Insights into the additional risks that come with the summer holidays from Leonardo Cyber Security Division, SWCRC Board members.
The school holidays are upon us. As the future of our nation emerges liberated from educational institutions across the land, with metaphorical refrains of Alice Cooper ringing in their ears, we should reflect on the fact that for cyber criminals, school is most definitely not out for summer.
For cyber criminals, the summer break brings opportunity. This may manifest itself in a minor way – for example, adjusting phishing campaigns to offer too-good-to-be-true family package holidays – but there is also opportunity to exploit the seasonal disruption to business processes. Many employees will be covering the unfamiliar roles of colleagues, making them potentially more vulnerable to social engineering. Critical functions (particularly security) may be operating a skeleton crew, meaning that attacks have a better chance of avoiding detection, and of causing greater impact when successful. The travel industry, schools, their suppliers and customers (including parents) may carry out more intensive financial activities during this period, making them more lucrative targets for Business E-mail Compromise (Invoice Fraud).
For business, the challenge as ever is to establish proportionate, affordable security controls in uncertain economic times – always maintaining vigilance and staff awareness.
Overcoming this challenge starts by removing the trope that security is an expense, a regrettable spend. Security is a business enabler. As customers become increasingly aware of supply chain security risk, a mature security programme can indeed be the contract-winning difference – a powerful marketing point.
We’d all love to have bleeding-edge security technology, but budgets are unlikely to stretch that far. What’s important is to continually evolve, improve, and avoid dismissing affordable but imperfect security controls.
One example of this is two-factor authentication, which is arguably one of, if not the most effective security controls available. It is not unusual for businesses to dismiss the use of SMS (text message) for two-factor authentication, on the basis that it can be compromised, choosing instead to remain on single-factor authentication. Whilst it’s true to say that SMS two-factor authentication can be more readily compromised than alternatives, that doesn’t mean it’s easy – nor does it mean that alternative methods are perfect. What’s almost certain is that if you’re operating single-factor authentication on an exposed edge, it’s not a question of if you get compromised, but when.
What’s important to remember is that a significant proportion of cyber criminals operate on a financial incentive – they are illegitimate businesses. Where their target requires more than reasonable effort in terms of money, time and resources to achieve their objective, they will choose another opportunity with a better profit margin. If your business has made that effort unaffordable for the majority of threat actors operating in your domain, you’ve significantly reduced your risk of becoming a victim. Raise your security bar and avoid being the low-hanging fruit!
A clear understanding of your business exposure to cyber threat, and the corresponding risk, facilitates the selection of proportionate security controls and delivers value for money from security investment. Where businesses do not retain in-house capability, external providers such as Leonardo are available to support the creation and implementation of an economically prudent security strategy.