Why only grown-ups should be allowed to use computers.

Cyber Security and SME Business

The risks of doing nothing and the problem with SMEs

The response we receive from most small businesses, when we talk about the threat they expose themselves to simply by connecting to the Internet, is normally along the lines of, “Oh, we’ve got that covered”. When we’re met with such a blasé attitude, we sense some sport and probe a little further.
 
The term ‘covered’ turns out to be an interesting phenomenon, as connecting to the Internet can be likened to waking up one morning and finding a rabid dog sitting on your bed - if you’re lucky you’ll be fine, but there’s a very strong probability of things going horribly wrong, resulting in a potentially deadly infection. For most, a more technical definition of ‘covered’ is probably the router provided by their Internet service provider (ISP) and some free antivirus software.
 
Despite warnings from government and technology experts and clear evidence of the risks involved, broadly speaking, SMEs in the UK - the backbone of the British economy - just don’t get it. Just look at what the Federation of Small Businesses had to say on the subject last year.
 
You’d think that larger organisations - especially professionals such as accountants and solicitors - would be better advised and equipped to deal with issues surrounding data security and information assurance. But no, it’s not the case.
 
Organisations with in-house IT personnel can be incredibly introverted and protective when it comes to talking about resilience issues and IT.
 
Those who rely on an external provider will benefit only from the level of knowledge and commitment of their chosen vendor. It’s all a bit of a mess, with a lot of bluster and denial at its roots.
 
But before we go any further, it would be worth considering the whole notion of cyber threat. What is it really? Is it just hype that keeps consultants in a job? Why do so few who actually run or own businesses seem to care?
 
IT security is not for kids

The overall problem, I think, stems from a market saturated with all things IT at prices anyone can afford, the pathological need to ‘get online’ (with government and telcos adding to the frenzy), and a casual, amateur approach typified by a ‘my mate’s son can fix that for you’ mentality.
 
With IT lying at the core of most organisations, why should we let this kid loose on our commercial hearts?
 
The Internet is seen as a cornucopia from which all must imbibe. Unfortunately, this fount of all knowledge and gratification is tainted, as the deviant side of the very entrepreneurial spirit which gave birth to the Internet is also very present. It’s a dark, scary place to be at times and yes, beware - here be dragons.
 
Most people seem to think that “a virus” will do something nasty and annoying to their computer which might stop it from working properly. “Malware” is a bit of an unknown quantity that has much the same effect. They think “hackers” only target big companies and the Pentagon, and that the bad guys aren’t interested in any device that doesn’t belong to a global corporation or a defence establishment. Why do people believe this nonsense? Because there’s a guy down at the pub with an NVQ qualification in word processing, “And he says…”.
 
So who writes and sends viruses and “hacks” things?
 
Bad people. Criminals. 
 
Why do they do it? 
 
Because it’s very, very easy, it’s very lucrative and because they can. And they don’t even have to leave the house to do it. It’s crime from the sofa, and it’s increasingly being organised on a global scale.
 
So why would they be interested in you?
 
Whereas most people could probably work out the value in gaining access to corporate data, or disrupting a high-profile organisation, few have any concept of “little old me”. And the answer to this question is, “They aren’t interested in you one little bit”. They couldn’t care less. All they want is your data and your identity. You may only have a few hundred pounds in the bank, but if they can get access to that - and your overdraft - and replicate the activity hundreds or thousands of times, then the numbers begin to stack up. If they can pretend to be you and obtain a loan or credit cards in your name, then they’re definitely in the money - and the bill will be heading in your direction.
 

Businesses are exposing themselves to the risk of Cyber Crime.

But just a minute - in this case it’s a problem for the police to solve, isn’t it? No, it isn’t.
 
Cyber crime becomes the problem of law enforcement agencies once an attack has happened and a crime is committed, or if it can be proven that people are involved in activity that will lead to a crime being committed. 
 
The police and other enforcement agencies are working extremely hard to understand the full nature of the threat and disrupt organised cyber crime, but at this moment in time, there is no way they - or anyone else - can prevent it. We can, however, take steps to prevent ourselves becoming willing victims.
 
Wake up! This is the 21st century! And just as nuclear weapons can’t be ‘uninvented’, neither can computers or the Internet. They’re here to stay, so we’d all better grow up and learn how to look after this new technology - and ourselves - properly.
 
Here are some basics that will help:
 
Any device (PC / Mac / laptop / mobile phone / tablet / PoS device / IP webcam / networked telemetry equipment / network printer etc.) which connects to the Internet, a network of other devices or a WiFi connection is at risk from infection, manipulation or compromise.
 
Viral infection or malware may stop a device from working correctly, but it may also be absolutely transparent. It can harvest information stored on a hard drive or monitor keystrokes and transmit this back to a third party. Infection or breach may allow a third party to remotely control this device and use it maliciously as part of an anonymous attack on another victim. You may unwittingly become part of the ‘dark web’ - and you really don’t want to go there.
 
WiFi is a potential nightmare if it is not secured

WiFi is a nightmare. Would you stand in the street and shout your bank account details through the window of your bank to the cashier? Probably not - but in effect, whenever you use WiFi, this is what your device is doing.
 
Not just with your financial details, with everything. WiFi isn’t some sort of point-to-point laser beam-like method of sending stuff from tablet to router. Oh no, when you think of WiFi transmission, think “balloon” or “globe” - because WiFi is a 3D transmission. It spreads in all directions, leaking through windows, walls and floors. 
 
Who else can “listen” to it? Well, anyone with a modicum of knowledge and a laptop, or a few bits of kit that can be bought online. Just consider who could be sitting outside your office, or the homes of your employees, or in Starbucks, harvesting information from you and your organisation. If you’re starting to get the impression that the threat sits not only behind the curtains, but on every corner, you’re starting to catch on to the reality of the problem.
 
As if this isn’t bad enough, the vast majority of people might as well fling open their front door and invite the cyber criminal into their lives…
 
When was the last time you opened an email from a sender you didn’t recognise?
When was the last time you opened an email from someone you thought you recognised and then thought, “Oh, oh - this doesn’t look right”?
When was the last time you clicked on a link to a website that you had never visited before?
When was the last time you picked up a USB stick and plugged it into your computer because you couldn’t remember what was on it?
When did you last change your access passwords?
When did you last chat to someone about using IT at work?

Because all of these simple and innocent actions are all that criminals need you to do to fall into their trap. Their success counts on you falling for their tricks!
 
It really is that easy, and for the majority, their ‘security’ provisions really are this poor.
 
The new British Standard 65000 on Organisational Resilience addresses cyber threat, there’s plenty of talk at government level and within the insurance world about ‘mitigating risk’, and the government-endorsed Cyber Essentials scheme can help you get started on the road to better cyber risk management.
 
Meanwhile regulators such as the Information Commissioner’s Office (ICO) and the Financial Services Authority are most disapproving of anyone with a shoddy attitude toward protecting data. They share a propensity for issuing crippling fines like sweets. 
 
However, I don’t think they ever fine the IT department…

Stuart J. Green, Digital Engineering

SJG Digital are a Cyber Essentials certification body who specialise in working with SMEs to help them effect a change in attitude towards cyber threat and deploy cost-effective solutions that will grow with their organisation and the ever-changing threat landscape.