Stay Cyber Secure
Working from home has become the new normal for almost anyone with an office-based job. Bringing with it many benefits but also a number of additional challenges. Most importantly, home workers now need to become much more active in managing their own cyber security.
In order for businesses to feel more secure it is essential that your workforce follows these five simple rules to reduce the likelihood of a cyber incident and the resulting impact on the business.
Rule One: Stop and Think
Be careful about who you share data with, and how you share it. Is it really necessary to send that spreadsheet, client presentation, HR data etc? If so, add passwords to the most sensitive documents and follow up with the recipient to ensure it has gone to the correct email address.
Always question documents received from outside of your network; even if you know and trust the sender. Although your company’s own internal security might be strong you can’t presume the same of your contacts, no matter how honest they might personally be.
Rule Two: Remain Vigilant
Always be vigilant, especially if connecting to your work network via a personal device. This means that you shouldn’t allow yourself to go into ‘home’ mode. Follow office rules:
- Don’t go onto websites you wouldn’t visit in the office.
- Don’t click on unknown links.
- Don’t leave your computer unlocked.
- Don’t download videoconferencing (or any other) software not explicitly condoned by your company.
If you are a manager, it is important when working remotely to ensure employees are continually reminded to remain vigilant and to treat their work computers and other technology (especially phones) in the way required by company policy. This can be done via daily or weekly email reminders, to ensure that cyber security always remains top of mind for your staff.
Rule Three: Don’t Ignore Software Updates
This one is simple. Keep on top of software updates. These are now more crucial than ever and you should restart your computer to allow updates to complete as soon as it is viable to do so. In addition shut down computers at the end of every day to allow overnight updates to occur.
Rule Four: Use VPNs
A VPN provides a secure and properly encrypted web connection for you and your employees’ work devices to access the work network. By encrypting traffic – where an employee has to connect to the internal network via public internet – it reduces the chances of exposing them, in particular to man-in-the-middle-attacks, but also to other intrusions from cyber criminals.
Rule Five: Backup Data
If you have responsibility for projects which contain data (which these days means most of us), make sure that you confirm with your IT team or IT service provider that backups of your files are occurring daily. To make these effective, set up protocols with teams to save all work to the company network, not onto the desktop. This ensures it will be backed up and also that it is protected by a more robust level of security. The new environment has driven us a huge step further towards paperless working, and this means that protecting our online information is even more important.
The article below, by Tom Malcolm, Head of UK Cyber at New Dawn Risk, was originally published in Insurance Day magazine on 3rd February 2020.
Most people look forward to retirement, and many have a ‘bucket list’ of ideas for what they want to do.
However, in the rapidly moving world of cyber risk, one fact of growing importance that is regularly missed by new retirees is that the withdrawal of the corporate umbrella also means the withdrawal of corporate cyber protection. Once the company laptop and phone are handed in, retirees are on their own with IT, and will, possibly for the first time in their lives, have to navigate their own way through the murky waters of cyber safety.
A critical multiplier of this problem is that not-for-profit organisations which interact with the retired community tend to have much lower levels of cyber protection than actively commercial companies. This means that this area is high risk and yet also severely under-protected – an almost perfect storm of increased vulnerability.
Most people who retire want to try something new, and the most common list of ideas includes taking holidays, volunteering or joining a club.
Unfortunately, all of these activities are characterised by high levels of cyber risk. Take travel. With 81% of holidays being booked online (Association of British Travel Agents) it is estimated that only 29% of travel sites offer full protection against phishing attempts. Holiday money firm Travelex was subject to a large-scale ransomware attack in January 2020. Although denied by Travelex, the hackers claim they had been in the Travelex systems for six months and had taken 5GB of sensitive customer data.
Meanwhile, local clubs and volunteer organisations also carry high data risk for participants. Almost all clubs and volunteer organisations have extremely low levels of data protection and limited cyber awareness. Payment protocols for club membership fees can be very insecure. Sports and social clubs and the like often have amateur committees, which leave levels of cyber awareness low-level and subject to chance. For example, if the club treasurer’s computer gets hacked, the direct debit and payment details of all members can quite easily be accessed.
With the exception of a few of the largest, very few charities also have the manpower to manage and protect fully against cyber risk. At their core, charities are looking to help the people they serve. This is done by maximising the money spent on their chosen sector and so additional spend and allocation of time on other security matters is limited.
But at the same time, they hold funds as well as personal, financial and commercial data. There are signs that this risk is now being recognised. The number of charities who treat cyber security as a high priority has gone up to 75% in 2019, compared with just 53% the year before, and is now at the same level as businesses.
