SHP Online is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
SHP hears from Mike Stevens, CEO of Praxis42, on cyber safety, its link to health and safety risk management and tips on implementing online security.
I am often asked by clients what measures we have in place at Praxis to help guard against online attacks and what they could be doing differently.
As an organisation, and probably like many of you reading this, we have experienced attacks in recent times. These have ranged from phishing, where we have received emails from seemingly authentic sources asking us to follow links and provide information, to attackers attempting to infiltrate our internal communications and imitate our finance team to try to extract payment details.
Thankfully, these attacks have all been unsuccessful. But from these experiences we have learned that there are many similarities between the methodology we follow in health and safety management and the procedures that ensure robust cyber security.
In short, the approach needs to be constantly reviewed. When we conduct a risk assessment or risk profile for an organisation or location, we identify whether there has been change that affects the organisation. Change, for example, might relate to the environment, the person carrying out the work, specific processes within the business, or external changes.
For cyber security to be effective, we believe the approach should be the same as risk assessments.
Although cybercriminals attack organisations for different reasons, their motivation is usually:
Information is a highly valuable asset. When an organisation holds data about clients, partners and employees, malicious individuals may exploit this data either by using it for identity theft or by selling it to other entities.
The most predictable aim of an attack is financial: attackers deceive or coerce individuals and organisations into handing over money, whether through fraudulent payments or outright extortion.
Accessing supply chain information
Supply chain attacks pose a significant threat. Attackers can exploit an organisation's supply chain as a launching pad to target other clients and organisations within the chain.
When an organisation is breached, every partner that trusts its emails, credentials or network connections is exposed as well.
Here we discuss the current cyber security threats organisations face. You can stay up to date by regularly checking the National Cyber Security Centre’s website.
Phishing and email fraud
Phishing attacks and email modification fraud are attempts by cybercriminals to deceive people into clicking a link, opening an attachment or acting on an instruction (such as changing a supplier's bank details) by making the message appear to come from a trusted source.
Some of these attacks, particularly the email modification variant often called business email compromise, depend on an attacker having already compromised a mailbox and remaining concealed for some time. They evade detection by quietly reading and manipulating genuine email threads rather than by doing anything a firewall or security tool would be likely to notice.
Attackers often find the information they need to create realistic emails from the details people share on social media. It is therefore vital that everyone is mindful of what they share online.
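As an added illustration that is not part of the original article, the checks below are the kind a mail gateway or an analyst applies to a message's From and Reply-To headers to catch three common ways a message is made to look as though it comes from a trusted source: a trusted address planted in the display name, a lookalike domain (including a trusted name used as a subdomain of something else), and a Reply-To that quietly redirects the conversation. The trusted domains, the homoglyph table and the sample headers are all constructed for this example.

```python
"""Flag From/Reply-To headers that imitate a trusted sender.

Added example, not code from the article or from Praxis42.  The trusted
domains, homoglyph table and sample messages are constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains this organisation treats as its own and its partners'.
TRUSTED_DOMAINS = {"example.com", "partner.example"}

# Characters attackers swap for visually similar ones (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain this one imitates, or None if it is not close."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a subdomain of an attacker's domain: ceo@example.com.evil.test
        if domain.startswith(trusted + "."):
            return trusted
        if edit_distance(folded, trusted) <= 1:
            return trusted
    return None


def check_headers(raw_message: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)

    # 1. Display name carries a trusted address but the real sender is elsewhere.
    if "@" in display_name and domain_of(display_name) in TRUSTED_DOMAINS \
            and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name impersonates {domain_of(display_name)}, "
                        f"real sender is {from_domain}")

    # 2. Sender domain is a lookalike of a trusted domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    # 3. Replies are routed somewhere other than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample messages (headers only; the bodies play no part in these checks).
SAMPLES = {
    "legitimate": "From: Finance Team <finance@example.com>\nSubject: Invoice 1\n\nbody",
    "display_name_spoof": 'From: "finance@example.com" <invoices@mail-relay.test>\nSubject: Invoice 2\n\nbody',
    "lookalike_domain": "From: Finance Team <finance@examp1e.com>\nSubject: Invoice 3\n\nbody",
    "subdomain_trick": "From: CEO <ceo@example.com.evil-domain.test>\nSubject: Urgent\n\nbody",
    "reply_to_hijack": "From: CEO <ceo@example.com>\nReply-To: ceo@webmail-free.test\nSubject: Urgent\n\nbody",
}


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run the header checks over a batch of messages."""
    return {name: check_headers(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name}: {findings or 'no findings'}")
```

None of these checks proves a message is fraudulent; they pick out the messages that deserve a second look before anyone acts on a payment instruction, which is exactly where a short "phone the supplier on a known number" rule pays off.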
Partner organisation attacks
Through phishing an attacker may gain access to an organisation’s partners, supply chains and service providers. Once they have infiltrated systems, they may be able to download data from all linked organisations.
Ransomware and wiperware
Ransomware is a type of malicious software that infiltrates a system and restricts access to it, usually by encrypting files. It may deny access to everything or selectively lock away key sets of data, demanding that a ransom be paid in exchange for a decryption key. Many groups also copy data out before encrypting it and threaten to publish it, so backups remove only part of the attacker's leverage.
Ransomware frequently presents itself in a deceptively helpful way, offering step-by-step guidance. For instance, there may be advice on setting up accounts for payment, with a warning that interest will accrue if payment is not made quickly.
Wiperware resembles ransomware, but its purpose is destruction: it deletes or irreversibly corrupts data, and any ransom note that accompanies it is a pretext, because there is nothing to unlock.
Organisations desperate to recover data may be tempted to pay a ransom, but it is not advisable. Paying does not guarantee a working decryption key, nor that stolen data will be deleted, and in many instances organisations that have paid have been attacked again.
With knowledge of potential threats and the goal of cyber-attacks, how should you implement an effective cyber security programme?
As I mentioned, the approach to cyber safety and health and safety has similarities. This is nowhere clearer than how you assess the risk to your organisation and understand its risk profile.
Not all organisations have the funds to bring in every technical security measure available to guard against every eventuality. The solution is to carry out a risk assessment to understand:
With this information, you can then prioritise threats and decide what additional steps need to be taken to protect your organisation, taking into account the resources available.
Supply chain protection
If you have a supply chain, you should map it out to identify any weaknesses which could be exploited in an attack. If possible, you should embed security within your contracting processes by asking specific questions. The aim is to understand potential partners’ level of security and resilience, so you can check what controls are in place.
You could offer to support partners, assisting them in meeting the cyber security standards required by your organisation. This support could take the form of a checklist outlining the necessary implementations, or you could provide more hands-on assistance to help them achieve the level required.
Such collaboration not only fosters an active and engaged role for them in your cyber security measures, but it ensures they align with your organisation’s security protocols.
It is frequently reported that as many as 90% of security breaches involve human error.
By implementing a thoughtful engagement and cyber security training programme, you can establish a robust security system that benefits your organisation and employees.
Regular training and information updates should be conducted in short, easily digestible portions. The focus should be on maintaining an ongoing, low-level conversation rather than infrequent, intensive sessions. The goal is to achieve high compliance and awareness. Regular checks and assurance play a critical role here.
It is vital to convey to employees that their vigilance is integral to your organisation’s cyber security. Moreover, it is essential to encourage them to report any mistakes without fear of repercussions because swift reporting can help to prevent or limit damage. Acknowledging and rewarding employees for identifying and reporting threats is an excellent strategy.
Data and systems knowledge
Organisations need to have a comprehensive understanding of all the data and systems under their management, as well as their interconnections with other organisations. Not all data holds equal value, so security resources should be allocated accordingly. Priorities can be evaluated while you are risk profiling.
Only retain necessary data and securely delete any surplus information, sanitising the storage media at the same time. These principles also apply to old equipment, which must be disposed of securely. Data that is no longer useful to an organisation can still hold value for cybercriminals.
Data access control
All organisations must exercise complete control over which individuals can access data and in what circumstances. Implementing multiple layers of security, along with established protocols to restrict and monitor access, is essential; as a rule, each person should be granted only the access their role requires.
A potential solution is single sign-on protected by multi-factor authentication. Multi-factor authentication requires two or more independent factors before access is granted: typically something the user knows (a password), something they have (a phone, hardware token or security key) and sometimes something they are (a fingerprint). Single sign-on then applies that check once across all connected applications. Where phishing is the main concern, prefer factors such as security keys or platform authenticators that are bound to the genuine website, because one-time codes can be relayed through a convincing fake login page. Another solution is a password manager that generates and stores a unique, strong password for every account.
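To show what the "something you have" factor and a generated password actually consist of, here is an added example that is not code from the article or from Praxis42. It implements the time-based one-time code used by common authenticator apps (RFC 6238: an HMAC over the current 30-second time step, truncated to six digits), a server-side verifier that tolerates one step of clock drift but refuses to accept a code twice, and a CSPRNG-based password generator of the kind a password manager uses. The shared secret, the login timestamps and the helper names are constructed for the example.

```python
"""Second factor (time-based one-time code) and strong-password generation.

Added example, not code from the article or from Praxis42.  The TOTP
computation follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits); the
secrets and timestamps used in demo() are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import string
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def new_shared_secret() -> str:
    """Generate a random 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp(secret_b32: str, at: float, step: int = 0) -> str:
    """Six-digit code for the time step containing `at`, offset by `step` steps."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at) // STEP_SECONDS + step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class SecondFactor:
    """Server-side verifier for one user: accepts codes within +/- drift_steps of
    the current step and never accepts the same (or an older) step twice."""

    def __init__(self, secret_b32: str, drift_steps: int = 1) -> None:
        self.secret = secret_b32
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1

    def verify(self, submitted: str, at: float | None = None) -> bool:
        now = time.time() if at is None else at
        for step in range(-self.drift_steps, self.drift_steps + 1):
            counter = int(now) // STEP_SECONDS + step
            if counter <= self.last_accepted_counter:
                continue  # replay protection: this step has already been used
            if hmac.compare_digest(totp(self.secret, now, step), submitted):
                self.last_accepted_counter = counter
                return True
        return False


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, guaranteed to contain each character class."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def demo() -> dict[str, bool]:
    """Walk through login attempts against a fixed secret at fixed (constructed) times."""
    secret = "JBSWY3DPEHPK3PXP"   # constructed test secret; real ones come from new_shared_secret()
    t0 = 1_700_000_000            # constructed login time (20 s into its 30 s step)
    verifier = SecondFactor(secret)
    code = totp(secret, t0)
    return {
        "fresh code accepted": verifier.verify(code, at=t0),
        "same code replayed": verifier.verify(code, at=t0 + 5),
        "wrong code rejected": verifier.verify("000000", at=t0 + 40),
        "slightly old code still accepted": SecondFactor(secret).verify(code, at=t0 + 15),
        "stale code rejected": SecondFactor(secret).verify(code, at=t0 + 90),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
    print("example password:", generate_password())
```

Note what this does and does not protect against: a stolen password alone no longer grants access, and a captured code is useless after about a minute, but a user who types a live code into a fake login page has still given the attacker a usable second factor. That is why the paragraph above recommends factors bound to the genuine site where phishing is the main risk.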
It is crucial for every organisation to know what to do in response to a successful cyber-attack. A written plan, divided into small, concise playbooks for easy reference, is beneficial. Employees at every level of the business should regularly practise what they will do if a cyber-attack occurs, so it is always fresh in their minds.
Linking response preparation into your organisation’s business continuity management and communication tree ensures issues are escalated quickly and communications internally and externally are well managed.
Regularly review systems and equipment
As the nature of cyber-attacks evolves, it is crucial to conduct regular reviews of your systems and equipment to make sure they continue to provide robust protection.
Keeping software up to date, enabling updates and applying patches should be standard practice, not only for security software, but all your organisation’s software.
When it is no longer possible to update older devices and systems, they should be segregated from the network to mitigate any potential risks.
In one of our recent webinars, we discussed cyber security threats in detail. In the webinar, Daryl Flack, Co-Founder and CISO at BlockPhish shares his decades of cyber security experience.
Over the last twenty years Daryl has provided consultancy to private and public organisations, including the UK government, to ensure robust, proportional security controls are implemented.
To learn more about how your organisation can increase security against cyber threats, you can listen to the webinar here.