Your Biggest Cyber Security Threat? It’s All About People
Ekco's Head of NetOps looks at the role your employees play in keeping your organisation safe, including some best practices he has been applying for over 20 years.
This blog comes from Nigel van Houten, Head of NetOps at Ekco, who is based in Alkmaar.
Cyber security is the practice of keeping computer systems like laptops, smartphones, servers and networks safe, including the data which resides on those systems. In this blog, I’d like to explain what cyber security means for your business and why the biggest risk to the security of any IT system is always your people.
Security breaches cost companies lots of money. I could share some numbers but alone they don’t mean a lot and only tend to show the financial impact. Instead, try and picture telling your customers, leads, patients or people that something has gone badly wrong.
Whether their data has been lost; they can no longer access services they need, or you’ve just found out that unknown admins have had access to your system for some time – it’s never going to be a pleasant conversation.
Close your eyes and visualise the situation. Your core services are unavailable. Your phone vibrates non-stop as people demand answers and updates. Feeling some discomfort? Good. When it comes to IT security, you should never feel completely comfortable.
The Biggest Cyber Security Risks
First things first: let’s look at the fundamentals of cyber security, or information security as it’s often called. There are several areas where security comes into play. Here, we’re going to go through the most common.
- Network Security: The basic art of keeping the bad guys out of the network. That is fairly easy: just cut all the wires to the internet and you’re safe. But as soon as we start using services on the internet, we find that it gets complicated. Network security has shifted from closing doors to opening only the doors that are permitted.
- Application Security: This accounts for most of the data breaches that take place within a system itself. Bad coding, wrong configuration, old software… all of these create potential security incidents within an application. As stated above, sooner or later we will be letting people in to use the application – so we need to make sure they can’t open any drawers and cabinets we don’t want them to.
- Information Security: Information security is about protecting data that is stored within an application or is being transferred between systems.
- Security Operations: All of the processes and policies enforced to make sure the network, application and data are kept safe while ensuring it is accessible for those who are allowed to have access.
- Business Continuity and Disaster Recovery: Business continuity is your plan so that, when something does go wrong, you know what to do. It’s all about preparing for disasters and subsequently recovering from them. You plan for the worst case to provide a lifeline in any situation. This means that, if you are on the phone with a customer who can’t access data or services, you can give them an indication of how long it will take to restore their data, or get things back up and running.
- The Human Factor: Finally, the fun part. Even if you have the best technology, security management and disaster recovery in place, we still have to deal with people. There’s an old IT joke that’s been doing the rounds for decades: everything would run just fine if it wasn’t for people interfering!
Social engineering – using human interaction to carry out malicious activities – is still a huge security risk, and this has been the case for over 20 years. Your people need to know that everything they do and share will be used against them.
Social Engineering: the Biggest Threat to Your Organisation
Right after finishing my Information Security studies and becoming the first (and youngest) Security Officer at the university where I worked, I learned that the biggest security risk is an open mouth.
We all got a t-shirt with the classic Rolling Stones logo to remind people about the risk of an open mouth. We trained staff not to tell random people about the institution’s structure, or the systems we used. Don’t give anything away that could give people the upper hand.
The idea behind this phrase was simple. No matter what technology we implement and how perfect we make it, if we don’t spend enough time training our employees in how to deal with security and what not to share, we’ll still have security incidents.
Fast forward 20 years and social engineering is the biggest cause of security incidents, and 30 per cent of all breaches involve social engineering. And social engineering is far-reaching, essentially covering anything that tricks people into doing something that they shouldn’t. For example…
Phishing emails
These are emails that try to convince you to click somewhere or do something. One of the best known and oldest is the ‘I love you’ email, which dates back to the year 2000. We all want to feel loved and, as a result, this scam email was hugely successful. It was one of the fastest-spreading viruses ever and is estimated to have caused $5.5 billion in damages.
Cold calling to gather information
I worked in banking and insurance for around a decade and was responsible for a range of different IT projects. Every week, I would receive calls from ‘someone who sounded familiar’ who needed information about a particular person or system within the organisation.
This sounds rather innocent, but criminals take their time preparing the heist, and these short phone calls play their part in an attack on the entire company down the line. Hackers aren’t checking the physical security; they gather insight from the inside and focus on digital security. The information they collect is used to find vulnerabilities in technology and people. For example, hacking the accounts of an important employee might provide information that can be used to blackmail them.
Cyber Security Fundamentals Don’t Change
Going back to that uncomfortable feeling at the start of the post when we think about a security issue: I think it’s important that we feel discomfort when considering these situations. It pushes us to think proactively and lowers the risk of security incidents. So what do we do to stay safe? Well, essentially, there are three things I needed to do 20 years ago when I worked at the university. All of them still apply 20 years later. The three fundamentals are…
Have a plan for cyber security
Imagine building a house with five doors. One door has three locks, two have one lock and the others no locks at all. Why even bother to have one door with three locks? Unless you’re sure all thieves will only try that one door, you’re spending money in the wrong way. Make sure all five doors have one lock. For our complex, modern-day IT environments, this means having a decent plan. This should consist of a baseline, a policy, procedures and a plan-do-check-act cycle. So yes, audits too.
Acknowledging cyber security is yours to defend
The receptionist is one of the first lines of defence in security. This person should ask anyone requesting information ‘why?’ and also verify the background and intentions of the caller. Make everyone part of the cyber security defence. People should ask for less access rather than more to do their job. Instead of thinking about what makes their life easier right away, your staff should be questioning whether what they do contributes to keeping customers, data and services safe. Just like locking the door every time you leave the house, security should become part of everyone’s behaviour.
Prepare for the worst, hope for the best
I’m a big fan of one-liners – I hope there aren’t too many in this blog. This one, however, must be included. It’s about being prepared when the visualisation from the start of the blog happens. Put yourself back in that situation and imagine losing control of all your systems again, but this time knowing exactly what to do. That’s better, isn’t it?
Business continuity planning and disaster recovery prep should be fun and not just something we do because our legal team or certification institute demands it. As for hoping for the best? Well, we can always hope nothing bad happens. Prevention and preparation just make hoping a little less important.
Wrapping things up, I can imagine you’re thinking about how busy you already are, running a business or department. Plus, daily operations already cost a lot. How will you find time and budget to follow my advice?
Well, the question you need to consider is: what happens if you don’t? My personal view is that, in 20 years, the companies that take cyber security seriously today will still exist. The ones that don’t take it seriously won’t.
Don’t lose sight of cyber security fundamentals. Keep educating yourself and your teammates. Educate your staff: from the intern to the CEO, they all play a role in keeping your organisation safe.