One of the financial sector’s biggest ever hacks was also one of its simplest, when hackers got their mitts on a JPMorgan Chase employee’s login credentials in Spring 2014.
The banking giant had neglected to implement two-step verification on one of its servers, and sat by as attackers found their way into 90 other servers, making off with the names, addresses, numbers, emails and other information of around 76 million households and 7 million small businesses.
One in three American households were affected by the breach. And while the bank has never revealed the cost of the hack, it announced shortly after that it would increase its annual cybersecurity investment to $250 million. The risk was too high not to.
But while the bank’s lack of two-step authentication had exposed a vulnerability, the hackers’ way in was an errant JPMorgan employee. People are the weak link when it comes to cybersecurity, but they don’t have to be.
Major cybersecurity risks
The majority (88%) of data breaches in the UK are caused by human error, not cyber attacks. Effective cybersecurity means more than technology. It covers data management, education and organisational culture. And it starts at the top.
Senior figures in any company are top targets for scammers. Not just CEOs, but lead finance roles like CFOs, too. You’ve heard of ‘phishing’, but the latest trend is ‘whaling’, whereby scammers masquerade as senior people in a business to solicit payment and sensitive data from colleagues by email.
One hacker group, known as London Blue, has compiled a list of 35,000 CFOs, including those at the world’s biggest banks and mortgage companies. These employees are easy prey for whaling, if they find it hard to tell a real email from a fake.
And threats like these aren’t only aimed at the JPMorgans of the world. More than 40% of all UK businesses suffered a cyber breach or attack in the past 12 months. This isn’t purely a large business concern – with one-third of small businesses lacking their own cybersecurity strategy.
Changing business security cultures requires leadership from the top – whereby managers identify sensible rules for insulating the company from attack, educate their teams and – perhaps most critically – stick to the rules themselves.
Hacking is usually portrayed as a ‘technical’ activity. A geek armed with a hoodie and a laptop cracks into a server and runs amok. But media depictions of hackers hold little water in the real world. Cybersecurity and hacking aren’t all about computers. They’re about attacking human vulnerabilities.
Protecting your business against such attacks therefore starts with people and training. Organisations must make everyone responsible for cybersecurity, not just the IT team.
Effective cybersecurity means doing the basics at a high level, throughout a business and on an ongoing basis.
Ask yourself: is cybersecurity training required at your organisation? If it is, when did it last take place, and how robust is the programme?
Next, ask whether your business is Cyber Essentials-certified. If the answer is no, start by investing in the scheme. Cyber Essentials is a simple but effective government-backed scheme to help protect organisations against a wide range of common cyber attacks.
Making cybersecurity stick in your organisation means resetting leadership thinking on the topic. Consider how well you understand your business’s financial risk or current sales position. You probably study it with regularity and discipline. Cybersecurity must secure pride of place next to these business measures.
Business cybersecurity technology
Implementing the right cybersecurity technology in any business is easy. Focus on four key pillars:
- First, implement a strong antivirus. ThreatAware recommends Webroot SecureAnywhere. It’s lean, mean and will protect you from the latest threats.
- Next, implement and enforce web browsing security. This will help prevent your team unintentionally going to malware-infected websites. We recommend using Umbrella.
- Then install a patching tool to keep software watertight. ‘Patching’ means constant, iterative updates to software programmes. Keeping your software up-to-date is a vital cybersecurity step. We recommend AutoMox, a cloud-based, automated patch-management solution.
- Finally, leave no gaps. Your cybersecurity programme should apply to everyone. From consultant to COO, allow no-one into the business without the correct cyber-infrastructure in place. Lock everything down but leave an external device unprotected, and the hackers can simply let themselves in. Thank you very much.
Hacking is a business, just like yours
Hackers are businesses. Not legitimate ones, of course. But they’re not bored teenagers, either. Four in ten UK businesses have been the victim of a cyber attack – a number that requires skill and coordination to hit. Hacks are not spur-of-the-moment crimes. Instead, they’re process-led, the result of careful planning and reconnaissance.
Take hackers seriously, therefore, and they’re more likely to leave you alone. There are simply too many easy targets on offer to try and crack secured businesses.
Of course, you may not know whether you’ve been hacked. Attackers typically remove all traces of themselves once they’ve ransacked your servers. For a quick checkup, insert your email address here to see whether your email and password (and more) are on the dark web.
Cybersecurity is all about the basics. Understand and act on the simple stuff, and you’ll increase your resistance to cybercrime overnight. But understand that you can’t tackle the problem alone. The best business leaders have got cyber on their business agenda, and know that every employee must be trained to recognise and protect the business from cyber threats.
Your business is at risk; so are your competitors. And while big businesses can swallow the financial damage of a major hack, smaller businesses cannot. Leadership counts. Are you stepping up to the plate?