I am working on two IT and Cyber Security Audits – and I could not get Diana to fill in for me for “The Wednesday Bit” this week although she did an excellent job last week.
IT and Cyber Security Audit | Smart Thinking Solutions
Here is something I wrote back in July 2022 for another cyber security site about how important everyone is in an organisation when it comes to cyber security.
Why should I bother with Cyber Security Awareness Training for my team?
“Everyone in any organisation has a role to play in the cyber security planning and implementation for that organisation, so cyber security training has to be part of the security framework the organisation creates.”
The question at the top of the page is a valid question for any business. Any extra expense on a business in the current economic climate, should be questioned and the decision to spend be based on the benefits to the business.
You will tell me that you implement strong passwords, buy an anti-virus solution, use multi-factor authentication on your most important accounts, have a backup you keep off site on a portable hard drive and even from time to time look at the National Cyber Security Centre website. “Isn’t that enough for any business?”.
Now as we are selling the training, you would expect me to say “just buy it”, “you need it” – and of course, you pay up – but no let’s look at the case for “Everyone in any organisation has a role to play in cyber security planning”.
A few words about the threat landscape.
A quick look at the news feed here atSmart Thinking, will quickly show you that cyber security is rarely out of the mainstream news. Whether it is a ransomware attack at a major company, spyware infecting politicians, or simple data loss by a careless employee with no threat actors involved. The examples linked to here, were, at the time of writing, taken from last week’s news stories! Cyber security is a problem that every business or organisation, large or small, must face and must plan for.
But you say, “I am not a major company, why would threat actors target me?”.
Well the first thing is that one of the examples above was just “business stupidity”, allowing an employee to download unencrypted data to a memory stick – probably the most “lost” bit of technology after UK government laptops in taxis. My first questions in investigating an incident such as this is:
• Can I see the policies and procedures relating to transferring company information and the use of USB memory devices?
• Can I see the training schedule for staff that relates to these policies?
If, for your information security, you rely simply on staff signing that they have read and understood the policies, rather than implementing effective cyber security training, then you can see why unencrypted data is lost.
The next point is that the sending of links to malicious software and websites is primarily indiscriminate – anyone could receive one of these phishing emails. In Q2 of 2021, 42% of ransomware malware was delivered by phishing, exploiting the user’s trust with social engineering techniques (Kshetri and Voas. 2022). The big companies make the headlines when they get infected with malware, the small companies don’t make the news but still lose a lot of money as a result of the attack.
Paying the ransom is not a viable option, as this often leads to subsequent attacks, as the threat actors know you are not prepared for an attack and are willing to pay (Cybereason. 2022). Remember ransomware has moved on from a nuisance cottage industry, to ransomware operations (ransomware ops), where international gangs operate in a business-like fashion, seeking targets of opportunity as well as the big fish targets (Kshetri and Voas. 2022) and (Cybereason. 2022).
“I have bought a business standard anti-virus package which everyone uses”
It is the nature of cyber security that we are often catching up with the actions of the threat actors.
This statement is very true of software and anti-virus vendors, who may discover a vulnerability in their systems only after the threat actors have started to exploit it. So there is often a gap – referred to as a zero-day threat – between the vulnerability being discovered and exploited and the patches and anti-virus updates reaching us, the users (Bilge and Dumitraş. 2012) – this means your business or organisation is at risk during that gap. The anti-virus package can only protect your organisation if it knows about the malware (fig.1).
fig.1 ESET anti-virus removes a known threat from a phishing email in Outlook
(Why did I include the above screenshot? This phishing email, complete with malware came into my Outlook whilst I was writing this article – the threat is real.)
It is during a zero-day vulnerability period that the ability of your team to spot malicious emails and attachments, and know how to deal with them, is vital to support your technical defences. But of course you, your team and the software vendors do not know when the periods of vulnerability are, only the people who discover the vulnerabilities know. If it is threat actors they can start to exploit them, if it is the software vendors they are in a race to fix things before the threat actors get involved – you, your business and team are in the middle.
And so to Cyber Security Awareness Training…
Without effective Cyber Security Awareness Training of all your team, your organisation could become a target of opportunity for the threat actors.
Ask yourself; does your team know:
• The social engineering techniques used in potential phishing emails?
• What a business email compromise attack is?
• How social media aids threat actors?
• The importance of using unique strong passwords and MFA?
• What to do if they do click on a link or visit a malicious website?
• Do they understand the importance of you not running a “blame culture” at your organisation?
• Do you understand why a “blame culture” is the threat actor’s “best friend”?
• Have you thought about the “insider threat”?
If you regularly run exercises and training across your whole team, covering these points then you are right, our training is not for you. If you do not, then we have the training programme for you.
Conclusion
I write my cyber security blog (nearly) every day after researching the latest threats and I can see that the cyber security threat landscape for businesses and organisations is something that we all need to be taking action about. The threats are constantly changing as are the targets. We have to be prepared and I consider our flexible cyber security training is a positive step in improving everyone’s cyber security.
Clive Catton MSc (Cyber Security) – by-line and other articles
References
Cybereason. (2022). Report: Ransomware Attacks and the True Cost to Business 2022. Retrieved July 1, 2022, from https://www.cybereason.com/blog/report-ransomware-attacks-and-the-true-cost-to-business-2022
Kshetri, N., & Voas, J. (2022). Ransomware as a Business (RaaB). IT Professional, 24(02), 83-87.
Bilge, L., & Dumitraş, T. (2012, October). Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM conference on Computer and communications security (pp. 833-844).
Further Reading
Photo by Mike Jones
