“There is no patch for careless, greedy or stupid” according to FBI Computer Intrusion Head Don Codling. He is referring to the growing problem of cyber crime across the world and the knowledge that many of the attacks that occur are initiated to some extent by internal users.
Cyber Security Solutions
Around two thirds of large UK businesses have recently suffered a cyber attack, creating a £34 billion problem for the British economy. Our spending to increase security and combat cyber crime has increased by £16 billion as a result, and most of this budget is being spent on the installation of cutting-edge security solutions. Obviously, anti-virus software systems are a central component in the fight against cyber crime. Yet a completely overlooked aspect of beating cyber criminals is to look internally and train your staff. In fact, only 17% of large UK companies have already invested in training their staff in the best practices related to keeping hackers out of their systems.
How Do Attackers Use Internal Employees?
Although some attacks will be initiated by a purposeful internal breach, often staff can easily get caught up in a cyber attack without having any malicious intent towards their organisation. Many are tricked into allowing hackers into their internal systems by simply clicking on a link in an email, or enabling the use of macros which will execute code in a spreadsheet.
Whilst many spam tactics do exist in the world of cyber crime, some perpetrators use extremely sophisticated methods to target specific employees in an organisation and gain knowledge of their user credentials. Once they hold these privileged log-in details, the hackers will then be able to move freely around the systems, carrying out reconnaissance of the network setup and seeking out administrators or those with financial capabilities who will be of use to them. Identification of such elevated users can take a matter of minutes and from this point it can be simple to use their credentials to make unauthorised payments to external offshore accounts.
In particularly malicious circumstances, some users with raised financial privileges can be specifically targeted and threatened with harm to their family members. One case saw an employee being coerced into allowing hackers into his internal systems after he was sent a copy of his own child’s private school bus timetable. Social media is often used by hackers who need to build a profile of the key individuals within an organisation whom they wish to threaten.
The Importance Of Staff Training
It is vital that internal team members are given in-depth and regular staff training regarding the possibility of being the target of a cyber attack. Businesses should not rely on the strength and knowledge of an IT department to increase security and safeguard their internal systems. Technical staff will certainly need to be in charge of implementing, monitoring and maintaining security software and they should also be the first port of call in dealing with any potential intrusions. However, cyber crime awareness needs to fall on the shoulders of all individuals across the entire structure of the organisation. IT solutions can only increase security so far without the assistance of humans to act responsibly when carrying out their everyday tasks.
Steve Hill, Director of External Engagement at The Open University, explains –
“Businesses need to recognise that investing in IT infrastructure and retraining staff must go hand in hand. As the techniques used by hackers to breach networks and servers become more sophisticated, companies need to do more than simply update their IT systems. Instead, they must ensure that their employees have the knowledge and skills to maintain best practice and future-proof the company’s defences.”
It is imperative that all employees who have access to a computer are trained in the latest trends in cyber crime and the best methods that exist to prevent it. As cyber attacks become more sophisticated on a daily basis, it is essential that employees are regularly retrained to ensure that their knowledge and interest in preventing cyber crime does not wane. Staff training should become regular, standard practice.
In many industries, including the legal sector, cyber security is more than just protection against financial and reputational loss; it is also an issue of compliance. Companies that are regulated by stringent rules should create a best practices document as part of their internal staff handbook. This will ensure that employees know what is expected of them and understand that failure to act accordingly could be grounds for the termination of their employment contract.
Staff training in the prevention of cyber attacks is one of the most important steps that an organisation can take to increase its security measures. However, it is also essential that companies increase security by keeping their systems updated with the latest anti-virus and intrusion detection solutions on the market. We are able to provide you with a free security review which will identify any potential weaknesses and vulnerabilities in your current setup and advise you on the best ways to future-proof your organisation against a cyber attack.