Human factors have long been a key vulnerability when considering cyber and information security risks. Your organisation's information and IT infrastructure may now be more vulnerable than ever. You need to be cognisant that your people may lose their normal sense of cyber security awareness through preoccupation with, or concern about, their own personal circumstances. As a result, they become more vulnerable to malicious attacks by cyber criminals seeking to commit fraud, disrupt ICT systems or compromise information. Cyber and information security risk exposure is expected to increase as the workforce adapts to the transition from an office to a remote working environment.
Did you know that when a vendor releases a software patch or update, attackers reverse-engineer it almost immediately? This means that if you do not implement the update or patch straight away, attackers know exactly how to target your unpatched IT infrastructure. Next thing you know, you're faced with an escalating crisis with the potential to destroy your company's reputation, crash your stock price, expose you to a claim or put you out of business permanently.
In truth, there are hundreds of ways your organisation could fall victim to an information or cyber security incident. Vectors vary, and threats may be internal and/or external in origin. The reality is that unless you are an information technology expert, you will never fully understand all of the technical risks. However, as a board member, executive manager, senior manager or business unit head, there are some basic measures at your disposal to help mitigate cyber security risk scenarios. Here are some key vectors to look out for:
Phishing. Phishing is the practice of fooling a user into divulging sensitive information for the purpose of committing theft or fraud, usually without the user knowing they are being deceived. Common phishing crimes are perpetrated by organised criminals using false identities, seeking to defraud individuals or corporations of money or information by sending hooks via email or the web. There are numerous examples of companies that have lost millions of dollars through a phishing scam initiated via email. When was the last time you tested your team's susceptibility to this particular vector?
Portable storage media. Forget your concerns about using the cloud. The cloud is probably far more secure than the majority of media you are currently using to store your organisation's digital information assets. You are potentially much more exposed through your people's use of portable storage media transiting between home and the office as a result of the COVID-19 crisis. Right at this very moment, you have people saving confidential, proprietary, sensitive or client-related data and information to a laptop's hard drive, a smartphone or a portable storage device. Depending on the context and type of material handled by your organisation, an information security breach could be catastrophic.
Intellectual property. How secure is the information you store on your organisation's IT network? How is user access to the network administered? In most organisations, critical or sensitive intellectual property (IP) is poorly protected from internal threats. Network drives are open and access to folders is commonly shared throughout the organisation, allowing employees to access or copy your information and data before they depart the company.
Malware. Malware is an umbrella term for all types of malicious software. Typically, malware takes the form of viruses, worms, trojan horses, ransomware, spyware and/or adware. This type of risk comes to pass when your staff download (or inadvertently upload) and execute files on their work computers or smartphones, unaware of the threat or hoping the company's antivirus software will take care of it. This scenario gets even trickier in the modern age of BYOD (Bring Your Own Device), as the organisation does not control the security of people's personal devices, which could be rife with malware and connected to your network. Think you have an 'air gap'? Try leaving a few USB drives around the staff car park or meeting rooms and see how many come back to your network!
Unauthorised access. How are your users' passwords protected? Do you secure user credentials and their personal information? How often are passwords changed? Are the same passwords reused across multiple programs and platforms? Do you use VPNs? Ever heard of a 'zero-day vulnerability'? Confident you're not exposed by a rogue, leaky IoT device? It goes without saying that if your organisation is targeted by a sophisticated threat actor, the consequences of a network intrusion could be catastrophic. Imagine if a threat actor gained access to your organisation's website or corporate IT infrastructure. Could you detect the event? Would you know they were there? Are you prepared to contain and respond to the incident? Unauthorised access is a huge risk and perhaps the most critical your business faces in digital terms.
Effective cyber security risk management begins with committed leadership, relevant policy, a robust culture and an engaged workforce. Technical countermeasures are only as good as the person implementing them and can be outmanoeuvred the day after by a clever threat source. Accordingly, there is no better time than the present to revisit your cyber and/or information security program with a view to making it as secure and resilient as possible.