Cyber Security – Some Mothers Do ‘Ave ‘Em
Whilst attending the Oxford edition of VentureFest in July this year, I found myself attending Oscar O’Connor’s enlightening ‘Cybersecurity – They Want Your Data’ session.
Whilst settling down, Oscar – who is Head of Assessment for the Cybersecurity Challenge and a Fellow of the British Computing Society – immediately engaged with the room and asked what we thought the single biggest security threat was to business.
After a few technical replies, the correct response was ‘mother’s maiden name!’
We've all been through the process of verifying ourselves to a bank on the phone or on the web, where you give your mother’s maiden name or the place you were born. It appears these authentication questions are forming the underlying basis for the passwords people create.
‘Don’t use the same passwords for different online accounts’ tends to be the consensus; however, we’ve all been there when your business subscribes to a new subscription platform and you have to create yet another username and password! You then use the same username and password that you use for umpteen other sites.
There's a term for that feeling: password fatigue – and it’s helping fuel the malware economy.
If that message from Oscar struck a chord with me, so too did his statement that ‘total security is a fallacy’ – unless, that is, the device is switched off and locked inside Fort Knox.
Working in the professional services sector, I often read about or, in fact, encounter situations where human error in applying the basics is to blame. ‘Too senior for security’ is a term I often bandy around to describe business leaders who ignore basic security procedures themselves, such as secure passwords, to make their life easy.
This not only makes them the weak point in the security wall but also clearly sends the wrong message to the wider organisation on the attitude to these matters.
Cybersecurity, however, is something that affects all people at all levels in a business. No sector, it appears, is safe from the prying digital tentacles of those who want your data. Quite often it takes a business over a month to figure out there’s actually been a security breach!
Results from a 2015 UK government survey suggested 74% of SMEs had suffered a breach, up 14% from 2014. The same survey also found that attacks cost SMEs between £75,000 and £311,000 on average.
Targets can be broken down into two forms: hard and soft. Employees – or people – are seen as the leading soft targets. People are forever susceptible to phishing scams, social engineering, coercion or corruption.
End user devices such as laptops, smart phones and tablets are fast replacing desktops as businesses introduce ‘bring your own device’ (BYOD) into their technology policy, but these also provide their own unique set of security challenges.
‘Stuff that’s open to the internet’ is also a soft target for hackers, with company websites, file transfer portals, firewalls and gateways all proving easy targets.
As important as it is to protect vital assets such as intellectual property and client records, is there such a thing as too much security? Striking a balance is essential because the last thing you want is for your security measures to be counterproductive. We ourselves are often frustrated by the lack of flexibility that comes from security measures which protect us using technology for what it is for, to provide an outstanding service to our clients.
What do I recommend to my clients? First and foremost, ensure you carry out a security audit. There are lots of SaaS (Software as a Service) options available – as a firm we recommend Rizikon – that will help your business identify possible vulnerabilities by asking questions about different aspects of your organisation. These questions cover ICT systems architecture, security policies and financial information, to assess what threats will be faced by your organisation, and to identify any vulnerability that may exist.
My second recommendation is winning hearts and minds. Everyone needs to buy into it. From the top to the bottom, everyone who has access to a device that’s connected to your business’s network needs to ensure they do not leave themselves open to a potential security breach. This, in some ways, is the harder task!
The cost of this activity, however, will pale in comparison to loss of business continuity, breach of professional confidentiality, reputational risk or regulatory fines!
Dare you choose to ignore cybersecurity?
If you require any further information on the topics discussed in this article please contact Jason Mitchell or your local MHA MacIntyre Hudson advisor.