A major problem with cybersecurity is complacency: as businesses we receive so many cyber threats that it is difficult to know which one is a priority, what the impact is, and where to focus limited resources.
The threat of a cyberattack has become the unavoidable cost of doing business today in the UK, and cybersecurity is often seen more as a cost to protect against things that may or may not happen than as proactively fixing security vulnerabilities that, if breached, can have dire consequences.
The situation is made worse by a combination of a lack of awareness at board level in UK companies and employees who are often the greatest cybersecurity threat, either by accident – for instance by opening malware from an email or using weak passwords – or by intentionally stealing sensitive information.
It can be exhausting to continually hold your staff to task on something which may occur.
What tends to happen is that we fall into bad habits: as the risk assessment becomes lower, there is a feeling of the "storm" having passed and we drop our guard.
Typically, as systems themselves have become harder to penetrate, the hackers have sought out softer targets. The easiest plan of attack has most recently been to target people, to take advantage of human fallibility and our desire for an easy life.
Staff may, for example, be using their personal email accounts right at this moment to carry out business correspondence, using their own cloud storage to upload work-related files or, even worse, failing to apply strong password hygiene.
Because we now live such connected lives, multitasking means we may be accessing multiple business applications while catching up on social media, which makes it a chore to keep coming up with difficult passwords that we can actually remember.
The typical security advice we receive is to make passwords as complex as possible for the multiple applications that we need to log into.
Add to this the fact that more and more of us work remotely or have jobs where we are on the move, and it means that we sometimes put productivity before security.
Trying to remember all those complicated passwords becomes a point of friction, outweighed by a low perception of the risk.
Why is password re-use a problem?
Password re-use today is still a major risk for individuals and companies.
Security firm BullGuard cited recent studies showing that 90% of all passwords are vulnerable to attack in seconds. Also, 10,000 common passwords like "qwerty" or "12345678" allow access to 98% of all accounts, BullGuard said. Amazingly, 21% of online users rely on passwords that are 10 years old, the company said.
Research suggests that when security mechanisms create extra work as a means of protecting us, we as employees favour the route of least resistance.
In effect, that means we would typically rather take a shortcut to complete a task at the risk of a security breach, which in a worst-case scenario means that users use the same password across multiple applications.
One of the most common ways for a business to be hacked or breached is through attempts to steal an employee's password in order to log into a secure system and steal that person's identity.
Attackers commonly use lists of stolen passwords and emails when attempting to breach a perimeter, or when trying to move within a network to potentially less well defended systems by utilising a poor password choice or lack of strong authentication methods.
In addition, there will be passwords that are more specific (such as employees in an organisation using the company name in their password) or time limited ('Christmas2019', etc.). These will probably not exist in a global breach list, but attackers may still try to breach a system using such obvious combinations.
The NCSC (the National Cyber Security Centre), the UK's independent authority on cyber security, has said how important it is to change your password policies (if necessary) to make it easier for users to choose 'good' ones. This includes using password blacklists (that is, making sure your users can't choose any passwords commonly found in data breaches), something that the National Institute of Standards and Technology (NIST) also recommends.
A great way to check if you have an account that has been compromised in a data breach is to check the website Have I Been Pwned. If you see a password that you use in this list you should change it immediately.
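As an added example (not part of the original article), the Python below shows a password blacklist check of the kind the NCSC and NIST guidance describes, extended to catch the company-name and time-limited choices that a global breach list would miss. The breached-password sample, the organisation terms ("acme", "widgets") and the function name are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample; in practice load a breached-password corpus here.
BREACHED = frozenset({"qwerty", "12345678", "password", "letmein"})
# Hypothetical organisation terms (company and product names).
ORG_TERMS = ("acme", "widgets")
# Time-limited words that users commonly pair with a year.
SEASONAL = ("spring", "summer", "autumn", "winter", "christmas", "easter")
# Undo common character substitutions before comparing.
LEET = str.maketrans("013457@$!", "oleastasi")
SEASONAL_RE = re.compile(
    r"(?:%s)[\W_]*(?:19|20)?\d{2}[\W_]*" % "|".join(SEASONAL))


def screen_password(candidate, breached=BREACHED, org_terms=ORG_TERMS):
    """Return the reasons a candidate password should be rejected."""
    pw = unicodedata.normalize("NFKC", candidate).lower()
    # Drop trailing digits/symbols ("Qwerty!1" -> "qwerty"), then de-leet.
    stem = re.sub(r"[\d\W_]+$", "", pw).translate(LEET)
    reasons = []
    if pw in breached or stem in breached:
        reasons.append("breached")
    if any(term in pw.translate(LEET) for term in org_terms):
        reasons.append("org-term")
    if SEASONAL_RE.fullmatch(pw):
        reasons.append("seasonal")
    return reasons


if __name__ == "__main__":
    for sample in ("Christmas2019", "P@ssw0rd", "Acm3-Widgets#7",
                   "correct horse battery staple"):
        print(f"{sample!r}: {screen_password(sample) or 'accepted'}")
```

A check like this runs when a user sets or changes a password, so the weak choice is refused before it ever reaches a login system.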
Be careful with using personal devices at work.
It may be common for your employees to use their own devices, yet these personal devices lack the same level of security that as a business you would demand in the workplace. All it takes is one lost, stolen or breached device to compromise a business’s entire network.
Businesses that allow BYOD (Bring Your Own Device) need to provide a policy on how to use devices in the workplace and inform employees what actions they must take to mitigate any security risks. Allowing a policy of BYOD has made cybersecurity more difficult to manage. There is less opportunity, and fewer best practices are employed, to exert technical control over personal devices.
And the consequences of a cyber-attack can be devastating: disrupting your business, causing considerable financial and reputational pain, and possibly having a direct impact on your customers if their data has also been stolen.
And with the implementation in May 2018 of the GDPR there are potentially regulatory fines – as well as the remedial costs to your IT systems and infrastructure after a breach.
GDPR has obliged larger firms to report incidents because of the risk of very large fines, making them more aware of threats and the need to report incidents in a timely manner.
According to the 2019 Hiscox Cyber Readiness Report, more than three out of five firms (61%) reported an attack in the last year, up from 45% the previous year, and the frequency of attacks has also increased.
So, it’s important to find the right balance between productivity and security.
As we increasingly work outside the typical office environment, the risk of a security breach also increases. The variety of network connections, smartphones, laptops and a multitude of other devices is placing new demands on IT structures for them to be managed safely and securely.
At Worktools we provide a comprehensive range of hi-tech products and cybersecurity support services to keep your productivity in tip-top shape.
We’re your peace of mind when it comes to technology and cybersecurity. With 24/7 access to our dedicated team of IT professionals, your business will never skip a beat when it comes to tech downtime.
Make contact and let us know where you need help. You'll find we are good listeners.