TECH TALK: Bill Magee explains why everyone in an organisation needs to know the cyber rules
The business world’s apparent inability to be cyber-canny is at the crux of some rather unsettling online security words of warning winging their way to me from across the Pond. They arrive as the global marketplace is put on high alert following a new wave of data breaches found to be specifically targeting vital commercial supply chains.
The latest such breach involves Mercari, an “eBay” style e-commerce platform recently expanding operations into the UK and USA from its Japanese base, where it is heralded as the country’s first unicorn. The company confirmed tens of thousands of customer records, including financial data, have been exposed.
What’s become known as the “Codecov supply-chain attack” harvests an organisation’s authentication credentials and source code, which are then used to access its private repositories.
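The practical check this kind of attack calls for is not to run a downloaded CI helper script on trust: pin its hash in the repository and refuse to execute it when the hash changes. The following shell example is added here and is not code from the article, from Mercari or from Codecov; the “uploader” script, its tampered copy and the temporary file names are constructed stand-ins, and no network access is made.

```shell
#!/bin/sh
# Added example (not from the article): refuse to execute a downloaded CI helper
# script unless its SHA-256 matches a value pinned in the repository.
# The "uploader" below is a constructed stand-in; nothing is fetched from the network.

# Compute the SHA-256 of a file; portable across sha256sum (GNU) and shasum (BSD/macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh and returns 0 only if its hash equals EXPECTED_SHA256;
# otherwise prints a refusal and returns 1 without executing anything.
verify_then_run() {
  actual=$(file_sha256 "$1")
  if [ "$actual" != "$2" ]; then
    echo "refusing to run $1: sha256 $actual does not match pinned $2" >&2
    return 1
  fi
  sh "$1"
}

# Constructed sample: a harmless "uploader" and a copy that has been tampered with.
good=$(mktemp)
bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
printf 'echo "uploading coverage report"\n' > "$good"
cp "$good" "$bad"
# The tampered copy carries one extra line, the kind of change a pinned hash catches.
printf 'echo "attacker-added line runs with the CI job'"'"'s secrets in its environment"\n' >> "$bad"

# In real use this value is computed once from the vetted script and committed
# alongside the pipeline definition, not recomputed at run time.
PINNED=$(file_sha256 "$good")

verify_then_run "$good" "$PINNED"                                   # hash matches: runs
verify_then_run "$bad" "$PINNED" || echo "tampered script blocked"  # hash differs: refused
```

Pinning the hash only helps if the pinned value lives somewhere the attacker cannot rewrite at the same time as the script, which is why it belongs in the repository rather than next to the download. The same pattern applies to any curl-to-shell installer a pipeline pulls in.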
Mercari says it’s since strengthened its cyber defences. A familiar tale of too little too late?
Former FBI supervisory senior agent Edward P Gibson bemoans a persistent failure to follow basic safety rules on the internet. Holyrood business conference audiences know this online security pioneer from his Microsoft days, when he was chief security adviser.
“Ed the Fed” would don G-man style dark glasses to dramatically press home a challenge to audiences to be cyber-smart. He now fulfils a similar chief security advisory role for Secured Communications (without the shades).
From Washington DC Ed told me that until we do act, we will never stop being a fertile platform for an ever-growing deluge of unauthorised intrusions and theft of our confidential data.
Ed asks: “How confident are you that your video meetings, files, messages and calls are truly private?”
Even “ironclad encryption” won’t save us if we don’t follow certain rules which, if adopted, would make it considerably more difficult for scammers and hackers to succeed in their seemingly endless and largely unchallenged cybercriminality. Mr G knows what he’s talking about. He’s also a national security risk analyst and anti-money laundering specialist.
High-profile hacks and data breaches continue to provide rich pickings through huge ransomware demands and levies. Now, cybercriminals are lowering their sights by taking advantage of unease caused by the pandemic, to increasingly take aim at smaller businesses, hospitals, colleges, schools even charities. Especially when it involves employees engaged in hybrid working that’s accelerated during Covid-19.
Top of Ed’s list of what should be simple, everyday precautions: avoid allowing the use of social media platforms and require that employees use systems you approve of; keep everything in one application, as each time a user switches apps there’s an opportunity for data to be left behind or re-routed; and keep things simple, as not all your employees will be tech experts.
The newly launched UK Cyber Security Association emphasises that it’s crucial to have business continuity and resilience plans, including data back-ups, in place, along with being prepared for when you are hit and knowing how to respond to an attack – and to have essential cybercrime insurance.
UKCSA’s founder CEO Lisa Ventura points out that cyber attacks are being performed “every second of every day,” and an organisation should review its current cyber defences and continue to have them tested by professionals.
A company’s greatest asset – its employees – can, at times, be a liability, as a big percentage of data breaches come from human error. It’s all well and good having strong security practices at your business, but they will only work effectively if everyone’s working on the same page.
So, invest in correct workforce training. Act swiftly in reporting a breach to avoid a potentially compromising situation and keep data safe. Not only staff but the entire organisation should remain alert.
Extensive safety measures may be adopted in a company’s main office, but it’s worth checking whether those measures are being safely extended by staff working from home, “on the road” or at other locations, as they won’t automatically extend outside. Also check that personal laptops are secure.
Global payments security industry specialist Neira Jones reports the Financial Conduct Authority is sending 4,430 employees on compulsory cybercrime and data security courses.
So surely it follows: to stay commercially cybersafe, we should make online security training mandatory for all staff, irrespective of grade or seniority.