Fighting cybercrime requires education as well as technology

There isn’t a single ‘magic bullet’ to keep every organisation safe from attack.

The National Cybersecurity Centre (NCSC) was launched in October 2016 to help UK businesses protect themselves from cyberattacks, as many are still not equipped to fight back against this type of crime. To coincide with the launch of the NCSC, the Rt Hon Philip Hammond MP, Chancellor of the Exchequer, also launched Initiative 100, part of the government’s National Cyber Security Strategy, which aims to train staff in 100 businesses to fight back against the rising tide of cyberattacks.

Schemes like these are clearly a step in the right direction, but with more than 5.4 million businesses now operating in the UK, it’s crucial that every organisation is able to protect itself from this type of attack. Cybercrime is becoming more frequent and sophisticated by the day, so it has never been more vital for UK businesses to familiarise themselves on the methods available to help prevent an attack, not only from a technological perspective, but also through a sustained programme of employee education. 

Are passwords the weakest link? 

Anyone who doubts the scale of cybercrime in the UK should consider this: the NCSC has responded to over 180 cyberattacks in the last three months alone. Many businesses now provide employees with detailed instructions for creating complex passwords to combat this type of activity, but this will actually do little to keep sensitive data away from prying eyes. In fact, at the opening of the Centre, technical director Ian Levy claimed that intricate passwords may actually be making this problem even bigger.

The complexity of passwords – and the sheer number of passwords that employees need to remember – is having an unintended negative effect on security. For many IT users, complex passwords are either written down or used across multiple applications, both personal and professional. As a result, hackers are often able to gain access to far more information than they originally intended, with just one stolen password.    

Simple, easy-to-guess passwords are also a problem, however – and further evidence that more cyber defence education is needed. One solution that could see an end to password-driven attacks is multi-factor authentication. In some cases, this could mean combining a password or other information that no one other than the user would know, alongside a physical device, such as a key fob with an additional password that changes every 30 seconds. Using multi-factor authentication in this way can dramatically reduce the risks associated with system authentication.

There are other tools beyond passwords

Whilst multi-factor authentication can go some way towards boosting security, technology alone is not enough; all employees still need to be educated on how to spot, block and report suspicious activity in order to prevent cyber criminals from accessing an organisation’s network. 

For example, by responding to a seemingly innocent phishing email, or by falling for a convincing phone call, employees can unintentionally provide hackers with all the information they need to access an organisation’s data. Once inside, it takes little effort for hackers to find and steal confidential information, secure in the knowledge that the server believes their actions to have been carried out by a verified member of staff. With this in mind, employees at the very least should be taught to be on the alert for any activity – even when it appears legitimate – that asks for login details or other private information. 

Viewed in this way, technology is actually the last piece of the cybersecurity puzzle. Everything leads back to education of staff, and most importantly, staff at all levels within an organisation. Senior managers, in particular, have to understand the potential damage that cyberattacks can cause and take responsibility for cybersecurity within their businesses.

As such, before implementing any new software or other IT solutions to improve cybersecurity, management needs to take steps to train their staff on the various types of attack and how to spot them. Any internal threats need to be treated with the same level of vigilance as those coming from external entities. A significant number of cyberattacks have actually been carried out by those within the company itself, so ensuring that employees are able to recognise any signs that colleagues could be stealing valuable information is also a key part of a watertight cybersecurity strategy. 

In order to achieve this goal, firms should look to promote a culture of self-regulation, whereby rogue employees can be identified and reported before their efforts to access confidential data are successful. Whilst IT solutions such as Data Leak Prevention can provide an additional pair of eyes within the firm, it is the human factor that is critical. Again, this all links back to the vital role that education must play when taking steps to protect a company from attack.

Getting IT right

Although cybersecurity is slowly moving up the agenda in terms of investment priority, the threat landscape is large and businesses need to fully understand the emerging risks that could impact their organisations. Senior management teams must work alongside their IT departments to develop a holistic cyber risk strategy based on around-the-clock surveillance, including a comprehensive risk register with appropriate controls in place. When combined with an increased investment in both protective software and staff development, this balanced approach should be seen as the first port of call.

An important step towards achieving better and continually improving IT security is the ISO 27001 standard, which provides a recognised best practice framework for managing IT security within an organisation. ISO 27001 is globally accredited as an effective way to manage this part of the business by reviewing, assigning controls and monitoring processes within the organisation.  This will be an important first step for many businesses looking to boost their IT security

However, the truth is that there isn’t a single ‘magic bullet’ to keep every organisation safe from attack. Instead, businesses will need to rely on a combination of staff training, sharp management focus and robust IT controls to reduce the threat landscape.  Effectively managed, this would go a long way in bolstering a company’s cybersecurity strategy. Unfortunately, the reality is that attacks are only likely to increase in frequency and sophistication, so businesses need to address this issue as a matter of urgency, at all levels of the business. 

Robert Rutherford, CEO, QuoStar
Image Credit: Den Rise / Shutterstock


ABOUT THE AUTHOR

Robert Rutherford is chief executive officer of QuoStar, a consultancy specialising in business technology. Founded in 2005, it offers business improvement and technical consulting, outsourcing and cloud services.