Anyone claiming that their cyber-security product will make you immune to cyber-threats isn't telling the truth.
Hackers and cyber-criminals are constantly playing a game of cat and mouse with security experts, and so the threats are constantly evolving. Unfortunately, there is no silver bullet to the issues organisations and individuals face on a daily basis, but that doesn't mean that we are powerless.
Many people do feel helpless, however, thanks to years in which parts of the industry have presented cyber-security as a mysterious dark art. The sector is full of ‘magic’ tech and underdeveloped projects, but little effort is spent on actually making the fundamentals easier to achieve.
The resultant sense of helplessness felt by many people has led to an attitude in which they believe that cyber-security isn't their problem; that it's someone else's responsibility. Security professionals can certainly do a lot, but if people aren't willing to protect themselves, then it's inevitable that they will become victims.
Rather than continue the narrative that cyber is something to be feared, the sector needs to empower and educate people so that they can take control of their own online security. The British Government has taken steps in the right direction with the introduction of the Cyber Essentials scheme, but businesses and organisations still have much to do.
Cyber-security is often seen and wrongly classed as a purely technical discipline. While this may hold true for many of the more deep-dive technical aspects, when an incident occurs it will likely impact the entire organisation; from the IT department to the PR and comms teams, all areas will be affected. It is important that these key members of staff, who are sometimes thought of as polar opposites, speak the same language and are able to understand each other in times of crisis.
Organisations tend to be well versed in carrying out fire tests and drills, having become accustomed to these over many years. The same can't be said for cyber-security practices, however. Organisations do not test and drill the organisational mechanics enough to ensure that, when the inevitable happens, staff who are required to respond and act are supple enough in their approach to dealing with incidents.
Getting the basics of cyber-security right and applying them properly can go a long way to protecting an organisation. After all, there is no point putting the bolt on the front door if you leave a side door open all the time. Implementing basic measures, for example, and ensuring a robust awareness campaign that really drives the message home to staff, is a sure way of improving the overall security posture and practices of any organisation.
By raising awareness of the security basics within an organisation, the risk will be reduced. As most cyber-incidents begin through phishing emails, employees should be made aware of what they look like. That way, instead of opening them and potentially compromising the organisation, they'll delete them, immediately eliminating the threat. The implementation of basic cyber-security practices isn't just down to the IT department, however, but needs to be enforced at all levels of an organisation, from the very top to the very bottom.
Most cyber-criminals are opportunistic creatures seeking an easy score. Of course, there are those who are more persistent and capable, but if you make yourself an easy target then it's pretty much a certainty that you will become another statistic.
In most cases, an attack is unlikely to be specifically targeted against a particular individual; that person will just be one of a million emails on a list the attacker has bought or stolen. Basic protections will keep you safely near the centre of the herd as opposed to being picked off by the hyenas plaguing the perimeter. That's not to say that there aren't professional and organised criminal gangs out there but, as in the offline world, they tend to prey on easier-to-hit or extremely high-value targets.
Making people cyber aware and secure is a challenge. After all, it's easy to drive the fear, but it's not so easy to demystify and empower.
Contributed by Andy Rees, Head of Technical Consulting at XQ Cyber
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.