With good news at the charity level, individuals here can help widen awareness of the issue by focusing on cyber security for any small community organisations that they’re involved in, and by asking whether some form of protection can be afforded.
Ill health and social care
Many older retirees have issues with health, mobility and care. People become more vulnerable, and yet the organisations that they interact with are not famed for their ability to protect the people they look after from hacking and related issues.
Hospitals and doctors’ surgeries have been at the centre of large-scale hacking incidents more than once, while care homes are acknowledged as often lacking strong central IT resources, let alone the risk factors that come from large numbers of care workers having direct access to residents’ belongings, including bank cards and data. A glance at the findings of Australia’s recent Royal Commission on care for the elderly gives some horrifying evidence of how regularly those who live in homes can be preyed upon by the teams that are supposed to care for them.
Individuals can do little to influence hospitals or doctors’ surgeries, but here the risks have become more well-known since the 2017 Wannacry attack paralysed 60% of NHS services. We are all reliant on both private and NHS organisations investing in cyber protection and ensuring that they prioritise the safe management of patient data. Of course, it is worth considering that private medical facilities are in some ways more of a risk than the NHS because, although better funded, they will hold details of patients’ payment information alongside their medical records, doubling the impact for those involved.
Creating a cyber shield
Those who are cared for at home will also be vulnerable. They are often alone, accessible to casual visitors, and with their bank details and cash available to anyone who visits the home. The risks are obvious, but what is less clear is how to take action to build a complete protective shield around the growing retired community, helping them to ensure that they, their data and their finances are protected throughout the later years of their lives.
Families cannot shoulder the whole burden. So, what can those businesses who work with the elderly do to protect their community? Care homes are a particularly vulnerable part of the front line, as they hold a huge amount of PII (Personally Identifiable Information) data on their patients. Much work could be done here, in terms of increased training and awareness for care home staff and for families of residents, combined with an up to date and well-maintained IT infrastructure. Insurance coverage also needs to be increased, with a step change needed in residential home groups awareness of the need to protect their residents from cyber risk at every level.
Solutions can be found
Action is needed, and the insurance industry can help with this. Care homes, private hospitals and charities are at the front line. All of them need to tighten their cyber protections, and also develop greater awareness of the need to knit together full protection for the people in their care. Let’s work with these groups to build their educations and protection as much as we can.
Tom Malcolm is Head of UK Cyber at New Dawn Risk
The original article can be viewed here
The cyber health of an organisation can be measured with some accuracy. A company’s attitude towards its cyber security, training, accreditations and insurance gives a clear picture of how well-managed cyber risk is by that individual firm.
For many firms, however, their measured score on this topic would be disappointingly low. Cyber risk has been a buzzword for the last three or four years, and corporate focus has heightened further due to the GDPR legislation, which shifted responsibility for data security firmly into each individual firm’s lap.
Firms such as British Airways have lost or been fined millions for cyber breaches, and many organisations, including NHS hospitals have had their operations closed down temporarily by cyber hackers.
Human nature is the problem
But human nature is amazingly resistant to change. In spite of numerous high-profile attacks in the last couple of years, there is still a fundamental lack of true cyber awareness in many businesses and a low adoption of cyber basics. Just take a look at your own online profile and consider the following statements.
- We all know we should change our passwords often (but rarely do).
- We all know that we shouldn’t open suspicious looking emails and links but we often do it anyway.
- Many organisations have outdated firewall and anti-virus software, in spite of having teams dedicated to managing their cyber security.
Training can help
The unpalatable truth is that the cyber security community is beginning to understand that corporate firms need government support. This is most important in the areas of education and training. In most regulated industries there is a requirement to Know Your Customer (KYC). It is also mandatory for the company to deliver ongoing training and learning programmes to all staff, as well as CPD (continuing professional development), and compliance training.
Love or hate the regulated environments that exist, they promote and maintain high levels of safety and financial security for the industries they serve.
By contrast, the 2019 UK government survey on cyber security found that only 38% of small firms were aware of Government cyber security initiatives and accreditations, rising to 48% in large firms*. However, 80% of the cyber-attacks occurring every year could be prevented by adherence to the five controls recommended by the UK Cyber Essentials training programme
Now, for the first time, decisive steps are being taken by the government to provide education and training, and firms need to be aware of them. The Cyber Essentials Scheme was first off the blocks. This is the UK government accreditation, designed to educate the workforce, and protect organisations from the most common cyber-attacks. Find out more at https://www.cyberessentials.ncsc.gov.uk
The Cyber Essentials programme had an initially high uptake but, has since disappointed with low corporate retention. Many firms have slipped behind and are now non-compliant with the accreditation. This lack of focus has forced the government for the first time to take measure to push education in the field.
