Politics often throws up examples of highly memorable, and equally emotive, language designed to make voters think a certain way about a particular party.
The UK’s current election fever is no different, with politicians coining the rather loaded phrase, “Weaponizing the NHS”, to show how a party is allegedly playing politics with the country’s treasured National Health Service for its own gain with the electorate.
The phrase has also appeared in the cyber security arena, with those staging cyber-attacks described as “weaponizing” people to carry them out.
The words “cyber” and “weapon” are often used together and I’m disappointed by my peers who have decided to do so. As with its political use, language like this is frequently employed to convey a sense of drama or importance; but, in actual fact, these words conjure up images that play to stereotypes and are neither helpful in creating awareness nor in engaging business leaders in the importance of cyber resilience. Yet, despite the unfortunate turn of phrase, cyber attackers are indeed using people to deliver cyber “weapons”.
For example, most cyber-attacks begin with a phishing or social engineering attack – where the attacker deliberately exploits a person’s natural instinct to help someone who appears to need it. We also know that the methods used by attackers are becoming increasingly sophisticated as they strive to make their activities more targeted and get a better return on their investment. Like any other “business”, criminals don’t want to waste their time or money.
Phishing or social engineering attacks are often well thought-out and well-planned, frequently hiding the attacker behind false identities that fool their victims. When targeting an organization, the attacker may identify someone who heads up the IT security team and then approach someone else who works in the organization with a story like this:
“Hi Jo, I work in IT Security, part of John Smith’s team. You may have noticed that there have been a few network issues today. I’m really sorry to bother you, I know that you must be busy, but to fix this I really need your help. Can you quickly confirm your username and password to the payments system?”
This is a very simple and effective form of attack that exploits people’s instincts, and it’s not a stretch to imagine how the same tactic may be used in an email. So what can be done? There’s no silver bullet, but it comes down to a combination of effective, efficient and consistent use of people, processes and technology.
IT companies regularly offer new solutions to block phishing emails, but the attackers are aware of this too and continue to alter their methods, making such emails harder to detect and prevent. It has become an “arms race” for the latest technology, and this can be cost-prohibitive for many smaller companies. This may not appear to be a problem for larger organizations, but it so easily could become one if one of these smaller businesses is part of their “information eco-structure”.
Technology cannot prevent someone divulging confidential information over the phone; a simple process, however, could. In response to this vulnerability, many organizations have introduced an “identification and verification” (ID&V) process. This is an internal version of the check that clients go through when, for example, contacting their bank by phone or online. The user shares a password, or more accurately part of a password, with IT security, and it is used to ensure that both parties are who they claim to be.
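As an added illustration of the partial-password ID&V process just described (example code, not AXELOS’s or the author’s), assuming the IT security desk and the employee share one enrolled verification phrase and that each side challenges the other on a different handful of character positions:

```python
"""Constructed illustration of a mutual, partial-secret ID&V check (not AXELOS code)."""
import hmac
import random


def make_challenges(phrase_len: int, per_side: int = 3, rng=None):
    """Pick two disjoint sets of 1-based positions: one for the desk to ask the
    caller, one for the caller to ask the desk. Neither side is ever asked for
    the whole phrase, so a bogus caller learns at most `per_side` characters."""
    if 2 * per_side > phrase_len:
        raise ValueError("phrase too short for a mutual check of this size")
    rng = rng or random.SystemRandom()
    picks = rng.sample(range(1, phrase_len + 1), 2 * per_side)
    return sorted(picks[:per_side]), sorted(picks[per_side:])


def answer_challenge(phrase: str, positions) -> str:
    """Read back only the requested characters; positions past the end of a
    wrong-length phrase are skipped, so the answer will then fail to match."""
    return "".join(phrase[p - 1] for p in positions if p <= len(phrase))


def verify_response(record: str, positions, response: str) -> bool:
    """Compare in constant time so timing never hints which character was wrong."""
    expected = answer_challenge(record, positions)
    return hmac.compare_digest(expected.encode(), response.encode())


def mutual_idv(desk_copy: str, caller_copy: str, rng=None) -> dict:
    """Run both directions of the check. `desk_copy` is the phrase on record
    (held in an access-controlled system, never on a sticky note); `caller_copy`
    is whatever the person on the line believes the phrase to be. Each side
    judges the other against its own copy, so an impostor at either end fails."""
    ask_caller, ask_desk = make_challenges(len(desk_copy), rng=rng)
    caller_ok = verify_response(desk_copy, ask_caller,
                                answer_challenge(caller_copy, ask_caller))
    desk_ok = verify_response(caller_copy, ask_desk,
                              answer_challenge(desk_copy, ask_desk))
    # Audit record for the security team: which positions were asked, never the characters.
    return {"caller_verified": caller_ok, "desk_verified": desk_ok,
            "proceed": caller_ok and desk_ok,
            "audit": {"asked_caller": ask_caller, "asked_desk": ask_desk}}


if __name__ == "__main__":
    # Constructed sample phrases: a genuine call, then the "Hi Jo" style impostor.
    print(mutual_idv("blue-giraffe-42", "blue-giraffe-42")["proceed"])  # True
    print(mutual_idv("blue-giraffe-42", "xxxxxxxxxxxxxxx")["proceed"])  # False
```

A call that fails either direction should be ended and reported to the security team, and the audit entry gives them the positions that were probed without exposing the phrase.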
Another way of managing this is to introduce an effective awareness campaign, designed to help employees identify suspicious looking emails or bogus calls and to know what to do next. But this needs to be delivered in an engaging way that resonates with everyone, from the top down.
But let us be honest: typically, cyber security messages can be somewhat dry, and the challenge is to bring them to life. To achieve this they need to be free of jargon and “techie-talk” and should be delivered in multiple formats throughout the year. Both the messages and their delivery methods have to be engaging in order to stand out from the plethora of corporate messages that employees are bombarded with every day.
Traditional cyber awareness approaches have tended to involve an annual delivery of poorly-designed, computer-based training packages, with confusing messages and dull posters that have failed to help make organizations truly cyber resilient. Instead, employees who are currently at risk of being “weaponized” need the right tools and awareness training to protect themselves and their organizations alike. AXELOS is therefore devising simple advice and techniques – delivered via a range of media and channels – to help everyone in an organization develop good cyber behaviour.
More AXELOS Blog posts from Mark Logsdon