Cyber-security: we are the weakest link

Nothing is infallible, but when it comes to cyber security it is people, not computers, that are most often the weakest link. There are plenty of horror stories circulating on the internet: identity theft, nations waging cyber warfare against each other, coercion at the hands of fake authority figures, and even Nigerian funds waiting to be transferred to the lucky recipient's bank account. All have a common theme: it is not the technology that lets us down, it is ourselves. Bill Walker, Technical Director, QA, addresses the issues involved.

TWENTY:13 Enhance Your IT Strategy, learning & development, 01/03/2013

A recent survey [1], carried out by YouGov, reveals that over a quarter of those polled admitted to transferring work files to and from home, and half of those said they have had a virus on their machines at some point. It is clear that the blurring of our work and home lives is starting to affect the security of important corporate data.

Viruses do not discriminate. People who considered themselves technically competent reported almost the same rate of infection as those who did not (see the box out). Organisations are losing control over their security as workers take files off the grid.

Nor is national security immune. The notorious Stuxnet worm is a prime example of cyber warfare tactics: it spread from machine to machine on removable media so that, from across the globe, it could reach and manipulate industrial control systems in Iran's nuclear programme that were not connected to the internet.

However, it isn't just blanket bombardment by malware that is a threat.

Social engineering targets the company through the individual

'Social engineering', the term for attacks in which scammers use specific personal information to extract more sensitive or confidential material, is ever more prevalent. Some attacks are so well executed that even tech-savvy and senior people can be duped into giving away vital details. Would you be able to spot the intent?

Take the story of the CEO of a large business who liked expensive cars and made no secret of it. When a glossy brochure addressed to his home came through the letterbox, full of pictures of lovely-looking new Jaguars, he did not hesitate to pick it up. Flicking through, he found an innocuous-looking CD with concept cars pictured on the front, and his interest was piqued. He put it into his home computer without a second thought. Because he used the same password at home as he did at work, an enormous amount of damage could be done. And it was.

Security is a major problem for businesses and governments alike. Today, serious and organised cyber crime is a far cry from the lone hacker sending out anonymous malware from a bedroom. Nortel, the much-maligned multinational communications firm, leaked information for ten years before the extent of the breach was fully understood. According to reports, documents including emails, technical papers, research and development reports and business plans were all taken by attackers operating from Chinese IP addresses, and malware was left on infected machines even after the company had been broken up and sold, meaning the threat was passed on to the buyers.

But the world has moved on. Today the cost is enormous and growing: cybercrime costs UK businesses an estimated £21bn a year.

Is your organisation safe?

Most companies do have an IT security policy and are concerned enough to implement it. Eighty-six per cent of people who said that their organisation had a policy felt that they worked in a secure way. Yet the survey revealed that, despite the policy, they were almost as likely to share passwords with other people as those who had no security policy at all; typically they trusted their employer to hold a copy of the password. Among those in workplaces with no security policy, one in ten said they had no password on any device at all.

What can we learn from this? Think hard about who knows your information. It seems simple, but what is the point of the most complex password possible, mixing upper case, lower case, numbers and symbols, when you have instructed your browser to remember it for you? And the device itself may not stay in your hands: 15,648 laptops are lost by business travellers each week.

Beware malicious apps

It is not just desktops that need protection. The malicious app is a growing phenomenon. Android has seen a number of apps that mirror real ones, often with the suffix 'Super', intending to harvest data from the device. The website DigitalTrends found that 'Imangi's Temple Run (the official game) only requests permission to access the device's full network and to perform, read and write operations to storage. Temple Run Super, however, also asks for location information, phone status and identity, access to accounts on the device, and more.' In the last year malware on Android was up by 580 per cent, and a staggering 23 of the top 500 apps on Google Play were deemed high risk. This might not be an immediate problem for business users, but the trend of BYOD (bring your own device) is a real headache for firms.

Information assurance

All IT security policies should make sure that only the right people have the right level of access. In a complex system, files should only be seen or edited by those who have the authority to do so. The risk of blanket access is too high: one in 20 office workers have taken company information with them when they left an organisation and joined a new one. Minimising this risk should be high on the agenda.

The UK government recommends 10 Steps to Cyber Security, backed by the Centre for the Protection of National Infrastructure (CPNI), the Cabinet Office and GCHQ. The advice is built around an information risk management regime, supported by further policies on security, protection, monitoring and education.

Either way, the message is clear. A fully rounded and complete approach must be taken to prevent damage being done. People are the problem, and we are all responsible for the security of the technology we use, rather than relying on IT to do it for us.

Viruses don't discriminate:
• 44% of UK office workers have had a virus.
• 43% of competent IT people have had a virus.
• 45% of people who are not IT-competent have had a virus.
• All geographic regions have the same virus rate.
• 50% of men and 49% of women have had a virus.

Initiatives aimed at raising awareness are being taken extremely seriously by governments around the world. The Australian Defence Signals Directorate's 'Catch. Patch. Match.' campaign claims that its strategies would prevent the majority of targeted cyber intrusions. Boiled down, it proposes three things:
Catch: malicious software, by whitelisting the applications that are allowed to run.
Patch: your operating system and applications.
Match: the right people with the right privileges.

Reference
1. QA survey carried out by YouGov, which polled over 1,000 office workers online. www.qa.com/cybersecurity
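The permission comparison DigitalTrends made between the official game and its 'Super' lookalike can be automated. The block below is an added example written for this edit, not code from the article or from QA: it parses two constructed AndroidManifest.xml fragments (modelled on the permission lists quoted above; the package names are made up) and reports which extra permissions the clone requests and which of those fall into Android's 'dangerous' protection level, the ones that expose user data or device identity.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in every real manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions Android classifies as 'dangerous'. A game that asks for these
# without a visible reason is the pattern the text describes.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed manifest for the official game: network plus storage only.
OFFICIAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.officialgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed manifest for the lookalike: same base permissions plus
# location, phone identity and account access.
CLONE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.officialgame.super">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""


def permissions(manifest_xml: str) -> set:
    """Return the set of permission names a manifest declares with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        element.attrib[NAME_ATTR]
        for element in root.iter("uses-permission")
        if NAME_ATTR in element.attrib
    }


def permission_drift(baseline_xml: str, candidate_xml: str) -> dict:
    """Compare a candidate app's permissions against a known-good baseline.

    'extra' lists every permission the candidate adds; 'dangerous_extra' is the
    subset in the dangerous category, and 'high_risk' is set when that subset is
    non-empty. Permissions the candidate drops are not a concern here.
    """
    extra = permissions(candidate_xml) - permissions(baseline_xml)
    dangerous_extra = extra & DANGEROUS
    return {
        "extra": sorted(extra),
        "dangerous_extra": sorted(dangerous_extra),
        "high_risk": bool(dangerous_extra),
    }


if __name__ == "__main__":
    report = permission_drift(OFFICIAL_MANIFEST, CLONE_MANIFEST)
    for key, value in report.items():
        print(key, value)
```

Run against a real pair of APKs, the manifests would come from `aapt dump xmltree` or `apktool d` rather than inline strings; the comparison logic is unchanged. Note that the check compares a candidate against a trusted baseline, so it only helps when the official app's permission list is known in advance.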
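Two of the points above, least privilege under 'Information assurance' and the Catch, Patch, Match strategies, can be expressed as concrete checks. The block below is an added example written for this edit, not code from the article, QA or the Defence Signals Directorate; the 'binaries', directories, version strings and role table are all constructed. It shows why an application whitelist should be keyed on file hashes rather than trusted paths (a trojanised file dropped into a trusted directory passes the path rule and fails the hash rule), a numeric rather than string patch-level comparison, and a deny-by-default role check.

```python
import hashlib

# --- Catch: application whitelisting ---------------------------------------

# Constructed stand-ins for executable files (not real binaries).
GENUINE_UPDATER = b"MZ\x90\x00 vendor updater build 4711"
TROJANISED_UPDATER = b"MZ\x90\x00 vendor updater build 4711" + b" + dropper payload"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Weak rule: anything under a trusted directory may run. The attacker only
# has to get a file into that directory, or into a user-writable subfolder.
TRUSTED_DIRS = ("/opt/vendor/", "C:\\Program Files\\Vendor\\")


def allowed_by_path(path: str) -> bool:
    return path.startswith(TRUSTED_DIRS)


# Stronger rule: only binaries whose hash is on the list may run; everything
# else is denied by default. Filenames and locations play no part.
ALLOWLIST = {sha256(GENUINE_UPDATER): "vendor updater build 4711"}


def allowed_by_hash(contents: bytes) -> bool:
    return sha256(contents) in ALLOWLIST


def assess_execution(path: str, contents: bytes) -> dict:
    """Evaluate both rules so the difference between them is visible."""
    return {"path_rule": allowed_by_path(path), "hash_rule": allowed_by_hash(contents)}


# --- Patch: minimum patched version ------------------------------------------

def parse_version(version: str) -> tuple:
    # "10.0.19041" -> (10, 0, 19041). Comparing numerically avoids the string
    # comparison mistake where "10.0.9" sorts after "10.0.19041".
    return tuple(int(part) for part in version.split("."))


def is_patched(installed: str, minimum: str) -> bool:
    return parse_version(installed) >= parse_version(minimum)


# --- Match: the right people with the right privileges ---------------------

# Constructed role model. Deny by default: an action absent from every role
# the user holds is refused, and unknown roles grant nothing.
ROLE_PRIVILEGES = {
    "staff": {"read_shared_docs"},
    "finance": {"read_shared_docs", "read_payroll"},
    "it_admin": {"read_shared_docs", "install_software", "reset_passwords"},
}


def is_permitted(user_roles, action: str) -> bool:
    return any(action in ROLE_PRIVILEGES.get(role, set()) for role in user_roles)


if __name__ == "__main__":
    print(assess_execution("/opt/vendor/updater", GENUINE_UPDATER))
    print(assess_execution("/opt/vendor/updater", TROJANISED_UPDATER))
    print(is_patched("10.0.9", "10.0.19041"))
    print(is_permitted({"staff"}, "install_software"))
```

In production the hash rule corresponds to a hash or publisher rule in a tool such as AppLocker, and the role table to the group memberships an identity system already holds; the point of the example is the decision logic, not the storage.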