06/06/2024
Cyber-attacks have been making the headlines again recently, with some more high-profile organisations being hit.
As many commentators will tell you, it’s not “if” you are the victim of an attack, but “when” – especially with the advent of AI making phishing emails harder to spot.
The good news is that there are some relatively simple and low-cost things that you can do now, which could make a huge difference to the likelihood of a successful attack, or potentially mitigate the consequences if you are a victim.
Vicki Bowles looks at five low-tech, low-cost solutions that you can implement almost immediately.
Five Top Tips
1. Update your software
This is largely something you can do for free, but it can have a significant impact on minimising risk. Software updates – as frustrating as they are in terms of frequency – usually contain a fix for a known vulnerability. Threat actors (those who are looking at ways of attacking your systems) will often use a known weakness in a particular application to try and get access, so the sooner you apply the “fix”, the lower the risk of an attack.
Think of it like a car manufacturer admitting that they only produced 100 keys, and one key could open multiple cars of the same make and model. As soon as this is made public, thieves could use this knowledge to their advantage, and attempt to steal those cars. If you don’t update software, you’re potentially leaving your systems open to anyone who has that master key.
2. Know what you’re using, how it’s linked, and whether it’s supported
This one is slightly more technical and you may need the assistance of an IT expert, but it’s definitely something that’s helpful to understand.
We are all used to using multiple different “applications” in our daily lives. Just today, I have opened emails, started a Word document, made a Zoom call, and recorded time in a time-recording software package. All of these are linked to other areas of the business, and a weakness in one could mean that others are vulnerable.
Understanding which systems are linked means that you have a better understanding of risk. If you’re using a piece of software for very limited tasks (e.g. a team calendar), which isn’t linked to anything else, if that is breached, the rest of your systems should be safe. This can be particularly tricky in a local government context, because you have multiple functions with very different needs, who are all likely to be using different applications in their day-to-day business.
Understanding what is linked, and what information is used by each application helps understand where the high risk data is, where the crucial entry points are (where someone might be able to access most of your systems if they get in via one particular system), and therefore where to focus your efforts.
Knowing whether the applications are supported is also a crucial line of defence. As mentioned in Tip 1, updates often fix known security weaknesses, but once a product reaches the end of its shelf life, the developer will no longer issue these updates, leaving the software vulnerable. You may have historic software that you use because there isn’t anything new that works as well, but understanding the risks of it being unsupported will help you make an informed view about its continued use, and any mitigations you need to put in place to protect your other systems.
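One way to make Tips 1 and 2 concrete is to keep the inventory as data and let a small script answer the questions above: which systems can be reached from which, which are out of support, and which entry points would expose the most. The following is an added example, not code from the original article; the inventory, application names, end-of-support dates and links are all constructed for illustration, and the “links_to” relationship (controlling one application lets you reach the listed ones) is an assumption about how you would record your own integrations.

```python
"""Asset-inventory triage: which systems are linked, which are unsupported,
and which would be the most damaging entry points if breached.

Added example, not from the original article. The inventory below is
constructed for illustration; names, dates and links are hypothetical.
"""
from datetime import date

# Constructed inventory. "links_to" means: someone who controls this
# application can reach the listed applications (shared logins,
# integrations, network trust). "data" is a coarse sensitivity rating.
INVENTORY = {
    "team-calendar":  {"data": "low",    "end_of_support": None,              "links_to": []},
    "email":          {"data": "high",   "end_of_support": None,              "links_to": ["document-store", "time-recording"]},
    "document-store": {"data": "high",   "end_of_support": None,              "links_to": ["payroll"]},
    "time-recording": {"data": "medium", "end_of_support": date(2022, 6, 30), "links_to": ["payroll"]},
    "payroll":        {"data": "high",   "end_of_support": None,              "links_to": []},
    "video-calls":    {"data": "low",    "end_of_support": None,              "links_to": []},
}

# Constructed review date used by the report below.
REVIEW_DATE = date(2024, 6, 6)


def reachable_from(name, inventory):
    """Every system an attacker could reach, transitively, after compromising `name`."""
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        for nxt in inventory[current]["links_to"]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def unsupported(inventory, today):
    """Applications whose vendor support ended before `today` (no more security fixes)."""
    return sorted(n for n, a in inventory.items()
                  if a["end_of_support"] is not None and a["end_of_support"] < today)


def rank_entry_points(inventory):
    """Rank systems by how much they expose if breached: number of other
    systems reachable first, then how many high-risk systems that includes
    (counting the entry point itself). Returns (name, reachable, high_risk) rows."""
    rows = []
    for name in inventory:
        reach = reachable_from(name, inventory)
        high = sum(1 for r in reach | {name} if inventory[r]["data"] == "high")
        rows.append((name, len(reach), high))
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows


def unsupported_reaching_high_risk(inventory, today):
    """The combination the article warns about: an out-of-support application
    that is still linked, directly or indirectly, to high-risk data."""
    out = []
    for name in unsupported(inventory, today):
        if any(inventory[r]["data"] == "high" for r in reachable_from(name, inventory)):
            out.append(name)
    return out


if __name__ == "__main__":
    print("Entry points, most exposing first:")
    for name, reach, high in rank_entry_points(INVENTORY):
        print(f"  {name:15} reaches {reach} other system(s), {high} high-risk")
    print("Out of support:", unsupported(INVENTORY, REVIEW_DATE))
    print("Out of support AND linked to high-risk data:",
          unsupported_reaching_high_risk(INVENTORY, REVIEW_DATE))
```

In the constructed inventory the report puts email at the top (it reaches three other systems, all holding high-risk data), shows the isolated team calendar exposing nothing else, and flags the unsupported time-recording package because it still links through to payroll. Those are exactly the three findings the text asks you to look for: where the crucial entry points are, what can safely be treated as low risk, and which unsupported software needs a mitigation.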
3. Train your staff
According to a report by the Department for Science, Innovation and Technology and the Home Office[1], 84% of cyber security events were caused by phishing last year.
Phishing is where an email is sent by a threat actor that looks genuine, with the purpose of encouraging an individual to click on a link or enter their password so that malware is downloaded, or passwords are revealed. Common examples include the email purporting to be from the CEO asking you to purchase a number of gift cards, or an email that looks like it’s from IT asking you to log in using a link because your password has been corrupted. These are the next generation of the “Nigerian Prince” email scams, but AI is making them look much more authentic and therefore harder to detect.
The National Cyber Security Centre (NCSC) has some useful guidance for staff: How to spot a scam email, text message or call, which you can adapt into a bespoke training session that explains why this is important, and what to do if an employee is suspicious.
Training makes an individual less likely to click a suspicious link, or open a suspicious email, which, in turn, cuts down the risk of a successful phishing attack. It won’t prevent all such attacks, but could make a significant difference to your risk levels if staff know what to avoid, and why.
Successful training will also ensure that staff understand the importance of what they are doing and why, so a bespoke training package that you develop in-house can be more effective than bought-in training. We all know how frustrating it is to have to input strong passwords, and keep changing them, but understanding how this lowers the risk of a successful attack means staff are more likely to remember, and more likely to comply. Don’t assume that everyone understands how your systems work, and how they are linked. There are so many horror stories out there that can help – the pupil who googled “top 10 passwords” and managed to hack into a significant proportion of their teachers’ accounts, for example.
4. Put a disaster recovery plan in place
A disaster recovery plan (or business continuity plan), sets out what happens in the event that you suffer a major cyber-attack. It should be a practical document that any individual can follow to ensure that all the relevant people are made aware within set time frames, who is responsible for what, and what steps you will take. Having some simple steps and clearly defined responsibilities can really help when the initial panic sets in.
No plan will be perfect, and there will be specific situations and complexities that mean you will have to be flexible in its application, but the bare bones will at least give you a place to start. It’s a good idea to test the plans you have in place, and update them on a regular basis to make sure that they work for you.
When designing your plan, think about what would happen if critical systems are affected – so what if you can’t access payroll? What if phone lines and email are down so the public can’t get hold of you? Which of your systems are critical, and what can wait? These types of questions will help you work out what you might need in terms of a back-up plan, and what systems or areas you need to be up and running as a priority.
5. Back up your information
Finally – and linked very much to Tip 4 – make sure that your systems are backed up regularly, and you know where the back-up is, and how to access it. Ask questions about where the back-up is physically stored, what it’s linked to, and what security measures are in place to protect it. Having your back-up on the same system as your day-to-day is likely to be unhelpful if the whole system is compromised, so making sure that your back-up is suitably robust is key to mitigating some of the most costly consequences of a cyber-attack.
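The questions in Tip 5 (where is the back-up, what is it linked to, how is it protected, and can you actually get your data back) can be turned into a routine check. The script below is an added example, not code from the original article. The backup records, host names, policy thresholds (a daily backup, a restore test at least every 90 days, an encrypted off-line copy) and the sample files it restores are all constructed for illustration; adjust the thresholds to whatever your own policy says.

```python
"""Backup sanity checks: is each back-up recent, kept apart from the live
system, protected, and actually restorable?

Added example, not from the original article. Records, hosts, thresholds
and sample files are constructed for illustration.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Assumed policy thresholds (constructed, not from the article).
MAX_BACKUP_AGE = timedelta(days=1)          # a successful backup every day
MAX_RESTORE_TEST_AGE = timedelta(days=90)   # prove a restore works each quarter

# Constructed "now" and two constructed backup records: one done badly, one done well.
NOW = datetime(2024, 6, 6, 9, 0)
SAMPLE_RECORDS = [
    {"system": "payroll", "primary_host": "app-server-01", "backup_host": "app-server-01",
     "last_success": NOW - timedelta(hours=6), "last_restore_test": None,
     "encrypted": False, "offline_copy": False},
    {"system": "document-store", "primary_host": "file-server-01", "backup_host": "backup-vault-02",
     "last_success": NOW - timedelta(hours=20), "last_restore_test": NOW - timedelta(days=30),
     "encrypted": True, "offline_copy": True},
]


def check_backup(record, now):
    """Return the policy problems with one backup record (empty list = fine)."""
    problems = []
    if record["backup_host"] == record["primary_host"]:
        problems.append("back-up lives on the same system as the live data")
    if now - record["last_success"] > MAX_BACKUP_AGE:
        problems.append("last successful back-up is older than policy allows")
    if record["last_restore_test"] is None or now - record["last_restore_test"] > MAX_RESTORE_TEST_AGE:
        problems.append("restore has not been tested within the policy window")
    if not record["offline_copy"]:
        problems.append("no off-line copy that a compromised network cannot reach")
    if not record["encrypted"]:
        problems.append("back-up is not encrypted at rest")
    return problems


def sha256_of(path):
    """Checksum a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup_copy(live_dir, backup_dir):
    """Checksum every file under live_dir against its copy under backup_dir.
    Returns the relative paths that are missing from, or differ in, the back-up."""
    live_dir, backup_dir = Path(live_dir), Path(backup_dir)
    bad = []
    for live_file in sorted(p for p in live_dir.rglob("*") if p.is_file()):
        rel = live_file.relative_to(live_dir)
        copy = backup_dir / rel
        if not copy.is_file() or sha256_of(copy) != sha256_of(live_file):
            bad.append(str(rel))
    return bad


def demo_verify():
    """Self-contained restore test: build a tiny live tree, copy it, then
    corrupt one backed-up file and delete another to show both failure modes."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        live.mkdir()
        backup.mkdir()
        for name in ("payroll.csv", "minutes.txt", "contacts.txt"):
            (live / name).write_text(f"constructed sample content for {name}\n")
            (backup / name).write_text((live / name).read_text())
        (backup / "payroll.csv").write_text("corrupted\n")   # simulated damaged copy
        (backup / "contacts.txt").unlink()                    # simulated missing copy
        return verify_backup_copy(live, backup)


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        issues = check_backup(record, NOW)
        print(f"{record['system']}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
    print("Restore test found problems with:", demo_verify())
```

Run as-is, the payroll record fails four of the five policy checks (it is recent, but it sits on the live server, has never been restore-tested, has no off-line copy and is unencrypted), the document-store record passes, and the simulated restore reports the corrupted and missing files. The point of the restore test is the last question in Tip 5: a back-up you have never read back is only a hope, not a plan.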
The consequences of a cyber-attack can be devastating, and very costly. There’s the time it takes to understand what has happened and start putting things right, then there’s a cost associated with systems or services being unavailable because of the attack, and the potential for individual claims and regulator fines if things have gone very wrong.
Although attacks are impossible to prevent completely, there are things you can do to help prevent successful ones, or mitigate the losses if the worst happens, and not all of these steps involve expensive software options. People are usually your biggest risk factor, but understanding your risk is a really positive first step to taking relevant action.