When it comes to protecting your business from cyber crime, technology is only ever going to be part of the solution.
"Business systems are defined as including technology, procedures and people. The fact is, unless your people are operating properly, your technology and procedures won't be operating properly either," says John Bolger, Senior Manager, Risk Advisory at BDO.
If anything, people are your weakest link. “They are your first line of defence. They have intelligence in relation to suspicious activity and can be sceptical, keeping their eyes open and generally being vigilant for attack vectors such as phishing or CFO fraud,” he says.
So far, so secure. But then their basic human kindness goes and lets you down.
“When an email comes in asking for a favour, such as to make a change of bank account details, it’s human nature to want to help out,” says Bolger.
And while we are naturally suspicious when it comes to dealing with money, when it comes to information security, not so much. “Yet data security is critical too.”
Vigilance must be embedded in the culture of an organisation. “You can train people as much as you like, but unless it comes from the top down, it won’t work. For example, management has to be supportive if someone raises what turns out to be a false alarm. Such vigilance should be rewarded, not pooh-poohed.”
But the best way to embed cyber vigilance in an organisation is to make it personal. “If you take the time to explain to staff all about their own rights and entitlements in relation to how their data is protected, and at the end tell them ‘the same goes for all our customers too’, that is a much more effective approach. In our view, 90 per cent of cyber security training should be about the staff member’s rights because that makes it personal,” says Bolger.
This works too in terms of password security. “It’s telling people that if they have the same passwords for all their accounts and bank accounts, once one is hacked they are all at risk. And again, the same goes for the passwords they use at work. It’s about making it personal with real world examples.”
Cyber security isn’t just about bank accounts and customer data either, and that should be made clear too. “It could be as simple as telling a caller when someone is on holiday and when they’ll be back, which on a personal level could result in a burglary in their home.”
The risk of a security breach of any sort is greater than you may think, mainly because, as has always been the case with any kind of fraud, businesses are loath to admit they’ve fallen victim to it. “There are many more cases of it than the public ever gets to hear about. It is more prevalent than people think,” he says.
We’ve probably all experienced the most common form of it, phishing, where a bogus email entices us to click on a link. Equally common, for businesses at least, are what are known as CFO emails: bogus requests, typically purporting to come from a senior executive, to change the bank account details used for payments.
While both are delivered via technology, they rely on the recipient’s action to be successful. To work, someone has to click on the link or make the changes.
“By educating and training staff, by getting employees to understand that if anything looks suspicious, it probably is, to not click on a link without verifying it, you can do a lot to protect yourself,” says Karl McDermott, head of connected solutions at Three.
“Equally, they need to not put that random USB key they find lying around the office into their computer.”
It sounds odd that anyone would, but the security audits he runs often involve leaving USB keys about the place, and inevitably “someone thinks ‘great, a place to store movies’ and we get an alert,” he says.
Now that staff are so mobile, additional cyber vigilance is required.
The use of hot spots is a particular issue. “If you are in a public hot spot, such as a coffee shop, and you transfer unencrypted data, someone else can swipe things like usernames, passwords and possibly sensitive data over the same network.”
Virtual private networks and systems that encrypt traffic automatically will protect that data in transit, but only if staff actually use them and stick to the protocol.
Not all threats are external either. Organisations are increasingly looking to ensure they don’t hire staff members likely to be tempted to facilitate cyber crime.
Increasingly, scammers are targeting staff members and offering them financial inducements to collude in attacks.
“We now see that money is offered and people are targeted for such things,” says Pat Moran, cyber security partner at PwC. Money is changing hands for passwords, or to have a USB stick inserted surreptitiously into an office computer. And identifying the kind of person who is likely to help a hacker do this is easier than you might think.
“People have a social media presence and in it they often flag up what they do on a day-to-day basis. There are others out there collecting that information, and making propositions to key people,” says Moran. He cites a particular example in which a number of blue-chip multinational organisations had their data stolen because their IT support had been outsourced to a country in the developing world.
Such people can be short of money, and have very low levels of loyalty to their direct employer, let alone their employer’s client company and its customers.
Ensuring your supply chain is robustly protecting itself from cyber crime is therefore important too. And here again, people are the weakest link. On the other hand, people can be your best asset too. “If you get the people stuff right, everything else follows,” says Moran.
It’s people who put your policies into practice. In one of PwC’s cyber security tests, it will send a stranger into a building to see how far he or she can get, and how close to putting a USB stick in a computer, before being challenged. “Even training people to not automatically hold open a door for a stranger will help, because we are very trusting as a nation. If I had €100 to spend on information security controls, I’d spend €95 of it on people. And if you get the people right, everything else follows.”