Recent security research suggests most companies have poor cybersecurity practices in place, making them vulnerable to data loss. To successfully fight against malicious intent, it’s imperative that companies make cybersecurity awareness, prevention, and security best practices a part of their culture.
As October is Cyber Security Awareness month we put some questions to our Head of Technical Services, Richard Abrams, on some of the key things businesses should be considering to strengthen their security posture.
What do you think will be the biggest cyber risk to look out for in the coming months and years?
What we’ve seen over the last four or five years was an explosion of ransomware type attacks, this involved viruses and malware that would encrypt peoples’ data.
Defences have gotten better against those types of attacks, but as those defences have gotten better, cyber criminals have become more wily in the way they exploit people. And there’s a couple of ways that’s happening and more often.
One is phishing - this is where users are directed to a website or a link via an email that looks benign so it could be something like a password reset or a login to a website that they know. They put in their credentials and hackers then harvest those details and test them to brute force attack other systems. So, it could be an attack on one system and then the same username and password is used elsewhere. And this is all about getting a foothold and using that foothold to spiral out and attack elsewhere.
The other type of attack that we see is exploits, where people are exploiting gaps or weaknesses in hardware and software. Most recently a large mobile provider advised everybody to update their tablets and their phones because they discovered an exploit. And the issue is that these vendors are finding out about these exploits after they’ve been exploited so it’s always after the horse has bolted. You’ve got to get everybody to update because in that gap more people are going to get caught out and become infected.
What are the main trends and changes you’re seeing impacting businesses?
Since the pandemic, we’ve moved to a ‘new normal’ and by that we mean hybrid working, home working, more user silos away from our corporate environment, and more at the mercy of hackers as a result. Users are now working on their home network where they might be sharing a device, sharing an internet connection with their kids or a spouse, or using their own devices. “Bring your own devices” is a term where you’re using your own mobile phone or your own laptop to access corporate data and that means there’s a lot more things for IT managers to consider. It’s becoming a very difficult and fragmented place to monitor cyber security.
How important is the human factor in cyber security from a risk perspective?
An IT manager can put in multiple layers of security and should, but, at the end of the day, the human psyche and the human being is very much part of that puzzle. If colleagues in your business haven’t received cyber education, they can fall foul regardless of what mitigation you put in place, social engineering is a classic example of that. If you can teach users to spot something that doesn’t look right, have good password practice or to use multi factor authentication, then good education becomes part of your security culture and is an integral part of the overall cyber security posture that every organisation should have.
You can watch Richard Abrams in our feature with ITN Productions ‘Cyber Security: Securing Our Future’ for further information. Or if you’d like to find out more about the cyber education services Kick offers, please get in touch with our experts. We’re here to help.