Written by Isabelle Dann
As the recent Equifax, Deloitte, and Yahoo! headlines have reminded us all too well, the importance of cyber security protection for all enterprises cannot be overstated. Moreover, while corporate behemoths continue to dominate the news, it’s crucial to remember that SMEs are just as susceptible to cyber attacks – if not more so, thanks to a comparative lack of IT resources.
Indeed, over the summer it was revealed that nearly one million SMEs suffered a cyber attack in the last year. That is no surprise considering the prized data and IP they hold, which makes SMEs an attractive target for cyber criminals. At the latest RANT Forum – led by panellists Dr Jamie Graves, CEO and founder of ZoneFox, Chris Crowther, Cyber Director for Hartham Park Investments, and Solomon Gilbert, CEO of Ferox Security – such susceptibility in relation to insider threats was high on the agenda. To recap for anyone unaware, RANT provides a platform for attendees to discuss and debate security-related issues in an open format, where participation is actively encouraged among all individuals.
Questions ranged from the best approaches to cyber security education for staff – especially those who might not be particularly au fait with infosecurity – to the hiring of ex-cyber criminals. Months later, lessons from WannaCry are still being learned, with myriad professionals only just waking up to the need for businesses of all types to run a robust cyber security education programme. At the same time, however, the RANT consensus was that establishing such a programme calls for a more inclusive approach. As Graves said: “When it comes to cyber security, there are no stupid questions”.
Certainly, it’s vital for all IT professionals to remember that everything we do encompasses the human, rather than merely the machine. Perhaps nothing illustrates the perils of an insecure Internet of Things quite like a cursory glance at Shodan, the search engine for internet-connected devices, which is replete with exposed baby monitors; every one of those devices was put online by a person. Training has to reflect that reality, and, as Graves emphasised, “a 30-slide deck is not interactive training”. Instead, Crowther highlighted the importance of improving the UX alongside education efforts, while Gilbert carries out regular social engineering tests with his staff and rewards the winners with prizes.
Meanwhile Gilbert, himself a reformed digital offender, revealed some of the motivations of cyber criminals. For example, an ostensibly ‘black hat’ subject may purloin millions of credit card details just because they can, rather than ever actually capitalising on them. This suggests that financial spoils are by no means always the goal; often it is some semblance of control.
This was reflected in Gilbert’s conclusion: “Speak to anyone who’s coding illegal activity and they’ll say they don’t want to stay in cyber crime”. Evidently, more needs to be done to communicate effectively the opportunities that cyber security skills can bring. Nonetheless, it’s paramount not to homogenise cyber criminals as some nefarious other. After all, as Gilbert asserted: “If you don’t have a passion for engaging other people in security, then you shouldn’t be here”. Business leaders, take note.