The Weakest Link

I’ll make no apologies for another article about Cyber Security. According to the British Chambers of Commerce (BCC) (http://www.britishchambers.org.uk) digital survey, which was published last week, 20% of the c. 1,200 businesses responding had fallen victim to a cyber attack in the previous year. Narrowing the results to “larger” businesses (with more than 100 employees), the percentage which were victims of cyber attacks rises to 42%.

The BCC concludes that big businesses are far more likely to be victims of cyber attacks than small businesses. The BCC also tells us, from the responses to its survey, that:

“Only a quarter (24%) of businesses have cyber security accreditations in place.” and “Smaller businesses are far less likely to have accreditation (10% of sole traders and 15% of those with 1-4 employees) than big businesses (47% with more than 100 employees).”

From this it seems to me quite reasonable to extrapolate that larger businesses with more sophisticated IT knowledge and systems, including businesses which have gone to the trouble of acquiring cyber security accreditations such as ISO27001 or the UK Government’s Cyber Essentials Scheme, are roughly twice as likely to fall victim to cyber attackers as small businesses with very basic IT systems and minimal IT and Cyber Security skills.

The reality of course, aside from the statistics, is that whilst schemes which encourage organisations to keep their access controls and technology up to date and minimise technological vulnerabilities are a good thing, the biggest cyber security vulnerability in any organisation is its employees. The more employees you have using your computers, the more likely it is that one of them will make a human error which allows the bad guys access into your systems. The primary focus of corporate cyber security strategy needs to be directed at preventing human error, and the data from this survey and many others reinforces the message that however sophisticated your IT defences may be, the primary spend on cyber security needs to be directed to the weakest link - human fallibility.

Of course your employees don’t mean to open the virtual door to cyber criminals, but most of the effort invested by the black hats is not in finding new “zero day” (not seen before) technology vulnerabilities; it’s in conning people. Most successful cyber criminals are first and foremost con-men, not safe-crackers. They don’t climb in through the open upstairs window like a cat-burglar; they persuade someone inside to unwittingly open the front door and let them in.

That persuasion may be based on an employee’s function or role in the organisation, or it may exploit their human nature as epitomised by Maslow’s well-known hierarchy of needs. It may be crafted to broadcast to a wide audience in order to stumble across the small minority of people who might fall for it, or it may be precisely targeted at a single person who has been extensively researched by the con-men to ensure their “offering” is pertinent and credible. Either way, all the cyber con-man needs to do is persuade someone in the company to open an email or click on a web hyperlink that appears relevant but actually causes the user’s computer to pull the malware through the cyber security defences and into the organisation’s IT systems as though the user had asked for it. For the most targeted of these cons the cyber criminals may spend weeks or months researching the intended victim and crafting their pitch accordingly - they will put a lot of effort into fooling someone who can authorise a big payment, or who has access to the most sensitive commercial information or the highest level of IT systems access in a company.

Given the criminals’ expertise in conning their victims it is not surprising that they get a good hit rate. Ultimately their challenge is not to find a way of breaking through the organisation’s Internet perimeter fence; the route to cyber crime success is to persuade the right person to invite them inside as official and trusted guests. Most commonly that means persuading someone to do something which downloads malware agents via the web or email, which the cyber criminal can then use to spy on, manipulate or damage IT systems and data, but in some cases it means actually inviting the criminal onto the premises in person, so he can surreptitiously install his hacking equipment. People appearing to be computer, printer, electrical or building maintenance engineers, office cleaners, or any other visitor who might appear to have a valid reason for touching your computers or using an electrical socket which happens to be adjacent to a network connection can easily install a device which creates a covert bridge between your organisation’s IT systems and the outside world. This can then be used to monitor and control your internal IT systems from outside your security perimeter. Typically the equipment used is no bigger or more suspicious in appearance than a standard 13-amp plug.

Whether the cyber criminal gets past your defences by conning your employees into clicking on a malicious hyperlink, or by persuading them to let him inside to service your laser printer, really makes no odds; all that matters is that he is inside, past your expensive perimeter defences, where he can leave software or hardware behind that will give him the ability to remotely monitor your systems and take control. If you can prevent this by educating your employees so that they understand the threats and are appropriately paranoid, then you can significantly reduce your organisation’s risk of being a cyber crime victim.

Obviously you can’t neglect your organisation’s cyber security perimeter defences; that would be analogous to leaving all the doors and windows open when there’s no one at home. But in designing your cyber security strategy you need to understand from the outset that the technology-based perimeter defences and access controls are nothing more than a deterrent to the casual criminal - the professional cyber criminal will simply look for a way to have your employees unwittingly “passport” them to the inside. Therefore the major priority of your cyber defence strategy has to be focused on mitigating the human fallibility of everyone in your organisation, from the CEO to the contract cleaners who come in at the end of the day to clean up.

Obviously technology can help - systems which scan emails, attachments and web pages for embedded malware before they are allowed onto your computers, and systems which check that the links your staff might click on in emails and web pages are not known to point to malicious sites or files. These defences directly assist your employees in avoiding cyber threats, but they are far from perfect. It is comparatively easy for the criminals to create a new delivery mechanism, from a new website or email account, that will get past such defences - no cyber security technology is foolproof, and the cyber criminal only needs to get lucky once.

You can restrict access to prevent your staff from using a wide range of social websites or receiving email from domains not normally used for business purposes - and you will quickly discover that some of your customers, suppliers or staff need to use these. Restrictions are useful, but they will probably inhibit someone: if you inhibit your customers they will complain and go elsewhere, and if you inhibit your staff from serving your customers they will look for a backdoor route around your defences so that they can do their jobs! Restrictions on employee Internet access need to be handled carefully; the cyber security technology objective must be to protect employees from specific threats, not to put in place blanket restrictions which intrude on business.
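The two preceding paragraphs describe link and sender checks against lists of known-bad and known-business domains, and the limitation that a freshly created domain is on neither list. The following Python script is an added illustration of that logic, not code from the article or from any product it mentions: the blocklist, the business allow-list, the sample messages and the helper names (`classify_domain`, `triage_message`) are all constructed for this example. It shows the point the article makes: a list-based filter can block what it already knows and pass what it already trusts, but an unseen domain can only be flagged for a human to judge.

```python
"""Illustrative mail-link triage (added example; constructed data throughout)."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists. In practice these come from a threat-intelligence feed and
# from the organisation's own record of the domains it does business with.
KNOWN_BAD_DOMAINS = {"malware-drop.example", "phish-login.example"}
BUSINESS_DOMAINS = {"example.com", "supplier.example.org"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Pull every http(s) URL out of a plain-text message body."""
    return URL_RE.findall(body)


def domain_of(url):
    """Lower-cased host name of a URL, with any trailing dot removed."""
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def classify_domain(domain):
    """Return 'known_bad', 'trusted' or 'unknown' for a domain.

    The domain and each of its parent domains (except the bare TLD) are
    checked, so mail.phish-login.example matches phish-login.example.
    'unknown' is the honest answer for a domain on neither list: a newly
    registered domain (the article's "new delivery mechanism") is never on
    the blocklist, so the filter cannot call it safe, only unrecognised.
    """
    parts = domain.split(".")
    candidates = {".".join(parts[i:]) for i in range(len(parts) - 1)}
    if candidates & KNOWN_BAD_DOMAINS:
        return "known_bad"
    if candidates & BUSINESS_DOMAINS:
        return "trusted"
    return "unknown"


def triage_message(sender, body):
    """Classify the sender domain and every link; block, warn or allow."""
    _, addr = parseaddr(sender)
    sender_domain = addr.rpartition("@")[2].lower()
    findings = {"sender": classify_domain(sender_domain), "links": {}}
    for url in extract_urls(body):
        findings["links"][url] = classify_domain(domain_of(url))
    verdicts = [findings["sender"], *findings["links"].values()]
    if "known_bad" in verdicts:
        findings["verdict"] = "block"
    elif "unknown" in verdicts:
        # Unrecognised domain: warn the user rather than silently passing it.
        findings["verdict"] = "warn"
    else:
        findings["verdict"] = "allow"
    return findings


# Constructed sample messages (sender header, body text).
MSG_PHISH = ("IT Helpdesk <help@phish-login.example>",
             "Your password expires today: http://phish-login.example/reset")
MSG_NEW = ("Accounts <invoices@example.com>",
           "Invoice attached: https://totally-new-domain-123.example/invoice.pdf")
MSG_OK = ("orders@supplier.example.org",
          "Order confirmed: https://portal.supplier.example.org/order/42")


def run_samples():
    """Triage the three constructed messages and return their verdicts."""
    return {name: triage_message(*msg)["verdict"]
            for name, msg in (("phish", MSG_PHISH), ("new", MSG_NEW), ("ok", MSG_OK))}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The "warn" path is the design choice worth noting: the second message comes from a trusted sender but links to a domain the filter has never seen, which is exactly the case the article says technology cannot resolve on its own, so the filter hands the decision to the employee with a flag rather than pretending to know.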

My opinion and advice then: yes, go ahead and spend money on technology-based cyber defences, at the perimeter of your network and to assist employees by flagging up that the link or attachment they are about to open may not be as kosher as it seems, but never believe that technology is the solution to the cyber crime threat. The biggest threat is the cyber criminal’s exploitation of unwitting human fallibility; the biggest challenge for every legitimate organisation (business, charity, public sector) is to help their employees be knowledgeable about the ways that cyber criminals work, and be paranoid on behalf of their employer. Cyber security is not just an IT responsibility; it falls on the shoulders of everyone in the organisation.