From high value target to smart ninja: The do’s and don’ts of organisational cyber security

Always on the look-out for sizeable data sources they can compromise, cyber attackers are creative and resourceful individuals who often strike when least expected. For example, weekends are one of their favourite times, when incident response time is minimised by people not being at work, such as in the case of WannaCry in May this year. Equally, we’ve seen many businesses believed to be ‘safe’ at the centre of a cyber attack stories.

The problem is, no organisation, regardless of its size, public image, or financial weight, is on the safe side nowadays. Any institution, be it public or private, that holds a significant amount of confidential data, including medical records or financial information, is a sought-after target. From universities to small businesses to banks, all organisations are at risk.

However, many people believe they are not a ‘high value target’ for identity thieves – such as students, for example, who consequently have rather minimal knowledge on how to protect themselves online. As a result, we’ve seen UK students being targeted by fraudsters in the run-up to the new academic year with a fake email scam claiming that their Student Loans Company (SLC) accounts have been suspended.

Who is ultimately responsible?

The question is: Does the responsibility to safeguard individuals’ online assets lie within the organisation? Or is each of us responsible for the security of our own data online?

A simple answer would be: both. Employers, training providers – anyone who stores and deals with customer and employee data has to think of ways they can protect it from cyber threats, as well as raise awareness amongst staff. Equally, individuals are responsible for safe browsing.

Phishing is still the most successful attack vector for cyber criminals. Humans are inquisitive by nature so even though they aren’t necessarily expecting an email on their finances from their bank, for example, they will still open it to ‘see if it is for them’. This can result in their machine being compromised with ransomware or a banking Trojan and more than likely added to a botnet.

The spam campaign authors understand traditional security platforms and know how to evade spam filters with improved phishing emails that are more and more difficult to spot. When confronted with this, users are advised to report fraudulent emails to ActionFraud, the National Fraud & Cyber Crime Reporting Centre, as they have the authority to act.

However, at an organisational level, there are various steps companies can take to ensure they educate their employees and customers, and also have the correct technological capabilities in place. Below is a list of top do’s and don’ts colleges, training providers and employers should follow to protect themselves and their staff from cyber fraud.

Do’s

1. Encourage employees and customers to use strong passwords and a password manager if necessary.
2. Use a client side Virtual Private Network (VPN) such as Freedome to ensure network security within the organisation.
3. Add privacy to social media accounts and encourage the same practice across the organisation.
4. Enable two factor authentication on emails and click-to-play for Adobe Flash or remove it altogether.
5. Use an adware scanning tool and scan devices on a regular basis to track cookies or other malware not identified by the firewall software.
6. Patch company devices and install firewall software. Needless to say, keeping devices up-to-date is a must.

 Don’ts

1. Educate employees to never follow an offer, such a free iPhone, that seems too good to be true. It will be a scam!
2. Similarly, employees must know to not click on attachments unless they’re sure they are for them.
3. Never use a free public Wi-Fi to log into company accounts.
4. Don’t follow links in emails, particularly suspicious ones; always type the URL in a browser.
5. Don’t install software/utilities from an unknown source, as those tools may install spyware on the device.
6. Don’t ignore warnings generated by the firewall or other security solutions (don’t follow links to pages highlighted by the firewall).

Ultimately, a good user education programme for staff on the dangers of email would go some way to reducing this risk. We live in a digital era, when using emails is the new norm, and employees of all ages should be taught how to protect themselves online. We’re being exposed to a new wave of threats today compared to 50 years ago, and adaptability is key.

Bryan Campbell, Senior Security Researcher at Fujitsu UK & Ireland