When news breaks around a data breach or a cyber security incident, people immediately think about systems and computers being hacked, but what about people? People manage the physical and technical estates, they define the business processes, they code software, and they welcome visitors into an office. They are also the best line of defence. With that in mind, how does an organisation reduce the risk of its people being hacked?
Post-GDPR, people are now more aware of the importance of protecting data and of the risk of sanctions from the ICO. Yet negligence is still cited as the primary cause of data breaches within the workplace. This is often due to the loss of devices in their charge, or a failure to follow an agreed process.
Many organisations took a policy-based approach to GDPR to ensure staff knew about the risks, and monitored that policies were read. They also ensured third-party systems were compliant (as best they could be, given their age).
The question to ask 18 months later is: are the policies still being followed, and have they been embedded into process within the organisation?
The IT usage policy may have been amended to stop the use of USB sticks, but is a policy in place to restrict staff from emailing files to personal email accounts?
The policy may also require staff to lock their computers when they are away from their desks, but is this left to trust? Or has IT enforced a policy that locks out unattended machines after 2 minutes?
A 2017 report by Kensington suggested that one laptop is stolen every 53 seconds, and over 70 million cell phones are lost each year. This means that the Friday night ‘end of week drinks’, where employees may leave their bags containing company equipment unattended, is a clear and present danger. If a device is stolen, how secure is it and can data be wiped remotely?
Preparing people for malicious attacks
So far, these examples have been technology focused. So, what is the State of the Nation when it comes to ‘people’ related cyber-attacks?
According to the banking trade body UK Finance, there is a lack of awareness of the dangers of invoice fraud with around four out of 10 businesses unaware. Around 3,280 invoice and bank mandate scams were reported in 2018, with the average cost per case equating to £28,000.
The obvious danger here is the rise in fraudulent (phishing) emails sent to organisations. These vary from the obvious (with typos and broken English) to the more sophisticated, where publicly available information, such as staff names, is introduced into the text to appear more genuine.
The main defence for organisations here is always process and due diligence. If an email is received that requests a change of bank details, it pays to verify it via another source, such as the telephone. The process to change bank details should also require a form of verification.
What about where a threat presents itself IRL (in real life)? A technique known as social engineering doesn’t require technology; it just requires confidence. This is more opportunistic and could involve someone entering a building by tailgating, using a plausible cover story to enter an office, and then stealing trophies. Mitigating this is about encouraging staff to challenge unknown visitors and ensuring that items of value are protected.
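To make the bank-details control concrete, here is an added example (not code from the original post) of a change request that is only applied once it has been verified out of band by a second person, and where the call-back must go to the phone number already held on file rather than any number offered in the email. The supplier records, names and phone numbers are constructed sample data.

```python
"""Added example: out-of-band verification for a supplier bank-detail change.
Supplier data, request data and phone numbers are constructed samples."""
from dataclasses import dataclass
from typing import Optional

# Constructed supplier master data. "verified_phone" is the number captured
# at onboarding; it is the only number ever used for a call-back.
SUPPLIERS = {
    "SUP-001": {
        "name": "Example Stationery Ltd",
        "sort_code": "00-00-00",
        "account": "00000001",
        "verified_phone": "+44 20 0000 0001",
    },
}


class VerificationError(Exception):
    """Raised when a change is attempted without the required checks."""


@dataclass
class ChangeRequest:
    supplier_id: str
    new_sort_code: str
    new_account: str
    # A call-back number quoted in the email is recorded for the audit trail
    # but never dialled: whoever sent the email controls that number.
    callback_number_in_request: Optional[str] = None
    verified_by: Optional[str] = None
    verified_via_number: Optional[str] = None


def verify_by_callback(req: ChangeRequest, approver: str, number_dialled: str) -> None:
    """Record the out-of-band check. Refuses any number other than the one on file."""
    on_file = SUPPLIERS[req.supplier_id]["verified_phone"]
    if number_dialled != on_file:
        raise VerificationError(
            "call-back must use the number on file, not one from the request")
    req.verified_by = approver
    req.verified_via_number = number_dialled


def apply_change(req: ChangeRequest, requester: str) -> dict:
    """Apply the change only after an independent person verified it by
    call-back (two-person rule plus out-of-band check). Returns the record."""
    if req.verified_by is None:
        raise VerificationError("change has not been verified out of band")
    if req.verified_by == requester:
        raise VerificationError("verifier must be a different person from the requester")
    rec = SUPPLIERS[req.supplier_id]
    rec["sort_code"], rec["account"] = req.new_sort_code, req.new_account
    return dict(rec)


if __name__ == "__main__":
    # Constructed walk-through: the email offers a "new" number; we ignore it.
    request = ChangeRequest("SUP-001", "11-11-11", "00000002",
                            callback_number_in_request="+44 20 0000 9999")
    verify_by_callback(request, approver="bob", number_dialled="+44 20 0000 0001")
    print(apply_change(request, requester="alice"))
```

The two refusals in `apply_change` are the whole point: a change with no recorded call-back, or one where the same person raised and verified it, never reaches the supplier record.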
The insider threat
It is also extremely prudent to mitigate the risk of an ex-employee with a grudge. In 2014, an ex-employee of Morrisons stole company data that included the salary and bank details of circa 100,000 staff. The staff brought a claim against the company, and Morrisons lost its challenge to the High Court ruling.
How does an organisation begin to mitigate this? Firstly, there should be business rules around who can access data, and what data each individual is required to access as part of their role.
A robust staff exiting process is mandatory and should be built around all systems that an organisation uses, to ensure access accounts are locked when the employee parts ways. Some accounts, such as social media, may have a shared password, so these would require a password change.
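The two steps above, role-based access rules and a leaver process that covers every system, are illustrated by this added example (not code from the original post). The systems, roles, users and the idea of a shared team login are all constructed sample data; a real implementation would call each system's own administration API in place of the dictionaries.

```python
"""Added example: a role-based access review plus a leaver process that locks
personal accounts everywhere and flags shared credentials for rotation.
All systems, roles, users and account names are constructed samples."""
from collections import defaultdict

# Which data sets each role genuinely needs. Access beyond this list is a gap.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll_db", "hr_portal"},
    "marketing": {"cms", "social_media"},
}

# Per system: whether its credential is shared, and the accounts it holds.
SYSTEMS = {
    "payroll_db":   {"shared": False, "accounts": {"j.bloggs": "active", "a.khan": "active"}},
    "hr_portal":    {"shared": False, "accounts": {"j.bloggs": "active"}},
    "cms":          {"shared": False, "accounts": {"j.bloggs": "active", "s.lee": "active"}},
    "social_media": {"shared": True,  "accounts": {"marketing_team": "active"}},
}
# People who know the password of each shared account.
SHARED_MEMBERS = {"marketing_team": {"j.bloggs", "s.lee"}}
USER_ROLES = {"j.bloggs": "payroll_clerk", "a.khan": "payroll_clerk", "s.lee": "marketing"}


def access_review(systems, shared_members, user_roles, entitlements):
    """Return {user: set of systems they can reach but their role does not need}."""
    excess = defaultdict(set)
    for name, rec in systems.items():
        for account, status in rec["accounts"].items():
            if status != "active":
                continue
            # A shared account grants access to everyone who knows its password.
            people = shared_members.get(account, {account})
            for user in people:
                if name not in entitlements.get(user_roles.get(user), set()):
                    excess[user].add(name)
    return dict(excess)


def offboard(user, systems, shared_members):
    """Lock the leaver's personal accounts in every system and list each shared
    credential they knew, which must be rotated rather than disabled.
    Returns (locked_systems, shared_to_rotate, still_active)."""
    locked, rotate = [], []
    for name, rec in systems.items():
        if rec["shared"]:
            for account, people in shared_members.items():
                if account in rec["accounts"] and user in people:
                    rotate.append(name)
                    people.discard(user)  # they no longer count as a holder
        elif user in rec["accounts"]:
            rec["accounts"][user] = "locked"
            locked.append(name)
    # Post-check: no personal account for the leaver may remain active anywhere.
    still_active = [n for n, r in systems.items() if r["accounts"].get(user) == "active"]
    return sorted(locked), sorted(rotate), still_active


if __name__ == "__main__":
    print("access gaps before:", access_review(SYSTEMS, SHARED_MEMBERS, USER_ROLES, ROLE_ENTITLEMENTS))
    print("offboarding j.bloggs:", offboard("j.bloggs", SYSTEMS, SHARED_MEMBERS))
    print("access gaps after:", access_review(SYSTEMS, SHARED_MEMBERS, USER_ROLES, ROLE_ENTITLEMENTS))
```

Run before the leaver departs, the review already shows that the payroll clerk holds CMS and social-media access their role does not call for; the leaver process then locks each personal login and reports the shared social-media password as one to change, with a final check that nothing for that person is still active.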
Why should an organisation embed a Security Strategy?
As with most business problems, understanding the WHY and building a strategy around it is key. This blog has identified the importance of people in a security strategy, and the key tactics should be focused on awareness.
A review of processes to identify gaps and a robust training programme to raise awareness are a strong starting point for protecting your organisation. Also ensure that intelligence is gathered on all breaches and that remedial actions are acted upon.