It’s no surprise to say that we have become a technology-reliant culture. Every organisation – whether operating in the public or the private sector – relies on technology in some way or another as part of its processes. As a result, keeping the information these systems hold secure has become a focal point for organisations.
It’s important to understand that cyber security is not like “normal” security. There is no single gatekeeper whose role is to keep our cyber systems safe. The responsibility belongs to everyone in an organisation – but it is down to those in leadership positions to stress the importance of cyber security to other employees and develop a strategy that is tailored to the risks of each organisation.
How much information do you share?
A large part of avoiding cyber attacks comes down to awareness. Are you aware of how much information you’re already sharing publicly and how this information can make you vulnerable? Are you aware of how your behaviour can impact the larger organisation?
Many of us already share information on social media, whether through public Facebook pages, Twitter profiles and tweets, LinkedIn accounts, or any number of other websites. While at first this may not seem like much of a problem, it can make you more vulnerable to cyber attacks.
Take the (fictional) example of Jane Smith, who spoke at a conference recently and announced her company’s partnership with the NHS to provide a new service to clinicians. Jane tweeted about the conference and about her announcement. She also tweeted about some other news announcements made that day.
The next day, Jane receives an email from a journalist who was at the conference but unable to speak to her because, he says, he was busy with another announcement that Jane had also tweeted about. He would like her to email him a few responses to some questions he has attached. The journalist claims to be from a well-known national publication, and Jane has no reason to believe it to be anything other than a legitimate request, so she opens the attachment, reads the questions, types up a response, and sends it on.
This seemingly innocent situation may be just that – a great opportunity to publicise the department’s work. Alternatively, it may have been one of an increasing number of cyber attacks made upon people, in this case a “spear-phishing” attack. These are carefully crafted emails that make use of a person’s personal information, often harvested from social media and websites. The purpose is to make the email entirely believable so that the target clicks on links or opens attachments in the email.
These links and attachments typically download malware: malicious software that might be designed to grant control of your computer to the attacker, allowing them to gain access to your organisation’s wider computing infrastructure or to access sensitive information held on your computer. It might also be ransomware, encrypting your computer’s data files so that they become unusable – unless you hand over payment in return for unlocking your data. These are just two types of attacks that are seen every day by security specialists.
Of course, the answer here isn’t to prevent employees from using the internet and emails. It is not a suggestion to use less technology, but the example illustrates what can happen when Jane doesn’t appreciate the risks or give some thought to the kind of precautions she should take.
Vigilance and awareness
Senior managers also need to prioritise cyber security – one of the fundamental measures to ensure good cyber security is leadership. People at the top of an organisation need to communicate the importance of keeping the organisation secure and creating a culture of security awareness. They must draw attention to the need for vigilance and awareness, asking people to think about the personal information they share – the “digital footprint” that everyone now has.
Leaders must also drive culture change, encouraging the organisation to think about security and risk, and discouraging complacency and belief in security absolutes. They need to acknowledge that cyber security attacks will happen frequently and that the attackers will occasionally be successful, so leadership is needed to prepare for and respond to such events, including support for investment in the measures necessary to reduce both the chance of succumbing to an attack and its impact. When you consider that over 80% of large corporations and 60% of small businesses reported suffering a cyber breach in 2014 (according to last year’s information security breaches survey from the Department for Business, Innovation & Skills), and that the average cost of each incident is over a million pounds, such investment seems a small price to pay.