When the NHS suffered the largest cyber-attack in its history back in 2017, the huge risk posed to businesses by ‘archaic’ computer systems became clear. In this case, it was revealed that one in twenty NHS devices ran on Microsoft XP – an operating system that was 16 years old. Fast forward two years and we’re still seeing outdated systems being used by businesses – last month, ex-British Airways employees revealed that the firm’s German call centre was operating in a vulnerable way due to outdated systems.
On top of this, the data security issues raised by the ex-British Airways employees were a stark reminder of the pitfalls presented by the flexible remote working concept. More and more employers are offering flexible work environments, including the ability to work from home.
There are some obvious benefits – it reduces corporate real estate costs and attracts new talent looking for a better work-life balance.
However, ensuring adequate cyber security solutions for home-workers can be particularly challenging. As data and devices flow between home and business networks, it becomes harder to control the security of information. For businesses that do provide security solutions, these generally only benefit the employer and not the individual, which can make usage and take-up of these security solutions low.
Cyber-attacks are on the up: what are the risks?
News of hacks and data breaches seems to arrive more frequently – particularly as technology appears to be advancing at a faster rate than large businesses can adapt.
Securing all aspects of the business network is extremely important and IT leaders need to be agile to keep up with continually emerging threats. Attacks targeting cloud infrastructure, for example, can have an immediate and potentially catastrophic effect on a company’s brand, as well as the data of its staff and customers.
Hackers are usually quick to find areas of weakness in a system and exploit them, typically with malicious intent. The types of companies targeted and the information stolen in a data breach are often a mixed bag. Credit card numbers, personal information and medical records are just some of the types of data that can be hacked and leaked.
With just a username or email address, hackers can attempt to gain access to accounts using password cracking techniques. Password cracking is commonly used by hackers to gain unauthorised access using common passwords or algorithms that guess passwords. If a hacker successfully cracks a password, they may then use credential stuffing tools, which enter the email, username and password combination into hundreds of popular websites to try to gain access.
Similarly, a hacker with access to a Wi-Fi password can gain access to all connected computers and devices within a network. This can be used to do anything – from copying data to monitoring usage and websites visited.
It takes just one weakness within a system for a massive data breach to occur and cause significant damage to both the business and the customer.
What can be done?
On top of IT leaders ensuring computer systems are modern, fit for purpose and regularly updated, businesses need to pay more attention to the way every member of staff operates online. Do employees know how to spot basic phishing scams? Do they recognise the need for a unique password for every site, account and device? Employees should be provided with, at the very least, the basic tools and knowledge needed to keep themselves and the company safe from potential attack.
Likewise, businesses should be able to operate with remote-working benefits and employees should be able to enjoy this. Having a flexible working structure doesn’t have to negatively influence the cybersecurity credentials of a business. Reduced real estate costs mean additional budgets to re-invest in other parts of the business – like adequately securing the remote working environment for staff. The best way to get staff on side with protecting company assets is to empower them to protect themselves and their families in a personal capacity first.
As such, more education on cybersecurity is needed across the board – there is a lot of misinformation out there, including the myth that antivirus software is enough to protect people. Regular training on evolving threats can ensure employees are more mindful of potential dangers online – both at work and in their personal lives. The concept of a cyber security dashboard is a useful way of raising awareness and helping to inform employers of potential risks. If businesses knew the cyber security risk per department, even down to individual employees, training and resources could be made available to improve the security credentials of vulnerable individuals in the workforce.
Whilst the tech sector overall is working towards improving regulations, businesses and consumers need to be confident that they are each playing their part in protecting their data and combating cybercrime – education is a key factor in avoiding falling victim to these types of threats.
Andrew Martin, CEO and Founder, DynaRisk