September 5, 2018

Should you click on this link?
Ever since an unlucky or gullible Trojan uttered the words: “Ooh look – someone’s sent us a lovely wooden horse…” one thing has been painfully apparent regarding security of any kind: any security system is only as secure as the people who are part of it. In other words, the most powerful and effective tool in your information security toolkit is your people – and malicious data thieves know this. That’s why they exploit apathy, laziness, carelessness, our egos and our innate curiosity. It’s why your team must be fully engaged with the right knowledge, beliefs and behaviours if you want to secure your organisation effectively.

Two examples. A surprisingly common UK phenomenon involves security breaches initiated by people innocently picking up apparently carelessly discarded USB sticks in car parks and inserting them into a workplace machine to see what’s on there, or whether there’s any free space. Curiosity will get you every time. Then there’s curiosity’s sometime-nemesis, ‘assumption’. A modern fable: recently, someone who, for the purposes of this article, we’ll refer to as my eldest child left what we’ll call, for illustrative purposes, our house, locking the front door but leaving a ground-floor window open. Luckily, nothing unfortunate happened this time – and the reason for the inviting aperture was very plausible: “…I didn’t think anyone could get in through that window.” The road to Hell has been resurfaced; sections of it are actually now paved with assumptions. (To balance the record, I left our back door unlocked all night once, by accident.)

Which brings me to why I used the term data thieves. These people range from the feckless, the bored and/or mischievous opportunists, through to career criminals who are seriously intent on causing damage to your property, and in the case of data theft, your reputation. We’ve all heard of those high-profile cases. At the extreme end, there are alleged malicious attacks by state machinery, seeking to gain competitive advantage, destabilise economies and perhaps even democracies. Regardless, the results can always be devastating, whether it’s a systems breach, data theft or full-blown ransomware – and there is much information available online explaining each of these nightmares.

Sticking with business, the stats are scary. According to a 2017 report by Accenture the average annualised cost of cyber-attacks was $11.7m, with the US at $22.12m, the UK at $8.74m and France and Germany hovering at close to $8m, with the overall annual figure rising by 27.4% in one year alone. Other sources report higher numbers. If your business relies on information or data and keeps or processes it (and few businesses do not fall into one of those categories these days) then the cost to your business can be extreme – not just because of the potential financial damage, but the subsequent catastrophic loss of trust in your brand. As more companies put confidential and sensitive data into ‘the cloud’, workplace mobility and international matrix working become more commonplace, and as the rise of networked devices heralds the internet of things, the potential vulnerabilities will increase exponentially. So, what can be done to protect our businesses?

Instinctif Partners starts with the premise that any information security protocol is as secure as the least diligent person applying it. Assuming that you have an excellent IT department, or a similarly qualified consultant to help you take care of hardware and software, an equal emphasis and focus should be placed on your people. They need to be made aware of the scope, nature and potential impact of cyber-attacks, malware etc., and it’s key that they understand their role in the chain of events where each potential scenario is concerned. However, this on its own is not enough.

Purposeful and effective behaviours are key to ensuring the success of any information security policies and protocols. This includes encouraging your people to form good habits, and ensuring that they continually question and learn to recognise each threat as it arises, remaining alert and informed of any new issues as they develop. This need not be an exercise in anxiety – secure behaviour should be as second nature as looking up from your mobile phone when crossing the road – paying attention, adopting the right behaviours, and not making assumptions. Ever sniffed a slice of bread to check that it’s fresh before popping it in the toaster? With the right awareness, understanding, nudges, behavioural change and engagement programmes in place, a continuously engaged team can become a strong line of defence against cyber-attacks.

It certainly should not be left to chance, or curiosity. Wooden horse, anyone?