By Kirill Slavin, Managing Director, UK and Ireland, Kaspersky Lab
The 21st century heist
In the past few years, we have witnessed some of the largest, most costly cyberattacks on businesses to date.
Back in 2013, a man posing as a BT engineer entered a London branch of the Santander bank and attempted to install a keyboard, video and mouse (KVM) device that would have allowed hackers to access its network from outside.
The gang behind the 21st century heist operated out of a small office in a shed in Hounslow, west London. They had planned to use Wi-Fi to connect to the device and transfer funds electronically. Luckily, the plan was foiled following an intelligence-led operation by officers from the Metropolitan Police’s special E-Crime unit. They tipped the bank off that it was being targeted by hackers, although they were not sure which branch might be under attack.
Detective inspector Mark Raymond, of Scotland Yard's Police Central e-crime Unit, warned at the time: “This was a sophisticated plot that could have led to the loss of a very large amount of money from the bank, and is the most significant case of this kind that we have come across.”
The starting point for hacks
The good news is that due to such widespread media coverage, businesses are more conscious than ever about security and are much more inclined to protect their systems from such hacks. The trouble is, no matter how sophisticated an attack may be, most hacks start by tricking an employee, with something as simple as clicking on a dodgy link or opening an infected attachment.
Security is no longer an issue solely for the IT department or technology experts within the business – it’s now a universal issue, with each and every employee a potential entry point for unscrupulous cybercriminals. But can we trust the user to protect themselves? The common theory is no. However, this generation of workers is savvier than the industry sometimes gives it credit for.
But can you be sure that your employees understand what spear-phishing means? Do they understand watering-hole attacks? It’s vital to find a simple way to ensure the threats are understood by employees at all levels.
The curse of the authorised intruder
It’s not just those on your payroll that you need to educate and monitor. A modern business has the proverbial revolving door of visitors to its offices, whether they are contractors, clients, partners, delivery drivers or salesmen hauling their wares. How much freedom should you give them? For example, is it ever a good idea to allow the contractor who visits your office each week to connect a USB stick to a company computer? After all, knowingly or otherwise, this device could be infected with malware, ready to infiltrate the company’s systems and steal valuable information.
Lessons learnt from Stuxnet
At the beginning of the decade, one of the most famous cyberattacks of all time played out, as an Iranian double agent working for Israel used a standard thumb drive carrying a deadly payload to infect Iran's Natanz nuclear facility with the highly destructive Stuxnet computer worm.
Stuxnet quickly propagated and knocked the facility offline, temporarily crippling Iran's nuclear program. The perpetrators knew that using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility.
Time for class
Robust security technology is a great starting point, but all the technology defences in the world can't help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources.
From the largest multi-national organisations, to innovative start-ups, it is imperative that employees are taught about the different security risks facing them and how best to prevent them. From creating security do’s and don’ts to running in-depth training sessions, there are simple steps that all businesses can take to make the complicated matter of security more human.
Training employees is now a critical element of security. Whilst most are now happy inhabiting the online world, they need to be reminded of the value of protecting sensitive data and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online. Most importantly, they need to understand the policies and practices they are expected to follow regarding Internet safety.
With proper education, organisations can empower staff to protect their endpoints, ultimately adding an extra layer of defence for the valuable data that resides in all modern-day businesses.
Five top tips for your workforce:
• Do not trust suspicious emails
Educate your staff not to blindly open emails with unknown links, attachments or requests to provide private or corporate data, even if they have been sent from a familiar address. It’s quite possible that fraudsters are trying to trick you into giving them access to the company’s confidential information.
• Only use scanned USB media
If staff are given another person’s USB media, they should always scan it first for malware. Teach them to be especially careful with any media received as a gift, especially if they don’t know the person who gave it to them.
• Do not forget about updates
Cybercriminals are constantly seeking ways to penetrate corporate networks. Ensure that staff get in the habit of promptly applying updates to their operating system and any key applications.
• Public Wi-Fi is not safe
Staff should be taught not to connect to unprotected or unknown private networks. On public Wi-Fi, they should use a VPN connection wherever possible when working with corporate documents. When using a device in a public place, they need to be mindful of people around them seeing any information that is displayed, or noticing the password they enter.
• Be careful when placing corporate information on social networking sites
With social media ever more prevalent, staff are likely to have numerous accounts. In addition to writing a social media policy, make sure they are careful with the information they place on social networking sites, especially anything confidential or defamatory. Also, educate staff not to add unknown people as friends but first check recommendations and mutual friends to make sure this is not a fraudster trying to gain their trust.
• Do not ignore the first line of cyber-defence
A strong, complex password that is changed on a regular basis is a vital first line of defence against cybercrime. Educate staff that a simple password makes it easier for fraudsters to access personal and business data. The longer the password, the more reliably it protects a device against hackers and data theft. A strong password should combine letters, numbers and symbols, and should be different across different devices and accounts. Make sure staff don’t write down their passwords on Post-it notes stuck to their screens or store them on their devices, especially not in an unencrypted form.