Cyber-attacks not a question of ‘if’, but ‘when’

Professor Kamal Bechkoum, Head of the School of Computing and Engineering at University of Gloucestershire,

Despite the gradual easing of Covid-19 lockdown regulations, industry has never been more reliant upon its online networks and remote-working capabilities. The threat of cyber-attack has similarly grown. Organisations need to be clear on how their data and IT infrastructure is protected, says Professor Kamal Bechkoum, head of Business and Technology at the University of Gloucestershire

Picture a cyber-hack on your organisation as being like any other scam – tenacious, infuriating and often playing on human weakness or error to achieve access to your most important resources.

The government’s Covid-19 ‘test, track and trace’ smartphone app, piloted on the Isle of Wight, is a prime example of what can go wrong for organisations when a significant lack of trust comes into the equation.

According to a recent 1,000-person survey almost half (48%) of people in the UK questioned about the NHSX contact-tracing app say they don’t trust the government to keep their information safe from hackers.

The poll also found that 43% of respondents are worried that using the app could give fraudsters an opportunity to launch phishing attacks by email or SMS. This is in addition to the thousands of fake Covid-19 domains springing up and being used to initiate a spate of recent online frauds.

Given that one of the most important public health and safety plans of our time appears to be struggling to assure the public of its authenticity and trustworthiness, how can business leaders make the right decisions to protect themselves and their stakeholders through these troubling times?

In the first instance understand that a cyber-attack on your organisation is inevitable. It’s really not a question of ‘if’, but ‘when’.

Forecasts for the number of online-linked devices, otherwise known as the ‘Internet of Things’ (IOT), in 2020 varies from between 26 billion to 75 billion. If there’s one lesson that can be learnt from the current pandemic it’s that more of us than ever before are working remotely and often mixing the use of personal and professional devices to stay connected.

There is so much information created by these devices – up to and beyond 2.5 quintillion bytes – that 90% of the world’s data has been created in the last two years.

Considering this massive volume it is perhaps understandable that cyber defences can never be 100% secure. The grand challenge facing all organisations is the need to improve their understanding of where threats are most likely to come from, and engage in habitual good security practice at all levels of the organisation.

To begin with, a threat register should consider criminals, ‘hacktivists’, competitors, hostile states, and insiders, alongside the following tips:

Four top tips to becoming cyber-secure

  1. A human firewall – people are the first line of defence. Lead by example and develop all of your policies and teams to be cyber-aware. Preparedness can’t simply be delegated to the IT department or executive. It has to be the responsibility of everyone
  2. Update systems regularly – this should be done continuously to ensure the latest software versions and patches are in place to help systems become as airtight as possible
  3. Continuous security – there is no single event or graduation ceremony that guarantees the job is complete. Everyone within and connected to the organisation needs to appreciate that this is a continuously-evolving process
  4. Worse case planning – have a plan for when things go wrong. Who will take the lead on responding to the attack? How can the problem be solved? Who needs to be informed? What can be learnt and done to prevent similar attacks in the future?

All IOT devices and systems are vulnerable. Malicious apps will often sit in the background for long periods of time collecting data until the time comes for them to strike.

One devastating example was the December 2015 Ukraine power grid cyber-attack, when hackers were able to compromise the information systems of three energy distribution companies and temporarily disrupted electricity supplies for around 230,000 consumers.

This is not massively different from what the average cyber-criminal might do to gain access to your bank account, and make no mistake, even the experts are vulnerable.

Over the last year I’ve personally experienced six attempts to get into my own system and fell victim to a spear-phishing scam. This is an increasingly common form of attack where criminals attempt to gain sensitive information, such as usernames, passwords or credit card details, by disguising themselves as a trustworthy entity in an electronic communication.

After gaining access to my address book the fraudsters contacted 250 friends, family and associates, asking them to pay for Amazon purchases on ‘my’ behalf. Two fell for it.

On another occasion, I’m somewhat embarrassed to admit, I attempted to book some hotel rooms for visiting guests in Cheltenham, but I only had 10 minutes spare to do this. I went onto an accommodation-booking website, made the payment and received an email stating that the booking could be confirmed within three days. Later I received a call from my bank querying a transaction from Istanbul for £1,100. Luckily they managed to block any further withdrawals.

95% of internal breaches are caused by human error. Our default approach to all IOT systems should always be one of suspicion.

At the University of Gloucestershire control systems access and privileges are managed in a very rigid way. As a head of school, even I can’t download anything on my PC and I’m happy about this. When you recruit new people they should be inducted into this kind of culture.

The pressures of the coronavirus pandemic has left many of us tired, putting ourselves in a position where we might fail to properly check the veracity of texts or emails received before reacting. This is when it becomes very easy to overlook crucial details and let things slip by.

Don’t make the mistake of acting in haste. Breathe, regroup and take your time. Ask the right questions, double-check your actions and ensure that everyone is alert to cyber-security issues. Your business might just depend on it.