Cyber-Attack Prevention Must Begin with Staff Training
The biggest vulnerability any organisation has to cyber-attacks comes from neglecting to create efficient protocols at staff level. A few simple precautions could have prevented many of the “hacks” we saw in 2016.
The year 2016 ended on a very sobering note in terms of the increased risks in digital security. In December Meath County Council confirmed that they had been subject to a hack which attempted to steal over €4 million. Fortunately, the council’s bank was alerted to the fraud, and the theft was detected before it was completed. The funds were frozen in the Hong Kong bank account they were sent to and legal proceedings to have the funds returned were initiated.
Similar hacks were enacted on a number of councils and key State agencies throughout the country. The year saw at least 20 organisations stung for €22 million in cyber-attacks. The full scale of the damage is likely much higher, as many of the successful attacks often go unreported by the victims, who fear reputational damage as a result of being scammed.
But why is this still happening? According to the latest PwC Global State of Information Security Survey 2017, there is a distinct shift in how organisations are now viewing cybersecurity, with forward-thinking organisations understanding that an investment in cybersecurity and privacy solutions can facilitate business growth and foster innovation. According to the survey, 59% of respondents said they have increased cybersecurity spending as a result of digitisation of their business ecosystem. 2016 saw cyber security become a priority issue across all sectors, yet there has been a consistent increase in the amount of attacks being successfully perpetrated. This might be surprising considering the increased vigilance in digital security. But the reason is quiet simple. Human error persists.
The word ‘hack’ can often be misleading in representing the nature of these thefts. When we think of a hack we think of a programming expert sifting through thousands of lines of code in search of vulnerability that they can exploit weaknesses in an organisation’s system. This image needs to be immediately debunked, for all it really does is creates a false sense of complexity around digital security.
It allows the average staff member in an organisation to feel that digital security is not their responsibility; that it is only for computer experts who can speak the language of 1s and 0s. The reality is that these thefts can be committed not due of some alien complexity but due to their complete familiarity and banality.
Meath County Council was caught out by a “phishing” scam. A phishing scam doesn’t use sophisticated computer technology, it uses basic social engineering to trick the victim into handing over data or money. We have all come across these scams by now. We might get an email from our bank telling us of some suspicious activity on our account and asking us to confirm our information. Those of us who haven’t already fallen victim might think we know a phishing scam when we see one but they are becoming more convincing and targeted all the time. The scam on Meath County Council was “CEO fraud”, whereby emails purporting to be from council chief executive Jackie Maguire asked for the transfer of the funds.
This is why the first step in effective digital security is ensuring that staff are trained to implement basic protocols to ensure that inevitable security breaches can be quelled as quickly and as safely as possible. An email should not be the only step necessary for a transfer of such a large sum of money to an external bank account. When John Hallahan, the head of finance in Cork City Council received a similar email from someone posing chief executive of the city council, Ann Doherty, he first spotted that the email had been sent to his spam (the first red flag). When he investigated further he noticed that the format of the email wasn’t the standard format that staff in the council used (it used a
Use unique passwords for all your accounts
Everyone has that one trusty password that they consistently use over and over again on different sites. It’s something no one could guess, only something they could possible know. That’s all well and good, but if they get “phished” – tricked into entering their passwords into shady imitations of the sites they intended to visit – then they could potentially be giving away the password they use for every website. It wouldn’t take long for a criminal to have a truckload of information gathered.
Use a password manager
So how to remember all those unique passwords? Software like LastPass (free) or 1Password (paid) which will store your passwords, generate secure random ones for you, and sync them across multiple devices.
If you can memorise all your passwords, you can almost guarantee that they aren’t varied enough to be secure. A password manager may feel like putting all your eggs in one basket, but it’s a padded secure basket kept up-to-date by the best minds in the basket business, and what you’re doing right now is more like juggling the eggs above your head while blindfolded.
Use random passwords
Once you’ve got your password manager, use it to generate secure random passwords for you, rather than trying to invent your own. You aren’t as random as you think, and “brute forcing” passwords – systematically trying every variation until you succeed – is getting quicker at the same rate computers are. If you have a handy method for creating passwords, like “take the first letter of every word in a line of poetry”, then someone else has probably also realised the same thing, and written a programme to automatically guess those passwords.
Turn on two-step verification anywhere you can
Many services, including Facebook, Google, Twitter, Tumblr and more, let you enable two-step verification, also known as two-factor authentication. As well as a password, you need to prove you have access to a second trusted device, normally a phone, to log on. How you prove that varies: sometimes a text is sent, sometimes you use a special app, sometimes you just hit a notification on your phone. Two-step verification prevents a third-party from logging in to your accounts even if they have managed to steal your password. It’s an added layer of security, which makes it very difficult indeed to hack in to protect accounts.
Update your software
Update your software as frequently as possible. Most hacks are carried out by attacking software using weaknesses that were known, and fixed, long ago. It’s like we’ve invented vaccines, but you’re still catching smallpox. Particular focus should be paid to your operating system, web browser, and Adobe Flash.
Use a six-digit PIN on your phone
If your phone gets taken while it’s unlocked, there’s not much you can do. But if it’s locked when it gets stolen, you can prevent the bad loss of hundreds of pounds of technology from turning into the loss of enough personal data to have your identity stolen too. On an iPhone, open settings, hit Touch ID & Passcode, flick on Erase Data, and click Change Passcode to set it to a six-digit PIN. Almost every Android is different, but look for a “security” menu in the settings app, sometimes under “personal”. Then, head to the “lock screen” menu to enable the auto-erase feature.
Enable full-disk encryption
Your computer’s hard drive can be set to automatically encrypt when it’s turned off. You think the risk of identity theft is bad when your phone is stolen, just think what happens when your computer is lifted. Encryption can be enabled on a Mac using FileVault; on Wondows you can use BitLocker.
Back-up to an external hard drive
Everything on your computer should be stored on a physically separate hard drive under your possession. Ideally, everything on your phone should be stored on your computer too.
If the worst happens, and you lose everything, you need to be able to restore. This could happen because of a ransomware attack or just because of a literal lighting strike. Cloud storage will help, but cloud platforms go bust unexpectedly, are just as vulnerable to hacking, and have an annoying tendency to “mirror” your computer – meaning something deleted from your local storage can be deleted from the cloud at the same time.
There are just some of the simple steps anyone can take to significantly reduce the risk of a digital attack or scam. It is also helpful be aware of the attacks and scams that are in circulation. The Gardaí will often circulate warning on reported attacks. There is also some helpful information on www.consumerhelp.ie/scams.