Tag! You’re IT. Cyber security playground rules
Tom Mullen, O2’s Head of cyber security, considers the role of IT in cyber security, and how the IT team is perceived throughout the organisation.
In my first blog in this series, we considered how the cloud, remote working and the use of personal devices at work have made the people we employ potentially as significant a security risk as organised, sophisticated cyber criminals. As IT professionals it’s just too easy to play the blame game, yet we can’t expect everyone we hire for a sales, marketing or finance role to be an expert in cyber security. Instead we need to look at ways to reduce or prevent cyber threats and attacks from reaching the people we employ in the first place, and at better ways to inform them when we know something has become a problem.
Here are five areas that every IT team needs to have covered
- The Basics
Software updates are an obvious place to start. Almost everyone I speak to with responsibility for security understands perfectly well the risks carried by not updating software. After all, malware tends to target vulnerabilities that have already been publicly disclosed, and for which an update or patch is typically already available.
The process of keeping up to date is not always easy. Software updates or patches can break the established interoperation between systems, but testing each patch in a representative environment before rolling it out usually catches conflicts with other applications.
Remember that software updates might create a need for user training or a change in the way that users perform their roles. In the most serious cases, patches or updates are simply incompatible with the hardware they run on, so the system is left unpatched and remains exposed to vulnerabilities discovered long after vendor support for that system or hardware stopped.
We saw this very publicly with the effects of the WannaCry ransomware attack on a number of organisations last year, including Santander, Nissan and the NHS. For the NHS, it exposed the vast number of MRI scanners, x-ray machines and other hardware still reliant on operating systems whose support for upgrades and patches had long since expired.
Ensuring that you have a detailed, unambiguous procedure for backing up, protecting and encrypting your organisation’s data is another basic IT role. It’s prudent to divide the backup duty between several people to minimise the opportunity for insider threats. It’s also useful to have those backups stored in different locations, so that a single fire, flood or natural disaster cannot wipe out every copy, and to keep at least one copy offline or otherwise unreachable from the production network, since ransomware will encrypt any backup it can write to. Test your restores regularly: a backup that has never been restored is an assumption, not a safeguard.
Password management and account access are routine IT responsibilities. However, one common vulnerability I witness regularly concerns privileged account access. Where software applications, website administration, databases or other systems offer different levels of access, too often an IT team will raise a user’s access level beyond their needs, fail to turn off access for users no longer with the organisation, or provide unmetered access to temporary staff, freelancers or contract workers. By doing so they establish a substantial security risk to the organisation. Get to know the IT needs across the business, grant only the privileges each role requires, give temporary staff access that expires on a set date, and review the privileges granted regularly.
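The three failures described above (leavers still enabled, open-ended contractor access, and roles beyond what a job needs) are all findable from an account export with a simple rule set. The following is an added example, not code from the original post or from O2: it runs an access review over a constructed list of accounts. The role names, the job-to-role mapping and the thresholds (90 days between recertifications, 60 days of inactivity for a privileged account) are assumptions chosen for illustration; in practice the export would come from your directory or identity provider.

```python
"""Privileged-access review over an exported account list (added example).

Assumed role names, job-to-role mapping and thresholds; the account
records below are constructed sample data, not a real export.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Roles that confer administrative control (assumed names).
PRIVILEGED_ROLES = {"domain_admin", "db_admin", "web_admin"}

# Roles each job function legitimately needs (assumed mapping).
# Any role outside this set is "access beyond their needs".
JOB_ROLES = {
    "finance": {"finance_app_user"},
    "dba": {"db_admin"},
    "web": {"web_admin"},
}


@dataclass
class Account:
    username: str
    employment: str                          # "employee" or "contractor"
    job: str
    enabled: bool
    roles: Set[str] = field(default_factory=set)
    left_date: Optional[date] = None         # set once the person has left
    access_expires: Optional[date] = None    # end date for temporary access
    last_review: Optional[date] = None       # last manager recertification
    last_login: Optional[date] = None


def review_accounts(accounts: List[Account], today: date,
                    review_max_age: timedelta = timedelta(days=90),
                    inactive_after: timedelta = timedelta(days=60)
                    ) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every enabled account that
    breaks one of the access rules. Disabled accounts are skipped."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue
        # 1. Leavers whose account was never turned off.
        if a.left_date is not None and a.left_date <= today:
            findings.append((a.username, "LEAVER_STILL_ENABLED"))
        # 2. Temporary staff with open-ended ("unmetered") access,
        #    or access that has passed its end date but is still live.
        if a.employment == "contractor" and a.access_expires is None:
            findings.append((a.username, "CONTRACTOR_NO_EXPIRY"))
        elif a.access_expires is not None and a.access_expires < today:
            findings.append((a.username, "ACCESS_EXPIRED_BUT_ENABLED"))
        # 3. Roles beyond what the job function needs.
        for role in sorted(a.roles - JOB_ROLES.get(a.job, set())):
            findings.append((a.username, f"EXCESS_ROLE:{role}"))
        # 4. Privileged access must be recertified and actually used.
        if a.roles & PRIVILEGED_ROLES:
            if a.last_review is None or today - a.last_review > review_max_age:
                findings.append((a.username, "PRIVILEGED_REVIEW_OVERDUE"))
            if a.last_login is None or today - a.last_login > inactive_after:
                findings.append((a.username, "PRIVILEGED_INACTIVE"))
    return findings


# Constructed sample export, dated relative to a fixed review day.
TODAY = date(2018, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", "finance", True, {"finance_app_user"},
            last_review=TODAY - timedelta(days=30), last_login=TODAY - timedelta(days=1)),
    # Finance user who was given a database admin role and never re-reviewed.
    Account("bob", "employee", "finance", True, {"finance_app_user", "db_admin"},
            last_review=TODAY - timedelta(days=200), last_login=TODAY - timedelta(days=5)),
    # Left ten days ago; account still enabled.
    Account("carol", "employee", "dba", True, {"db_admin"},
            left_date=TODAY - timedelta(days=10),
            last_review=TODAY - timedelta(days=20), last_login=TODAY - timedelta(days=12)),
    # Contractor with admin rights, no end date, not seen for three months.
    Account("dave", "contractor", "web", True, {"web_admin"},
            last_review=TODAY - timedelta(days=10), last_login=TODAY - timedelta(days=90)),
    # Correctly disabled leaver: nothing to report.
    Account("erin", "employee", "dba", False, {"db_admin"},
            left_date=TODAY - timedelta(days=100)),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:8} {finding}")
```

Run against the sample data this reports five findings across bob, carol and dave and nothing for alice or erin. The useful part in practice is rule 3: it needs the business to tell IT which roles each job actually requires, which is exactly the "get to know the IT needs across the business" step above.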
Cyber attacks are unfortunately becoming more sophisticated. Recently I spoke with the CEO of an SME that had fallen victim to an extremely convincing cyber fraud. After months of the fraudsters monitoring and learning the CEO’s use of language and communication style, the longstanding head of accounts had been persuaded to make a series of bank transfers, via emails she believed were coming from him. We will read about fraud like this increasingly, and IT’s responsibility is to stay abreast of new trends and vulnerabilities.
The National Cyber Security Centre (NCSC) publishes regular, up to date advice and information on malicious cyber activity that is available to everyone. They have also published a report on the cyber threat to UK business, designed to improve our collective cyber defences, which you can access here. Sometimes it’s as simple as ensuring that stories like these are shared throughout an organisation, which in turn increases people’s vigilance.
In my previous blog I mentioned an organisation that complained their staff rarely opened emails about security issues. That’s a concern, but more worrying was that their IT team concluded that they had done their job of communicating the issue, and hadn’t looked at how they should improve their notifications.
Keeping people updated about the latest security threats is an IT responsibility, and the IT team must do whatever it takes to drive the message home. If a message doesn’t achieve the desired result, we look for the reasons why, and change it. At the start of May, for example, we borrowed the Star Wars tagline May the 4th be with you for a security message, and people were sufficiently intrigued to open it. They were still talking about that particular security message many days later. There is a skill to getting communications right, and it will vary depending on the organisation. Look to your marketing team to help, and consider alternatives to email such as SMS, group chat and collaboration apps.
- Intelligence and control
However irritating it is when someone in your organisation falls prey to a scam, or responds to a phishing attempt, there is an argument that the IT team should have prevented it. The IT role extends to removing threats before they reach anyone else: blocking or quarantining malicious websites through web filtering and keyword monitoring, and stopping infected or suspicious emails before they reach a user’s inbox.
I often have to remind myself that the people at O2 have their own jobs and responsibilities to perform and are not cyber security experts themselves. Spam filter technologies, a simple means for staff to report suspicious emails or activity, network traffic monitoring and data loss prevention should be constantly reviewed and assessed.
Just remember that every time you implement a form of protection on your network, the bad guys will be working on a way to defeat it. Proactive monitoring and reactive capabilities both need to be front of mind.
- Learning from experience
Whatever additional action you take with security threats, it’s essential to learn from an attack or compromise when it happens. We can only hope to protect against future threats if we understand why each one happened. What motivated the person to click on the link in that particular email? What was it that seemed so compelling?
Anyone can make a mistake, but if the IT team has a good understanding of what motivates users to behave as they do then they are better placed to stay one step ahead of the next security challenge. With the General Data Protection Regulation (GDPR) that came into force in May, the IT team’s responsibilities have expanded to include defence against data breaches and inappropriate access to personal data, and detecting a breach quickly enough to report it within the 72 hours the regulation allows. Remember that data protection extends beyond cloud or server-based data, and involves physical security as well, so make sure you have a procedure for shredding and destroying paperwork and documentation.
Above everything else, those of us responsible for IT have a duty to ensure that the measures we put in place make it easy for people to just get on and do their jobs. The moment we implement a security measure that makes a user’s job a bit more difficult, they will look for a workaround. It’s human nature. So if you want to avoid your users circumventing your well-intended policies, keep it simple and limit measures only to those that are strictly necessary. How is the IT team regarded in your organisation?
At O2, we can help you with systems designed with security from the outset, from the UK’s only CAS(T) accredited fixed and mobile network to O2 Gateway, our flexible and secure platform combining fixed, wi-fi and mobile, for true convergence that allows for easy monitoring and expansion.
So how prepared are you? You can find out more about ways we can help here.