2019 has seen the largest number of data breaches yet, with a ‘higher than average likelihood’ of cyber-attacks and data theft. In fact, the number of security breaches, cyber-attacks, and amount of data lost has been growing year on year. Threats are being constantly refined and evolve to counter even the best defences.
Data is money, and data is power. The most valuable targets are not necessarily financial ones; their value is measured in the consequences for personal security. Targets are those organisations which hold large amounts of sensitive, confidential, identifiable and critical personal data. Governments, local councils, schools and health authorities are all ideal targets for the data-gathering cybercriminal.
The Top Three Attacks Faced by Governments
Sensitive data is at risk from both internal and external forces, and a robust cyber security awareness training programme should give employees a comprehensive awareness of all types of attacks, with regular updates to counter the evolving threats posed to cyber security. Some of the most common threats to government cyber security include:
Ransomware
Ransomware is an insidious threat which withholds essential data from businesses, usually disrupting function until a sum of money is paid – usually in an untraceable form. UK businesses saw a 195% increase in ransomware in a year, wreaking havoc and costing time, money, and trust in businesses.
Governments, councils and other public organisations are just as susceptible to ransomware attacks as private businesses, and such attacks could cause disruption to essential public services as well as functions within the organisation – this adds an extra level of need for a timely resolution, and could increase the likelihood of the organisation giving in to the hackers and paying the ransom.
In a recent example in Texas, cybercriminals shut down operations for a number of local government offices, asking $2.5 million (approx. £2.2 million) for restoration of service. With a prompt and co-ordinated response, the attack was contained with no apparent transfer of money. Although no definite point of entry has been reported, the official response has been to step up cyber security education, ensure password hygiene and second-factor authentication, and maintain a vigilant, educated workforce.
Although the culprit entry point is not always identified or reported in the media, we do know that infected emails are still the main source of ransomware and other malware, with a like-for-like increase of 365% from 2018 to 2019. Emails are one of the biggest threats to cyber security, but with good practice this threat is almost fully eradicable. The difference between business as usual and a total shutdown could be as simple as teaching employees not to click on emails they’re not 100% sure about.
Phishing and Spear-Phishing
Spear phishing is a sophisticated, targeted method of stealing data and credentials. Spear phishers gain a deep knowledge of the practices and machinations of an organisation to work out their vulnerabilities, and use this information to create domain names and email addresses similar to those used by real employees and administrators. Spear phishing emails can be extremely convincing, and take advantage of trust between workers to gain access to sensitive data.
In the run up to the EU elections in May, spear phishing campaigns were used by Russian cybercriminals, targeting several European governments. Domain names and email addresses were created which closely mirrored those of trusted co-workers. The intimate knowledge needed to create these fake accounts is one of the more disturbing aspects of this kind of attack, yet with regular security awareness updates, employees can be confident when identifying these threats.
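One way a mail gateway or SOC script can catch the look-alike sender domains described above is to fold each sender's domain into a canonical form and compare it with the organisation's own domain. This is an added example, not code from the original post; the trusted domain 'council.example' and the sample From: headers are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Placeholder for the organisation's legitimate mail domain(s).
TRUSTED_DOMAINS = {"council.example"}

# Single-character visual substitutions commonly seen in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Fold a domain so that visual look-alikes collide with the real name."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")  # two-letter look-alikes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
        # Same name after folding (homoglyph swap) or one edit away (typo-squat).
        if edit_distance(normalise(domain), normalise(trusted)) <= 1:
            return "lookalike"
    return "external"


# Constructed sample headers for demonstration.
SAMPLE_FROM = [
    "Alice Smith <alice.smith@council.example>",
    "Alice Smith <alice.smith@counci1.example>",  # digit 1 standing in for letter l
    "IT Helpdesk <helpdesk@councll.example>",     # one character swapped
    "Supplier <invoices@partner.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM:
        print(f"{classify_sender(header):9s} {header}")
```

Anything classified as 'lookalike' is a candidate for quarantine or a visible warning banner, which is far cheaper than relying on every recipient spotting the substituted character themselves.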
Accidental Insider Threats
Accidental leaking of data is another major issue for governments and other organisations dealing with sensitive data. Simple, non-malicious human error is still thought to be the biggest cause of data loss. The wrong address on an email, unencrypted files, even just misplacing physical equipment are all too common, and incredibly easy to prevent.
The high-profile incident in 2017 where a member of the public found a USB stick containing all of the security information for Heathrow airport is a case in point: why was the information unencrypted? Why was so much sensitive data on a single small, easily-misplaced physical device? There are a multitude of simple layers of protection that could – should – have been applied to this data which would have completely averted this potentially catastrophic security breach.
The Case for Security Awareness Training
Threats to cyber security ultimately come from people, whether faceless cyber criminals, insider attacks or just mistakes, and many vulnerabilities depend on human error or an overly-relaxed attitude to cyber security. Cybercriminals’ greatest weapon is a good understanding of human behaviour – the curiosity that makes one in two users click that link in an email, the poor-quality password, or the failure to set up second-factor authentication – if it can be put off until next time, it might never get done.
The greatest weapon in our arsenal against cyber-attacks is also human behaviour. With education, with understanding, and with a strong cyber security awareness training programme, our employees are our best defence system.
In their 2018 report on Cybercrime and the Internet of Threats, research consultancy firm Juniper stated that ‘all businesses need to be aware of the holistic nature of cybercrime and, in turn, act holistically in their mitigation attempts’. This means that every link in the chain of protection must be robust, and that human factors need to be recognised as paramount when it comes to fighting cybercrime. Furthermore, ‘as social engineering continues unabated, the use of human-centric security tactics needs to take hold in enterprise security’; real people, the workforce, have the potential to be either the weakest or the strongest part of cyber defence.
The best way to reduce the risk of human error is to enable your workforce to make that difference, to help them feel confident both in their own online presence and in the event of an attempted cyber-attack. Education and regular updates mean a competent, vigilant and empowered workforce: your greatest defence.