
Why IT is not responsible for the majority of cybersecurity breaches


We are not talking about hackers who are out to cause mischief or harm. We are talking about loyal, hard-working members of staff who inadvertently leave the door open for those with malicious intent to get inside.

The number of cyberattacks is growing all the time and the possibility of a hacking attack is keeping CEOs awake at night. The latest figures from the Department of Culture, Media & Sport show that 43 per cent of UK businesses experienced a cybersecurity breach in 2017.

It is important to understand that every company, no matter how small, is a target. It is not a case of if your IT system will be targeted, but when. And with the average security breach costing a business more than £36k, it is crucial to understand how best to protect your system from a cyberattack.

To err is human

While companies use software to help them protect their IT systems from attack, what the majority fail to do is adequately train staff when it comes to cybersecurity, and this is landing a lot of companies in hot water.

The latest figures show that 72 per cent of breaches were, in fact, caused by staff receiving fraudulent emails. A case in point is when one of our client’s employees received an email that appeared to be genuine. When that staff member read the email, they became suspicious and forwarded it to a colleague for advice. That colleague failed to read the email properly and, assuming it must have been sent from a safe source, clicked on the link in the email, which took her to a logon page. She entered her username and password, which the hackers collected and used to access her account. As the incident happened on a Friday afternoon, the breach was not discovered until the Monday morning, so the attackers had access to that employee’s account for the entire weekend.

Invisible passwords

Passwords frustrate people, mostly because they can never remember them! They are, by necessity, becoming ever more complex, and some websites require them to be changed on a regular basis. So even though they know they are not supposed to do this, people write their passwords down - often on Post-It Notes - and put them in places where they are easy to access… often on their monitor.

When we do operational level IT audits, one of the first things we do is look for passwords which have been written down and placed somewhere visible. If they are not on the monitor, they are usually kept in the top drawer of the desk. Not very secure at all!

Most people tend to assume that as the only people in the office are their colleagues, it is safe to do this. However, this is not the case. There are a whole host of people who have legitimate reasons for visiting your premises, whether they are clients, delivery drivers, people who are being shown around as part of job interviews, health & safety representatives, or cleaners.

Bad publicity

If you are trying to raise your profile in the media, you would be delighted if a trade magazine or newspaper wanted to visit you to look around your premises. This happened at the Hawaii Emergency Management Agency. After a media tour of the office, photos of staff members posing at their workstations were published online. One of those photos clearly showed a password written on a Post-It note that had been stuck to the monitor, meaning that billions of people around the world could have seen it.

In a different human error security breach, a member of the public found a USB memory stick lying on the street. The stick contained unencrypted details of confidential security measures at Heathrow Airport, including restricted data such as the Queen’s travel plans. The USB was given to a tabloid newspaper which embarrassed the Airport by printing a story about the incident.

Even members of the Government are not immune to leaving themselves open to a breach. Nadine Dorries MP told the press that all her staff at the House of Commons, including interns, have her login and password details. She was making a point as a way of defending Damian Green MP who had been in the press because pornography had been accessed on his work computer. What she was trying to say was that with so many people having access to one account, you could never prove Green’s guilt or innocence. But whatever the truth behind it, the incident caused huge damage to Green’s reputation and ended his Cabinet career.

Prevention is better than cure

Regular staff training about cybersecurity is as important as implementing the correct technology. If your staff know what is likely to cause a breach, they’ll be more diligent in avoiding it, saving your company money and reputational damage.

There are technical solutions to the password problem. Password manager software bypasses the need for anyone to memorise passwords, enabling you to log on securely and exclusively to all your accounts without the need to write anything down.

Richard McBarnet, Cyber Security Ambassador to the Hertfordshire IoD and MD, Lumina Technologies
