People are often the most overlooked and underestimated weakness in a company’s cyber security. NIG’s Justin Clarke and Graeme McGowan of BeCyberSure and Optimal Risk Management explore the risks.
Justin Clarke is director of underwriting and pricing at NIG and Graeme McGowan is technical director of BeCyberSure and associate director of Optimal Risk Management.
It’s morning, and a woman walks into your company’s head office. She tells the receptionist she’s the landlord of the building next door. She’s supposed to be showing around prospective tenants. But in her rush from home she forgot to bring the planning documents to show the tenants. She asks if she can quickly plug in her laptop, download the plans and print them off. The receptionist understands her predicament and agrees. Five minutes later the ‘landlord’ has infected your computer systems with malware. And you know nothing about it. Sound far-fetched? Think again. This is just one of the many war-gaming scenarios Graeme McGowan from BeCyberSure and Optimal Risk Management organises to warn companies of the weakest link in their information security: people.
What this scenario clearly illustrates is that while a company can spend thousands of pounds on IT systems to safeguard its business, it can’t prevent employees undermining all that investment, whether by mistake, under duress or, most commonly, through a simple lack of awareness.
Ignorance isn’t bliss
In fact, ignorance is one of the biggest threats to a company’s defences against cyber crime. There’s a worrying perception, particularly among SMEs, that the cost of securing a business is not always equal to the risk of attack. This goes some way to explaining why so many companies are attracted by the IT vendors’ pitch of an automated solution – a one-stop shop for all their cyber security issues. This magical panacea does not exist. Yes, you need the robust technical defence, but you also need to invest time and effort to make sure your people aren’t going to subvert it by the most basic of errors. In this context, basic errors include clicking on a phishing email, weak passwords, and indiscreet conversations in the pub or on social media. All can open up a world of opportunity to the seasoned cyber criminal.
Being compliant doesn’t mean being secure
While tough to eradicate, companies can substantially reduce these errors by working towards being secure, rather than just being compliant with regulatory regimes. Instead of asking ‘have we ticked all the boxes?’, management should be aiming to embed a culture of security. This has to come from the top of the organisation – from the CEO and CIO – right down to the security guards and receptionists. You need a well-trained, well-aware workforce looked after by a management clearly interested in the issue.
Prioritise your vulnerabilities
One problem is that many companies think they have nothing of interest to hackers. This is a monumental misjudgement. SMEs – particularly suppliers – are often used as a back-door route into the juicier prey of larger corporations. An example of this is Target Corp, where hackers stole 40 million credit card numbers. Security and compliance can be a major drain on cash and resources, but it’s about priorities. Reduce the amount you’re trying to make secure, and spend more time making that secure. Client data, how you pay money, how money is moved around – this is information always worth defending.
Education, education, education
One of those priorities should be people and their education, but management often plump for the online compliance packages that keep employees at their desks while satisfying the regulators (box ticked). But imagine if you got your employees in a room and talked about information security for a day. It’s all about keeping the idea of security front of mind. There’s also more chance of it sinking in and reappearing later when they might really need it – like that receptionist. Training is often seen as dead money. But if you think compliance is expensive, try non-compliance. Research suggests that up to 80% of unprepared businesses that suffer a serious cyber-breach and have no decent crisis management plan in place go out of business within 18 months.
No one and no company can be 100% secure. If someone promises you that, show them the door! Building a resilient defence means having the right culture, one that comes from proactive engagement from the top of an organisation, the right priorities and a well-crafted governance regime. Do that and you’ll have a much better chance of weathering a breach.