Last week we saw a cyber hit-and-run attack on Tesco Bank customers, during which the offenders removed around 2.4 million pounds from 9,000 customer accounts. In January 2016 Lincolnshire County Council had a ransomware event, followed by a virus in North Lincs NHS, and in March 2016 Dorset County Council suffered more or less the same fate.
The kinds of attack deployed against companies and institutions vary, but can be collectively summarised as malware. Of these, ransomware in particular is on the up in the UK, with 54% of surveyed businesses having been targeted by this means. Ransomware works by encrypting your data once the offending code is on your system and withholding it until the ransom is paid, usually in Bitcoin, a form of digital currency.
A recent survey of 500 companies by Malwarebytes showed the problem is widespread, with many companies setting aside budget to pay the ransom. Although Tesco has not yet revealed the nature of the attack, from the outside it looks as though its systems were compromised either as the result of a direct hack or one assisted by malware.
The level of sophistication and capability of these attacks varies, and depends on a combination of the resources available to the malicious actors and what their objectives are. As can be seen from the amount of money taken from Tesco banking customers and the apparent ease with which it was done, the problem is not going away anytime soon.
IT teams and system designers spend a lot of time trying to reduce the efficacy of these attacks by improving IT security, which for the most part works reasonably well.
About 30% of disruptions that get through are categorised as “Human Error”. This can occur where an unwitting member of staff lets in a virus by clicking on a rogue email, or uses flash drives at work that have not been scanned for viruses.
It is inevitable that people will make mistakes; that fact is unavoidable. What I think we can do, however, is take action to reduce the number of times these mistakes occur. The way to do that is by educating our staff on what the problems are and how to avoid them.
IT is involved in all of our lives and is here to stay. If we are to have any chance of reducing the human error factor by any margin at all, education and training have to be more than a one-off session when you join the company.
I have set out a few ideas below that I think are low cost, easily achievable and would help to shut the door on easy access to our systems. The list is by no means exhaustive.
· Input to staff on cyber security when joining the organisation and twice yearly after that.
· Input on cyber security when staff are promoted or move section.
· Targeted input when real, relevant cyber events happen elsewhere.
· Cyber security responsibility put into staff development reports and made part of job description.
· Organisation information security department to run short education input via the website, with completion compulsory.
· Advice to staff on social engineering and phishing emails.
· Show staff YouTube videos on the subject – there are some good ones out there.
· Create a work environment where staff can confess quickly and without sanction if they do make a mistake.
· Advise staff on immediate actions if they think they have let a virus into the system.
I think that educating all staff in the benefits of cyber security should be a continuous process in the workplace. This kind of training has the potential to significantly reduce the number of disruptions to our activities that are presently caused by human error.