Cyber Security Series: 2. Power to the People

Who’d be a CISO nowadays? Expected to set and oversee information security strategy, and potentially take the fall should a breach occur. You need eyes in the back of your network, trust in your team and the ability to influence the board with sound business arguments, not horror stories. The world’s first CISO is widely acknowledged as Steve Katz, who was hired by Citigroup in 1995 after it came under attack from a hacker trying to steal $10m by gaming the international transfer funds system. The breach was spotted by members of the Citigroup team who noticed anomalies on transactional printouts and rang the alarm. The fact that this issue was captured by employees rather than being flagged by the system led Katz to state:“It shows you the importance of people within the overall information security process. They are your greatest risk, and your greatest asset.”In this article, the second in our Cyber Security Series, we’ll look at the most common types of cyber crime and the actions we can take as a result. Let’s begin by being clear on one thing:

Cyber crime sits in the hands of people, not PCs

The first point in considering cyber crime is that there is always a person, or people, behind any criminal action. Fortunately, we’re not yet in a position where devices have decided of their own free will to empty the bank accounts of innocent citizens or steal organisational data – what would a laptop want with £1,500 or the passport number of Bill Evans from Solihull?Because we know that it’s other human beings behind criminal activity, we have a distinct advantage over computers – the ability to think in a way that only humans do. And whilst we may not personally understand what drives someone to become a cyber criminal, we can be clear on why someone wants to attack our organisation. Broadly speaking, these reasons will fall into one of the following categories:

Child’s Play

Life for teenagers has changed a lot in the last twenty years. Whereas previously you might have got your kicks by graffitiing a shop front or setting off a fire extinguisher, you can now wreak havoc with a cheap drone and some basic coding skills. The expansion of IoT-enabled devices is leading to a trend in breaches that might perhaps fall under the category of ‘mischief’ such as hijacking office lighting.  

“It shows you the importance of people within the overall information security process. They are your greatest risk, and your greatest asset” – Steve Katz

Lessons Learned

Where there’s an IP address, there’s a way. Organisations need to think not just about core infrastructure, but every single connected device. Gartner predicts that by 2020, more than 25% of identified enterprise attacks will involve IoT.

An axe to grind

We all have the occasional bad day at work, but some people take their grievances to extremes. The well-publicised Morrisons data breach in 2014, which compromised the details of 100,000 employees, and cost the company £2m to put right, was put down to the actions of just one disgruntled employee. Andrew Skelton was sentenced to eight years in prison but that wasn’t the end of the story. In December 2017, the High Court ruled that Morrisons was ‘vicariously liable’ for the breach, paving the way for a compensation claim filed by over 5,000 staff and highlighting even greater need for employers to think about who has access to their data.

Lessons Learned

Data security is not just ‘an IT issue’. In this instance, HR comes into play as it is believed that Skelton’s motivation was the result of a disciplinary procedure. Questions have since been raised about whether it is appropriate for employees facing disciplinary action to continue to have access to confidential data. This article offers some sound advice on how companies can seek to minimise the risk of employees causing, or falling victim to, a breach.

Financial gain

Why go to the risk and trouble of robbing a bank or conning people on their doorstep when you can steal hundreds of thousands of pounds from the comfort of your own laptop? As we make our homes and buildings safer, criminals are quick to seek out weak spots beyond our four walls – and as it stands, there’s still plenty to exploit. A court sentenced British cyber criminal Grant West to more than 10 years in prison after finding him guilty of defrauding individuals and selling information that had been stolen from organisations including Asda, Ladbrokes, Barclays and BA.

Lesson Learned

Corporate data doesn’t just sit within HQ. Some of the information stolen was via reward systems – BA’s data was stolen via Avios. This means that to adequately protect the information held on your customers, your third party partners and suppliers must hold the same high standards as you.A secondary element in this case was the use of phishing. West sent emails purporting to be from Just Eat, offering a reward in return for card details. Just because these emails were consumer in nature, it doesn’t mean that they weren’t viewed or responded to on corporate devices. Adequate employee training and controls to capture phishing emails will minimise the effectiveness of this kind of attack.

Organised crime

Europol’s Serious and Organised Crime Threat Assessment (SOCTA) report details the rapid expansion of ‘traditional’ organised crime groups into online activities, resulting in the creation of Crime as a Service or ‘CaaS’. CaaS allows entry-level cyber criminals to carry out attacks at a scale disproportionate to their technical capability. In 2016, an international criminal infrastructure platform known as ‘Avalanche’ was finally dismantled after four years of co-operation between law enforcement agencies, investigators and prosecutors from 30 countries. To give an idea of the scale of the Avalanche platform, its dismantling resulted in the seizing and blocking of over 800,000 domains. The precise cost of the damage caused by the platform is unknown, but conservatively estimated to be in the hundreds of millions of Euros.

Lesson Learned

Cyber crime is serious business and it’s growing. We need to place the same level of importance on protecting our organisations, data and employees at a cyber level as we do on a physical level.

Giving Power to Your People

With so many people potentially out to get your business – how do you know who the ‘Good Guys’ are? Going back to Steve Katz’s quote, it’s (almost) everyone in your business. They each have the potential to operate in a manner that greatly reduces the risk of your organisation becoming a victim of cyber crime – and they don’t need to be White Hats to do it. Here’s some quick tips on helping to make sure everyone takes ownership – and the CISO has a fighting chance of successfully implementing their strategy.

Be clear about the impact of a cyber crime

In a worst case scenario, cyber crime results not just in reputational and financial losses, it results in job losses too. Employees need to understand the real-world impact of cyber crime, and the importance of small actions on their part.

Make it real

Helping employees spot the classic signs of cyber crime, such as phishing emails, will have a positive impact on their personal lives. If it helps to give a flavour of the scale, it’s worth knowing that the National Cyber Security Centre (NCSC) Active Cyber Defence programme blocks on average 4.5 million malicious emails a month from reaching users. Cyber security training is not just a ‘corporate initiative’ – it is equipping people to protect themselves from modern crime.

Clearly communicated processes

What should someone do if their device presents a ransomware message? Disconnect from the network? Inform IT security? Clear processes result in decisive action that can minimise the damage of an attack.

Make it an agenda item

If there’s a new threat on the horizon, don’t restrict the knowledge to the IT security team. Cyber security should be on everyone’s agenda.

Create an early warning system

Some malware can sit within an organisation for months and it may not choose to surface on the CISO’s desk first. Give employees a clear view of what constitutes unusual or suspicious activity and get them to report it immediately. Put the power in the hands of your people.‘Cyber Security – Power to the People is the second in a series of articles designed to encourage debate and action in organisations who want to take a positive approach to cyber security. Our recommendations are based on the experiences of our customers, the knowledge of our cyber security team and analyst insights. To discuss any aspect of this article, please comment below and we’ll get in touch, or contact our Security Solutions Architect, Iain Marsh, at [email protected]. Find out more about SCC’s cyber security services