Cyber security – It’s not just the government's responsibility!
In our line of work, we’re rarely surprised about anything, and listening to the news these past few weeks was no different.
Over the last few weeks we’ve heard of British Airways being hacked, exposing 380,000 people’s details, Facebook suffering an attack which saw 50 million accounts being stolen, and we now hear the news that Tesco has been fined £16.4 million for an attack which occurred in 2016.
What should be happening?
This month (October) is ‘Cyber Security Awareness’ month, the month in which managers everywhere do what they can to raise awareness in their organisations about cyber security, from running poster campaigns to competitions. This is great, but is it enough?
Back to the future
In 2013 the Defence Select Committee chairman, James Arbuthnot MP, said “It is our view that cyber security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention. The government needs to put in place - as it has not yet done - mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents."
But, has enough been done over the last 5 years?
Over recent years the biggest impact on data protection and information security has come as a result of the changes brought about by the General Data Protection Regulation (GDPR). But has enough been done to raise awareness of cyber security threats and the steps needed to protect ourselves? Many would say no, and I would agree with them.
Major General Jonathan Shaw, former head of cyber security at the Ministry of Defence, stated that the government should look to run a ‘Cyber Health’ campaign similar to the AIDS campaign of the 80’s.
Whilst it may sound a little dramatic to compare the two, he certainly raised an interesting point and there are similarities to people’s perception of these two threats.
If we put to one side the obvious difference between cyber attacks and AIDS, how people perceived the threat from AIDS in the 80’s is very similar to how people perceive the threat of cyber attacks today.
- It’s a problem for the Government
- It’ll never happen to me – I’m not a target
- It’s not as big a problem as people would have us believe
- I can avoid it. I take precautions (which are focused in one area only)
- If I am a victim, I’ll hide the fact out of fear of what others might think/do
I remember these comments being made on an all too frequent basis throughout the 80’s, I heard them again in 2013, and still hear them now, when talking to individuals or businesses about the threat from cyber attacks.
So maybe Major General Shaw has a point, especially when we consider that in 2017 there was a 91% increase in ransomware attacks compared to the year before. In fact, when Major General Shaw spoke in 2013 the term ‘ransomware’ wasn’t known outside the security industry. Yet today it is one of the most prevalent and feared modes of operation used by cyber criminals.
What can we do?
When helping businesses, Agenci often provides advice and guidance on how to raise awareness on a range of topics, from physical access controls to destruction of confidential waste, and in amongst these topics is often cyber security. Raising awareness should utilise all available channels at businesses' disposal, and this is the same for the government. It would be great to see a more government-led approach to this and, although they already do a lot, more mainstream media awareness is needed.
Again, to quote a current statistic, it is claimed that every hour there are 1000 attacks on computers. Is this an accurate figure? Who knows?! It could be, but I would put the figure much, much higher. Indeed, what do you mean by ‘attack’? It’s impossible to know. It’s like estimating how many people are making a cup of tea at any one time!? You can estimate by analysing ‘power surges’, but it’s not an accurate picture.
Teach it to the kids
In school the teaching of safe-sex is now relatively standard practice. But just how much are we teaching safe-surfing? We also have those who mistrust the internet for all the wrong reasons and then there’s the rest of us who have grown up with the internet and believe it is our friend.
I firmly believe that each of us has a responsibility to protect ourselves from cyber-attacks and I believe the idea that the Government should do more to raise awareness of the threat is a good one.
But we need to take responsibility ourselves and we must change the perception that this ‘will not happen to me’. The likelihood is, it will (if it hasn’t already). For individuals to take heed, the Government needs to educate them. For people to be educated, they need to see it as their problem. This can only happen if we make them aware.
If you need to raise awareness in your organisation, why not try some of the following:
- Run a ‘best cyber related joke/story’ day
- Run a competition for best 'data protection improvement'
- Create a cyber-crossword or word-search
- Create some posters
- Send out emails from the board re-stating the importance of cyber security
- Have the head of the business give a webinar or talk on cyber security
- Run a ‘bake sale’ where the decoration on the cake is cyber or data related
- Run a ‘best cyber picture’ competition
- Run presentations or seminars but ask for volunteers to deliver them
- Promote the idea of ‘cyber champions’ across the business
- Run a table top exercise for senior managers on how to handle a data breach
- Write blogs and related articles for your company site or notice board
I believe we all have a part to play in making a safer society, both on and offline. We can only do this if we approach the world in an honest way, with our eyes wide open. So we need to raise awareness, but here’s one final idea. Why not make this the start of your cyber security awareness? Why not create a full schedule of activity for the year? Doing little and often is far better than the ‘hit-it-and-run’ approach.
Good luck. And if you need help then you know where to find us.
Written by Gary Hibberd, Managing Director of Agenci.
Agenci provides Cyber Security consultancy services and assistance on GDPR compliance.