Extra, extra,
read all about it!


Cyber Security – don’t blame it on sunshine, blame it on the human

In his speech at the Institute of Directors Conference in March 2017, Matt Hancock (Minister for Digital and Culture) recognised that cyber security is a crucial part of our modern economy. He referenced the Government's National Cyber Security Strategy (published in November 2016) and its plans to invest £1.9 billion to "defend the UK in cyber space, deter our adversaries and develop our knowledge and capability in cyber security." He mentioned that "one in three small firms and 65% of large businesses are known to have experienced a cyber breach or attack in the past year" and that "if you're not concentrating on cyber, you are courting chaos and catering to criminals."

The Government is taking this seriously and so should you – but, what should you do?

There is no easy answer to this – threats to cyber security are constantly changing and evolving – hackers are smart, you need to be smarter. This article focuses on one potential chink in your cyber security armour: humans. In the context of your business, your staff are potentially the biggest risk to your cyber security.

The results of a Cyber Security Breaches Survey (commissioned by the Department for Culture, Media and Sport) published in April 2017 found that a worrying 72% of company breaches relate to staff members receiving fraudulent emails.  Even the three next most common causes can be linked to human input; viruses, spyware and malware (33%), impersonations of the organisation in email or online (27%) and ransomware (17%).

So, why are staff members putting their employers’ businesses at risk? 

Some of course may be acting maliciously which is why it is always important to ensure that appropriate systems and methods of cyber authorisation are in place. 

However, in the majority of cases, breaches are not attributed to staff members with deliberate intent but rather to mistake or carelessness. Staff members are often unaware of the risks and level of damage that they could personally cause.  The Cyber Security Breaches Survey revealed that 43% of the businesses that had suffered breaches identified a lack of care or awareness amongst the workforce, staff not complying with policies or staff visiting untrusted websites or interacting with spam emails.

For example, many staff do not know the potential harm that downloading unapproved applications or connecting to unsecured networks on work devices can cause to a business. If that device is intercepted, even accidentally, the repercussions could be huge.

Similarly, most of us have complained at some point when we have been required to change our password, especially when our favourite 'one-size-fits-all' choice is rejected, as it doesn’t meet stringent password requirements.  But, if staff were educated about the ease with which hackers can now guess these passwords and what has happened when such unauthorised access has been gained, they would soon realise that these small inconveniences are vital to ensuring that our personal accounts and data do not get into the wrong hands.

It is therefore clear that, whilst it is perfectly acceptable for organisations to purchase the most expensive and advanced technical systems in a hope to eliminate cyber threats, if a similar level of attention isn’t also paid to staff training, such systems will be pointless.  Staff vigilance and knowledge is essential.  And, in a world where our workers are becoming more dependent on the ability to work away from the office, where there are often no firewall protections, now is the time to take action.

The starting point is simple: organise cyber awareness training for all members of staff.  Of all the organisations that took part in the above-mentioned survey, just 20% confirmed that staff had attended cyber security training in the last year and only 5% included it in its induction process.

Staff should be made aware of all potential risks, how to identify them and then who to notify if a breach comes to their attention.  Classroom style training is unlikely to be effective; interactive training should be used to test staff to ensure their understanding.

Training also needs to be carried out on a regular basis.  It is not enough to provide one course at the beginning of a person’s employment and hope that will be sufficient, because it won’t be.  Only 11% of respondents in the Cyber Security Breaches Survey confirmed that regular cyber security training was provided.  But the cyber landscape is changing every day and, as it does, the threats we face change with it.  The only way to begin to combat these new challenges is with continuous investment in training.  In the long-term, it is highly likely to save your company money and possibly even prevent irreparable damage to your company’s image.

In addition to training, staff should be made aware of what measures the company has in place to protect them from any threats.  This means having up-to-date IT policies and procedures which are readily available and which staff are required to comply with at all times.   Personal responsibility should be encouraged and if staff members fail to adhere to the policies and best practises that they have been trained on, this should not be tolerated.

The National Cyber Security Centre has published guidance with 10 Steps to Cyber Security, which is essentially about a business taking cyber security seriously at management level and considering this in the same way as any other business risk would be considered. In the context of staff some key points mentioned are:

  • all employees, contractors and suppliers should be aware of the businesses' approach to the management cyber security risk;
  • user privileges should be managed and staff should not be provided with unnecessary system privileges or data access rights – the granting of access should be considered carefully;
  • user education and awareness – relevant training should be provided to staff; and
  • to establish effective incident management policies and processes – a business should make staff aware of these and have appropriate monitoring to ensure they are followed.

Action now is more important than ever.  On 25 May 2018, the Data Protection Act 1998 (‘DPA’) will be superseded by the General Data Protection Regulation (‘GDPR’).  Although the existing legislation requires organisations to implement appropriate technical and organisational measures to protect personal data, it is perhaps the increase in fines for non-compliance that will be brought in by the GDPR that now makes cyber-security a balance sheet priority.  In short, the penalty for non-compliance with the DPA is presently £500k.  Come the GDPR, failure to implement appropriate “technical and organisational measures” to ensure data security can be up to EUR 10million or 2% of annual worldwide turnover whichever is the greater.

To summarise, some of the key things you should be thinking about are:

  • Policies and Procedures

Ensure you have clear and up-to-date policies and procedures that deal with cyber security, including incident management plans. Communication is key, these policies and procedures should be well publicised within your organisation and easily accessed by staff.  Disciplinary procedures should also be reviewed and amended to ensure that, if staff then fail to adhere to the cyber security policies, disciplinary action can be taken.

  • Training and Awareness

Ensure your staff are trained on the issues and procedures and that they are regularly made aware of cyber security threats.

  • Cyber Essentials

This is a scheme designed by the Government to protect organisations from the most common cyber threats. There are two level of badges: (i) Cyber Essentials – which requires a business to complete a self-assessment, with responses independently reviewed by a certifying body and (ii) Cyber Essentials Plus – which requires the systems of the business to be tested by an external certifying body. The Government considers that any business that uses the internet should adopt the Cyber Essentials scheme as a minimum and requires all of its suppliers who handle sensitive data to hold a Cyber Essentials certificate. 

  • Consider other information security certifications that may be relevant to your business.

News

All the latest from Acuity

Here you will find all the latest news as it happens. If it’s news and it involves Acuity, one of our clients or our CSR activities this is the place to come.

Back to news