This article was prepared prior to the recent major cyber attack on the NHS and other organisations but is even more relevant now.
You wouldn't dream of leaving your doors and windows open at night, but have you considered your IT systems? The recent Unlocked Manchester conference heard from Asam Malik of PWC that many companies, especially small and medium-sized ones, don't have a budget to tackle cyber security. Instead the attitude is to hope it won't happen. With more and more business being done online and better targeting by criminals, all companies, however small, and all individuals should be thinking about keeping their computers and other connected devices secure. This is no longer just about desktops and networks but also data, websites, tablets, mobile phones and devices connected to the Internet. The conference heard how a Premiership football club discovered a flaw where a hacker could have accessed its pitch watering system and caused flooding. This highlights the growing security issue around the Internet of Things.
There are now more criminals involved in cyber crime, and for them it is easier to carry out than physical crime such as robbing a bank branch (even when you can find one). As well as reputational damage, extortion and the risk of systems being down, there is now the added threat of a large fine. From May 2018, the EU's General Data Protection Regulation (GDPR) comes into force with maximum fines set at 20 million euros or 4% of GLOBAL turnover, whichever is HIGHER. This means that as well as being transparent in processing data, organisations need to show that they are looking after it and have identified any risks.
The conference was clear that there is a role for Government; however, it is up to individuals and companies to protect their own data and systems, and this needs to be tackled at Board level, not just left to IT departments. There are measures you can put in place to prevent or limit the effect of attacks. Consider that a Distributed Denial of Service (DDoS) attack can take a website down not just for a few minutes but for a few days, which could be catastrophic for, say, an ecommerce company. Another form of attack is extorting money through ransomware - this is where your files are encrypted and you have to pay to have them restored.
The apparent increase in possible state-sponsored hacking was also highlighted by cyber security firm Pentest Limited, which carried out an analysis of a seemingly innocuous Flash Keyboard app for Android. Astonishingly, it transmits data to web servers containing, among other things, the device ID, the owner's email address, the coordinates of the device and all WiFi devices within range - all for an app that simply provides a keyboard. You can find the full details of the research online. The company behind the app has denied that it is set up to spy on people. However, as well as sending the information, the app displays adverts on the lock screen and it is difficult to uninstall.
For most organisations, the level of cyber security will depend on the risk. We all need Internet access, so there are steps you should take to defend yourself:
- Education - Your staff are one of your weakest links. Good education could prevent easy attacks. It's not just attacks on systems, though. Criminals target organisations that are used to making large payments with spoof emails purporting to come from senior staff. Another recent issue has been the targeting of law firms acting on property purchases with details of last-minute account changes for fund transfers. The better you educate your staff, the lower the risk.
- Internal Fraud - You should check what your staff are doing on your systems.
- Patching - Software should be kept up to date to prevent security exploits.
- Client-side social engineering checks - PWC highlighted that they were able to access a client firm by pretending to be IT staff and went unchallenged. In fact, the staff brought them hot drinks.
- Code reviews and developer training - Any code that is on your website or online should be checked for vulnerabilities.
- Penetration Testing - Automated tests to see how secure your sites and data are.
- Monitoring - It is useful to monitor behaviour on your systems so that you can take planned action to deal with any attacks.
- Planning - You should assume that some attacks will get through and have a plan in place to deal with them, for example isolating parts of systems or bringing more resources online to help with DDoS attacks.
The number of people at the conference and the comments from those attending highlighted that cyber security is going to be one of the next big areas of concern for organisations.