Cyber Resilience – Prevention Rather Than Cure

Do you remember what you were doing on Friday 12th May 2017?

For many, it should have been about planning the weekend, wrapping up for the week and writing their to-do list ready to start again on Monday morning. But instead, we were gripped by a story which affected almost everyone in the UK. Our NHS had been attacked.

You may remember the discussions with colleagues and family. The idea of a cyber-attack was nothing new, but it was probably the first time that it felt so personal. Operations were cancelled, computers were shut down across an estimated 40 NHS organisations and work ground to a halt. It did, however, have one positive outcome: Cyber Resilience was very much back on the agenda.

This week (11th-15th September 2017) is Cyber Resilience Week with over 40 events taking place across the UK, educating businesses on how to better protect themselves from online threats, and prepare their business for an increasingly digital future. We (DigiEnable) teamed up with our good friends at Magma to run a morning seminar at Downtown in Business’s Rise and Grind event. Over 30 businesses turned up to network, chat and discuss what it takes to become cyber resilient.

First, it was important to understand the difference between “Cyber Security” and “Cyber Resilience”, a difference which at first glance is not very obvious. The simplest way to think about it is that within “Cyber Security” you can only be one of two things: Secure or Insecure.

Cyber Resilience, however, is more about risk management, and ensuring that your business has systems and procedures in place to reduce the risk of cyber-attacks and data breaches. Cyber Resilience could involve anything from a new page in the staff handbook or an extra hour on an induction, right through to complex software solutions, but the important thing is that you’re thinking about it, and more importantly, you’re taking action.

In a recent survey, 20% of businesses stated that losing access to their systems for a day would have no detrimental effect on their business. A quick survey of the room found that there wasn’t a single business in the room who felt the same way. Whether it’s websites, customer databases, POS Systems (electronic tills) or simply e-mail, in most cases if they stop, so does the business. At present, 77% of businesses do not have a cyber-security strategy. So, is it time to invest in the best software, most secure systems and hi-tech solutions? Actually, we’d suggest you start somewhere else: your team.

One of the fastest growing areas of cyber-crime is CEO Fraud. To date, around £32 million has been lost to online fraudsters, with only £1 million being recovered by its victims. The concept is scarily simple: the fraudster sends an email to a member of the finance team under the guise of the CEO, asking for an amount to be transferred to a specific account as a matter of urgency. The member of staff follows their boss’s instructions, only for the money to end up moved between various accounts, ultimately becoming untraceable.

Protecting yourself against CEO fraud can be relatively simple: introduce a policy within your finance department that states no payment request received by email should be actioned without a phone call to back it up, regardless of who it comes from. Most businesses affected by CEO fraud stated that the email came from a Gmail or a Yahoo account. Carefully checking the sender’s address will usually reveal subtle but important variations telling you that it’s not really the boss who has made the request.
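The sender check described above can also be automated as a first filter. The following is an added example, not part of the original post; the company domain, the executive name and the sample headers are constructed placeholders.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"   # assumption: replace with your real mail domain
EXECUTIVES = {"jane smith"}        # assumption: names a fraudster might impersonate
FREE_MAIL = {"gmail.com", "yahoo.com", "yahoo.co.uk"}  # providers named in the article


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return the sender red flags found in a From header (empty list if none)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain == COMPANY_DOMAIN:
        # A genuine domain proves nothing about the request itself:
        # the phone-call policy still applies to every payment.
        return reasons
    if name.strip().lower() in EXECUTIVES:
        reasons.append("executive display name on an external address")
    if domain in FREE_MAIL:
        reasons.append("free webmail domain")
    elif edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append("domain is a near-miss of the company domain")
    return reasons


# Constructed sample headers, not taken from real incidents.
SAMPLES = [
    "Jane Smith <jane.smith@example.co.uk>",
    "Jane Smith <jane.smith.ceo@gmail.com>",
    "Jane Smith <jane.smith@exarnple.co.uk>",   # "rn" standing in for "m"
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no sender red flags")
```

A clean result only means the address looks right; the call-back policy is what stops a request sent from a compromised genuine mailbox.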

Another area of growing concern is password security. Everyone knows someone who has a “password book”, a small notebook they keep by their computer with all their passwords (and usually important company passwords) written down in case they forget them. Guess what, that’s not that secure. We’ve even heard of passwords being stuck to computer screens on post-it notes to make them easier to remember. A simple rule to remember is that if others could see your password while you’re away from your desk, it isn’t secure, and your data and your business could be at risk.

We recently attended a “Cyber Security” talk hosted by Sarah Green at Training 2000, who shared a humorous, yet worrying video about how easily people can be coerced into sharing their passwords. Watch the clip below, and ask yourself how you would respond if asked these questions.

Most people still have one password which they use for most of their online accounts, which means that if someone can gain access to one, they have access to all your accounts. There has been a long-held belief that replacing letters within your password with numbers and characters is the best way to beat the hackers.

Unfortunately, as recently admitted by the inventor of this more complex system, this provides no more security than a single-word password, as brute force password finders easily include these additional characters in their hacking software. So instead of “Pa5sW0Rd”, how about using a longer phrase which would take hacking software much longer to break, such as “nobodywilleverguessthis”? A quick check on https://howsecureismypassword.net/ shows that the first, “Pa5sW0rd”, could be cracked within 2 hours, while the longer password would take 277 trillion years. Which one makes you feel more secure?
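To see why swapped characters add so little while extra words add a lot, the added example below (not from the original post) counts guesses under a simple model. The 10,000-word list size, the substitution table and the tiny word set are assumptions for illustration, and the results are guess counts rather than the cracking times quoted above.

```python
# Assumptions for illustration: word list size and the swaps a guessing tool knows.
WORDLIST_SIZE = 10_000
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
WORDS = {"password", "nobody", "will", "ever", "guess", "this"}  # tiny constructed sample


def demangle(pw):
    """Undo case changes and common character swaps."""
    return "".join(LEET.get(c, c) for c in pw.lower())


def split_words(s):
    """Split s into known words (dynamic programming); None if impossible."""
    best = {0: []}
    for end in range(1, len(s) + 1):
        for start in range(end):
            if start in best and s[start:end] in WORDS:
                best[end] = best[start] + [s[start:end]]
                break
    return best.get(len(s))


def estimated_guesses(pw):
    """Rough upper bound on guesses for a word-list search with mangling rules."""
    words = split_words(demangle(pw))
    if words is None:
        # No word pattern found: fall back to trying every character combination.
        charset = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
                   + 10 * any(c.isdigit() for c in pw) + 33 * any(not c.isalnum() for c in pw))
        return charset ** len(pw)
    if pw == "".join(words):
        mangling = 1  # plain lowercase words are tried first
    else:
        # Every letter may be upper or lower case (x2 each);
        # every letter that has a common swap may be swapped (x2 each).
        swappable = sum(c in LEET.values() for c in "".join(words))
        mangling = 2 ** len(pw) * 2 ** swappable
    return WORDLIST_SIZE ** len(words) * mangling


if __name__ == "__main__":
    for candidate in ("password", "Pa5sW0Rd", "nobodywilleverguessthis"):
        print(f"{candidate:25} ~{estimated_guesses(candidate):.1e} guesses")
```

Under this model the mangling multiplies the work by a few thousand, while each extra word multiplies it by the size of the whole word list.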

You’d hope that the majority of people understand that passwords exist for a reason, to keep what’s on the other side of the password secure.

Yet many still prioritise easy-to-remember passwords over secure ones. Check out the list of the top 10 most commonly used passwords. If yours is on it, it may be time for a change.

Nobody claims that “Cyber Resilience” is an easy subject to approach with staff. We live in a world where there is always another “risk” to be aware of, and it’s easy for threat fatigue to set in and to think “it’ll never happen to me”. But it’s at those times that you become most vulnerable.

We like to give our staff and colleagues the freedom to work remotely, from home, from coffee shops, which is great for flexibility and morale, but are you aware of the security concerns that come with logging onto a free wi-fi connection (read our blog on staying secure in coffee shops)? With a small amount of guidance on how to check a free wi-fi connection is secure, and the benefits of using a VPN, you can rest a little easier that you’re taking all the precautions needed, to work how and where suits you.

Ultimately, that is the overarching message regarding cyber resilience. Taking time to think about potential issues now, rather than waiting until the issue occurs, is key to becoming more cyber resilient. For example, enabling 2 Factor Authentication on any accounts that allow it is a great way to protect yourself. Even if someone has managed to get hold of your password, they still need your phone or other authentication tool to be able to access your accounts.

Inevitably, a discussion around protecting yourself and your data leads into what is probably the hottest topic in business circles right now: how are you protecting not only your data, but also your customers’ data? In other words, GDPR.

GDPR (General Data Protection Regulation) comes into effect in May 2017. It’s a new EU-wide regulation which standardises the way citizens’ data is handled and processed. This section of the presentation was led by Jeremy Coates (Magma). As his company handles massive amounts of data on a daily basis, he’s had to learn the ins and outs of the new laws to protect his own business, and the interests and data of his clients.

Jeremy made it clear that GDPR is a great idea, and should be welcomed. As citizens, we’re assured that unnecessary data will not be held about us without our permission, but from a business perspective there is a huge task ahead to prepare ourselves, and ensure we are not at risk of the “up to 20 million Euros” fine for those who do not adhere to the new rules.

With (at time of publishing) only 251 days to go until GDPR becomes law, there are some scary statistics around how ready businesses are for it. A recent survey found that less than half of SME owners have heard of GDPR, with less than 10% saying that they understand it. Now is the time to speak to someone in the know. The new regulations aim to strengthen the resilience of a business against data breaches – and paying more attention to how, and why, you hold customer data can only be a good thing.

As we reached the Q&A element of the workshop, there was simply not enough time to answer everyone’s questions, so the idea was floated for a follow-up event in the near future. Both the organisers and the attendees agreed that this was a good idea and we hope to be able to bring you further details on this in the near future. As promised, all the slides and video used in the presentation have been collated in a handy bundle.

The workshop was prompted by Cyber Resilience Week 2017, but it’s prompted awareness and interest from businesses that will continue long beyond the focus week. Maybe 2017 will become the year of Cyber Resilience, and with our Downtown in Business event being just one of over 40 across the UK, this week could start a new movement of businesses understanding that digital resilience is not a one-off event, but a fundamental way of working.