From 2020 all UK government vendors will be required to hold the Cyber Essentials accreditation, and to keep it updated. This move is intended to create a non-regulated half-way house, making it important for firms to become accredited; and for the Cyber Essentials credential to become widely accepted as a pre-requisite for doing business with any organisation.
Regulation is not here yet, but it is clear that the government is serious about ensuring firms prioritise and manage their cyber security. Firms who do not currently do this need to up their game.
Attack the issue on several fronts
Even if your firm is not prepared to work towards Cyber Essentials, there are other steps that can be taken. All firms, no matter how big or small, should be reviewing their cyber exposure and regularly checking the controls they have in place are adequate. Educating the workforce is a further important step to consider. All this can then be supported by a cyber insurance policy, which if these measures fail to prevent a cyber incident, will help an organisation to mitigate the effects both during and after the event, and get back on their feet again.
In summary, there is much that can, and should be done to protect a firm of any size against this new and pervasive risk to businesses.
If you fit into the category of ‘let down by human nature’ and would like to do more to cyber-secure your organisation, here is our checklist of steps to take to improve your cyber status:
- Check your GDPR position and ensure you are compliant
- Sign up to Cyber Essentials, and ensure you stay current with training requirements and updates
- Invest in education for your workforce – helping them to behave in a safe and secure manner online
- Protect your organisation with a cyber insurance policy, should the worst happen
Tom Malcolm is Head of UK Cyber at New Dawn Risk and advises clients on all aspects of cyber cover, protection and risk. For further information please get in touch firstname.lastname@example.org
Board members are key decision makers for every firm. They also play a pivotal role in safeguarding a company from both internal and external pressures. In a listed firm the board will look to protect the interests of shareholders and employees; while in a private company the focus is usually on helping management to make consistent and effective decisions for the business.
However, it is a fact that boards are not generally perfectly structured for assessing and prioritising cyber risk. Age is one factor. But there is also recruitment bias to contend with. When recruiting for the board, the typical skillsets that are favoured by recruiters include law, regulatory expertise, financial and accounting qualifications or HR experience. Notably missing from this list are IT, risk management or cyber security expertise.
The UK government’s own 2019 survey found that currently only 38% of small firms have in place board members or trustees with responsibility for cyber security. In large firms, less than 60% have a specific board member with oversight of this key risk. Worst of all are charities, where the number is only 30%*.
This is shocking, given the potential impacts a cyber event can have on a firm – from prevention of trading to loss of reputation, or data theft fines and reparations.
The challenge to be faced is increased by the fact that, not only are a board’s external Non-Executives are unlikely to have been recruited because of IT skills; but frequently a firm’s staff Chief Information Security Officer (CISO) – or equivalent – will often not sit on the board, leaving a gap in decision-taking expertise, and sometimes even in board awareness of the risk at all.
The challenge is not just one of ‘being in the room’. Attitude and communication are also important barriers to board’s understanding of how to manage cyber risk. Former CEO of Lloyd’s, Dame Inga Beale commented that “communicating in the same language is one of the barriers to effective collaboration between boards and information security functions”** The challenge is for an IT specialist to speak clearly to the board, to address their main priorities; and in doing so, to move beyond technicalities and into overall business risk
How can this be achieved? There are some simple rules which can make a big difference. Firstly, it is critical to use effective and simple tools to illustrate the risk, for example, using financial models to demonstrate the cost of a data breach, rather than system maps showing outages in terms of time and physical areas affected.
The CISO needs to team up with other departments to clearly analyse the effect of a cyber incident, including looking at elements that are not within their remit such as public relations and associated negative publicity, legal ramifications and impacts on share price / revenues or profits. These issues are ones that boards understand and can respond to much more easily than system-focused descriptors.
Overall, the approach must be to give the board issues that they can quantify and use to measure the potential financial impact to the business. Conversely, don’t use jargon that may make the board feel out of their depth, as this will make them reluctant to question, become involved or take decisive action. The point of having a board is that regardless of their technical knowledge they should still be able to provide valuable advice and help management steer around both new and old risks.
Managing a board is a skill in itself, and getting the decisions made that you need becomes doubly tricky in the relatively new and complex field of cyber risk. If cyber security is your responsibility in a firm, you need to arm yourself with the understanding of a board’s approach, as well as taking time to talk in their language. The board’s input can be valuable. The key to getting the best out of them is to articulate clearly the whole-business impacts of a cyber risk. It is simply a case of learning how to speak the language of the board.
Tom Malcolm is Head of UK Cyber at New Dawn Risk and advises clients on all aspects of cyber cover, protection and risk. For further information please get in touch email@example.com