlighted “users” as a major vulnerability, with 62% believing this to be the largest threat. This is borne out by the fact that 72% of data breaches are directly attributable to staff receiving fraudulent emails and 67% of targeted attacks are aimed at junior members of staff.
It has to be accepted that human behaviour is the biggest risk to a firm’s security, but it should also be recognised that staff members are now under constant attack from organised cyber criminals and therefore need education and protection from social engineering hacking.
PRACTICAL ACTIONS AGAINST CYBER CRIME
WHAT CAN WE ASK STAFF TO DO?
There are three areas where staff can help protect themselves and the firm:
1. DATA SECURITY
- Keep PCs/Macs secure
- Log off and shut down personal computers (PCs, Macs & laptops) when not in use or outside office hours.
- Ensure all PCs, laptops & mobiles are secured with a password-protected screen saver with the automatic activation feature set at 30 minutes or less.
- Keep devices secure
- Secure and store out of sight any portable equipment such as laptops, mobile phones, and tablets such as iPads, in a locked drawer or cabinet when not in use.
- Secure and store out of sight any data media, such as CDs, when not in use. If they contain highly sensitive or confidential data, they must be locked up or encrypted.
- Keep your PC safe
- Scan media such as data disks, CDs, DVDs and other portable storage devices from unknown or 3rd-party sources for viruses and malicious software, using a machine that is not connected to the network, before accessing them.
- Do not download and run files or open email attachments from unknown, suspicious or untrustworthy sources. These files may contain viruses and malicious software.
- Do not use USB ports on your desktop computer or laptop for connecting non-IT-approved devices, such as USB flash or disk drives, cameras, mobile phones, etc.
- Do not copy data onto your personal PC.
2. EMAIL SECURITY
Always look out for fraudulent email. Viruses, malware and ransomware are often delivered via e-mail which looks to have been sent from an authentic source, but there are usually tell-tale signs.
The main points to double check in all e-mail messages are:
- Is the message from an unknown person/e-mail address or company?
- Is the e-mail address suspicious, e.g. does the display name not match the e-mail address?
- Are there attachments on unsolicited or unexpected messages, even if from apparently internal or official e-mail addresses?
- Does the message have a generic salutation?
- Does the message contain any links?
- Is the message requesting you take urgent action, open attachments or follow links?
If you receive an e-mail with one or more of the above characteristics, it should be viewed with suspicion.
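As an added illustration (not part of the Baskerville Drummond article), the six checklist questions above written as a small Python screening function and run over two constructed messages. The known-sender list, the generic salutations and the urgency phrases are assumptions made for the example, not the firm's own rules.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed address book of senders the firm already knows (constructed for this example).
KNOWN_SENDERS = {"alice@example.co.uk", "helpdesk@example.co.uk"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear sir", "dear madam", "hello,")
URGENT_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")

def _plain_text(msg) -> str:
    """Join the text/plain parts; multipart containers have no payload to decode."""
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def phishing_indicators(raw: str) -> list:
    """Return the checklist items a raw RFC 822 message trips; an empty list means no red flags."""
    msg = message_from_string(raw)
    display, addr = map(str.lower, parseaddr(msg.get("From", "")))
    text = _plain_text(msg)
    first_line = next((ln.strip().lower() for ln in text.splitlines() if ln.strip()), "")
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)  # address hidden in the display name
    checks = [
        ("unknown sender", addr not in KNOWN_SENDERS),
        ("display name does not match address", bool(embedded) and embedded.group() != addr),
        ("attachment on message", any(p.get_filename() for p in msg.walk())),
        ("generic salutation", first_line.startswith(GENERIC_SALUTATIONS)),
        ("contains links", bool(re.search(r"https?://", text))),
        ("urgent action requested", any(p in text.lower() for p in URGENT_PHRASES)),
    ]
    return [label for label, hit in checks if hit]

def is_suspicious(raw: str) -> bool:
    # The article's rule: one or more characteristics means view the message with suspicion.
    return bool(phishing_indicators(raw))

# Constructed sample messages (not real mail) to exercise the checks.
PHISH = """\
From: "helpdesk@example.co.uk" <support-desk@mail-example.net>
Subject: Action required: password expiry

Dear user,
Verify your account immediately at http://mail-example.net/reset
or your account will be suspended.
"""
LEGIT = """\
From: Alice Smith <alice@example.co.uk>
Subject: Lunch on Thursday

Hi Bob, are you free for lunch on Thursday? Alice
"""
```

The "unknown sender" check on its own will flag every external correspondent, which is exactly what the article's "one or more characteristics" rule asks for; a firm would tune the lists to its own address book.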
Unsure about an email?
- Do not open any attachments or click on any links
- Delete the message or contact the Helpdesk for advice
- Never forward the message on to another person
- Think before you click!
3. PASSWORD SECURITY
Passwords are the bane of modern life but remain one of the major weaknesses, with an estimated 3% of people still using “password” for their password!
All precautions must be taken by the owner of a password to safeguard its confidentiality. You should treat passwords like your personal bank PIN, and good practice suggests you do not:
- Share your passwords with anyone, including colleagues, even when going on holiday
- Write passwords on a pad or sticky notes in your work environment
- Reveal your password over the phone to anyone
- Include your password in an email
- Use the same password for work and personal use
- Use the same password for different systems
Given the number of systems we use on a day-to-day basis, it is easy to end up in “password hell”. However, it is also advised not to use a “password database” app, as several of those have been hacked or are fake applications that harvest passwords.
Instead we would recommend that you have a different password for each major system which holds important data and a more common password for sites with less important information (e.g. BBC iPlayer).
HAVE YOU BEEN GOT?
There is a very useful website, “Have I been pwned” (https://haveibeenpwned.com/), which is a database of email addresses known to have been compromised or involved in a data leak.
Ask staff to check their email addresses regularly on this site and to change their passwords immediately if their email address appears there.
Most firms will have appropriate procedures in place but there should be a regular staff briefing to update on the scams which are currently active and the activity you are seeing as a firm.
Staff need to be able to report any cyber threats they experience, especially those involving coercion. Firms would be advised to set up a notification process for such occurrences and to treat employees as vulnerable to such activities.
Full whitepaper available here.