Time to make all staff cyber security warriors

29.05.2020

It’s official: lockdown fatigue is real. After weeks of isolation, the novelty of working from home is wearing off for many people. Tiredness, emotional ups and downs, extra stress over finances and worries over the health of loved ones are taking their toll. But still, we work on. And the danger at this point is complacency. Cybercrime hits governments, businesses and individuals every day, but since Covid-19 turned the world upside down, attacks have skyrocketed. More people are working online, and new apps promising to make this easier (just think about the rapid development in video conferencing apps, for example) mean more people are trying new things. It also means that apps potentially contain more holes for cybercriminals to exploit. Zoom has already famously appeared in the news after the UK government was seen to post its meeting ID to the public, thus exposing a way that malicious hackers could spy on the Zoom meetings – and that’s just the frozen H2O molecule at the tip of a very large iceberg.

In short, malicious hackers are taking advantage of ever-changing social, emotional and working conditions to use all types of phishing, malware, social engineering and many more attack techniques to break into – and break – businesses and organizations. They know, as they always have done, that people are the weakest link in any cyber security structure. Note here that ‘people’ includes workforce, suppliers and customers – and even their family members. It’s often easier for malicious hackers to get into a system through the wife or child of the CEO, for example, or the one receptionist in the company who, not being C-Suite, is assumed not to be a target.

If there was ever a time for businesses, organizations, governments, charities, and any other type of entity that holds valuable data (by the way, all data is valuable – from names and addresses to bank account, password, and social security details) to educate their workforces, now is it. The great thing about staff education is that it can be extremely low cost. An internal communication system can be put in place quickly – whether it’s an email from a sole director to customers and suppliers, or online meetings organized by the in-house comms team. The most important thing is to get it done, to keep people up to date, and to offer thorough communication.

This doesn’t have to be complicated: the majority of cyber-attacks can be prevented with a rudimentary understanding of common cyber-attack methods (such as malware and phishing) and how to avoid them. The problem companies will face, however, is communicating this in an engaging way. Say ‘cyber security’ to anyone that’s a non-techie and eyes can quickly glaze over. And this is completely understandable – the discipline traditionally focuses on defense, is reactive and slow, and is communicated in dry, technical speak. Consequently, it fails to engage most InfoSec professionals, let alone anyone outside of the department (this is one of the main reasons why cyber security has failed, colossally, to keep up with cyber criminals).

To actually get staff on board, engaged, and actively keeping systems secure, business owners need to do something quite revolutionary: they need to teach their staff to think like cyber criminals. Cyber security just got a little more interesting, right?

Now, of course, not everyone in an organization needs to know the ins and outs of cyber criminality – but they do need a glimpse. It will make the difference between a member of the finance team receiving a slightly odd email from a company director and thinking ‘Oh, maybe they’re just having a bad day’, and thinking ‘Hmmm. She doesn’t usually communicate like this. I’m going to follow it up with a call to her to check it’s legitimate’.

To get staff actively engaged, companies should invest in ethical hacking training for at least one member of staff (ideally more). This could be the CIO or the entire InfoSec team, or the MD and IT staff members. Ethical hacking is a method which teaches cyber security attack and mitigation techniques from the point of view of malicious hackers. It shows cyber security staff how to break into their own company’s system. Now, this might sound crazy, but it is highly effective. Think about it: who is better able to secure a company’s IT infrastructure, an IT professional that knows only about defense, or an IT professional that knows how cyber criminals attack and how to defend the system against those attacks? One is shooting in the dark; the other has shone a light on the holes in a system and patched them up.

Luckily, ethical hacking training is easier and more cost-effective nowadays thanks to cutting-edge online courses like Hands-On-Hacking (which takes engagement to a whole new level by teaching students the latest attack and mitigation techniques within virtual sandboxed environments), which costs only several hundred dollars per student, rather than the thousands of dollars associated with traditional off-site training. Once staff – whether that’s one person or 20 – are trained in ethical hacking, they can then effectively engage all staff, all suppliers, all customers and anyone associated with them in easily creating systems which are exponentially more secure than most. And generally, most cyber criminals are looking for easy wins – so any move in the right direction towards a more secure system is going to take many companies out of the firing line.