It's not cybersecurity - it's cyber hygiene education
Imagine the scenario: you’re on the frontline of a call-centre, helping run a customer service helpline.
You receive a call from a woman – she’s flustered, and you can hear a baby crying in the background.
She’s polite and apologises continually for the noise of the baby, who sounds sick. She can’t remember the username to log in to the account attached to the phone number she’s calling from. Out of goodwill, you give it to her.
Thinking the call is over, you offer: ‘Is that all I can help you with today?’ Come to think of it, she says, she would like to add a user to the account and wants to know how to get a password for the new user. You say the password has to be texted to her, but (with the baby screaming in the background) she says her hands are full and asks if you can just give it over the phone. Looking to help a young mother out, you give it to her. She thanks you profusely and hangs up.
The only issue is that she isn’t a young mother nursing a sick and screaming baby. She’s a social engineer who has spoofed a phone number and then weaselled her target’s account details out of you.
The face of cybercrime has changed, alongside the strategies used. It’s no longer just the teen hacker in the bedroom, it’s a variety of different faces and people with a broadening array of tactics. And what’s more, in the current climate of goodwill it is increasingly easy to get caught up in one of these highly emotional traps.
Cyber criminals look to cash in on uncertainty
While the environment of three months ago may feel like a lifetime ago, cybercrime hasn’t been furloughed – it’s one constant that has remained the same and, if anything, increased its presence. Cyber criminals have proven themselves merciless in the face of a global crisis: the WHO has reported attacks against its staff since announcing COVID-19 as a global pandemic, with some scammers even impersonating WHO in order to channel donations to a fictitious fund.
Those that mean to do harm will continue to look for the weakest link. And while cyber criminals continue to boast of their successes – businesses feel ashamed when they are the victim.
The point is, it isn’t security needs that have changed during the past few tumultuous months. What has changed is the need for improved education, to keep businesses and their employees updated on the basic principles to keep them safe. As we move to a more hybrid way of working in the future, with employees operating from home with more regularity, this education piece will become increasingly important to maintain resilience against hacks.
And this isn’t just a role for employer to employee. There is a role for governments and vendors across the industry as well.
The five cyber hygiene principles
So, let’s revisit these cyber hygiene principles:
Just because you trust everyone in your business doesn’t mean that your receptionist needs the same access levels as your CEO. Give users minimum necessary access and leave your most valuable data vulnerable to far fewer breach points. You wouldn’t give a hotel guest a key for every room in the hotel.
We don’t use drawbridges and castle walls anymore for a reason – they give a false sense of security and encourage lax approaches to security within the walls. Once your attacker infiltrates your outer defence, the threat is inside and there’s nowhere to hide. Breaking down your network into layers and self-contained areas keeps the entire system protected and ensures your access points aren’t left vulnerable to attack. Don’t neglect your perimeter, but don’t rely on it alone. This is where intrinsic security – building it into your network and your application platform – makes security sense. As business models flex to meet the needs of a Covid landscape, it is this type of security that will help meet those needs. And should there be a breach, it is contained without infecting the rest of your business.
Think of encryption as the last weapon in your arsenal against hackers – except that, in cyber security, it also keeps you ahead of the game. If all else fails and your firewalls and access protocols are breached, encryption means that all the critical data you have stored is useless to them. Like a Rubik’s cube, if you don’t know how to decode it and put it back together, encrypted data is a difficult puzzle to crack. Basic cyber hygiene means encrypting your files and data before sharing them. The same applies to encrypting network traffic wherever possible.
From thumbprint ID to facial recognition, security is becoming personal. But even implementing basic two-factor authentication stops the first wave of breaches. And the more personal we get with authentication, the more secure our networks will be. After all, your thumbprint is much more difficult to steal than your PIN code!
Systems require updates for a reason. Every time malware gets more advanced, your service providers respond with system and software updates. Don’t remain in the past. Upgrade and update to stay ahead of your attacker’s game.
Education, Education, Education
Although the recent pandemic has meant that everything has changed, when it comes to basic cyber security we should presume that nothing has changed. The same basic cyber hygiene principles, which are often the simple ones that are forgotten or overlooked, are still just as relevant. They should be kept front of mind to keep businesses – and their employees – safe. This will help to safeguard data wherever it lies, whether on a desktop at home, a mobile, or a laptop in transit – or a combination of them all.
Ultimately, successful cyber security is all about identifying people as the first line of defence. Whilst an organisation can invest in hundreds of different tools, if the people unwittingly roll out the red carpet to let the hacker in right in front of them, then it’s all for nothing. As a security practitioner, your primary efforts should start with education. A mandatory education process should be in place for everyone: from IT professionals and business leaders to employees and third-party contractors, with applications sitting at the core. Focus on your people first, and then look to simplify your systems.
Just like washing your hands, good cyber hygiene habits protect everyone, and prevent the spread of maladies with the potential to decimate communities.
Webinar: OT networks, ransom attacks, and cyber resilience
Operational Technologies (OT) infrastructures across industrial sectors such as manufacturing, transportation, utilities, and oil & gas are increasingly becoming the target of sophisticated cyberattacks.
In recent months, cyberattacks have been making headlines, focusing executive attention on cyber resiliency and how organisations can take the right steps to keep themselves safe.
In the past, many OT infrastructures were self-contained and isolated (or "air-gapped") from corporate resources, so they were relatively safe from internet-based threats. Not so much today. As OT and IT networks converge, outdated and unpatched OT endpoints represent a tempting entry point for cyber attackers.
Preparing for, responding to, and recovering from cyberattacks should be a strategic part of your business continuity plan.
BizClik Media Group and Fortinet invite you to our live webinar, taking place on 24 June at 4 pm BST. The event, entitled ‘When, Not If: Responding when your OT network suffers a ransomware attack’, will allow people who are joining live to ask questions.
What will the webinar cover?
- Trends impacting the multiple attack points across the industrial threat landscape
- Insights garnered from purpose-built threat intelligence and supporting services for developing cyber resilience
- A platform approach for broad, automated and integrated cyber resilience
Who will be joining the webinar from Fortinet?
Anthony Giandomenico, Practice Director - Managed Detection and Response, and Incident Response
Industry veteran Anthony Giandomenico has racked up 30 years of comprehensive experience as an Executive, Entrepreneur, Mentor and Security Consultant for companies within information security across all industries. In his current position at Fortinet, Giandomenico is responsible for all aspects of the Incident Response and Managed Detection and Response services, including P&L, marketing activities, service delivery and new service development. He has presented, trained and mentored on various security concepts and strategies at many conferences and trade shows, such as the Gartner Security Summit, HIMSS15 and the ISMG Data Breach Summit, and in media outlets, including a weekly appearance on the KHON2-TV morning news “Tech Buzz” segment and Technology News Bytes on OC16, where he provides monthly security advice, among others.
William Noto, Director of Product Marketing - Operational Technologies
William Noto leads Fortinet’s OT security product marketing initiatives globally. Prior to joining Fortinet, William spent 12 years at General Electric in both the GE Wind and GE Digital business units. At GE, William held product management and sales roles developing OT security offerings, including WindSCADA Secure, the Predix Edge platform, and the OpShield and Achilles product lines. William holds an MBA from the UMass Isenberg School of Management and a BA in Computer Science from Middlebury College.
Does it sound like something you’re interested in? If so, don’t miss your chance to join this exclusive webinar. Sign up now.
We look forward to seeing you there!