If businesses and public organizations needed a kick in the backside over their cyber crisis preparedness, then many got it over the weekend as the ransomware ‘Wanna Decryptor’ paralysed hundreds of thousands of users and systems in more than 100 countries, including hospitals and doctors’ practices in the UK National Health Service.
So the irony of this being ‘Business Continuity Awareness Week’ #BCAW2017 is only heightened by the fact that the theme of the week is ‘Cyber Security’. But the timing of this week – and the theme – couldn’t be better.
As the hand-wringing, blame-gaming and shock-horror media coverage continues, it’s worth spending a few minutes leafing through the Business Continuity Institute’s guide on preventing cyber attack (this is safe to click, by the way). Sure, there is some VERY basic advice in the guide, like not using ‘password’ as your ‘password’, but don’t roll your eyes too quickly. One in five passwords are things like ‘1234567’ or ‘qwerty’, or other entirely predictable choices. It’s clear people need reminding of the simplest security habits.
The BCI’s guide won’t solve complex IS security issues, but it’s often the weakest links that let the hackers in to do their business. That weakest link is commonly your company’s information security (IS) policy, or the lack of one, and, if you have a policy, how well employees have been trained to implement it AND how diligently they act on its requirements.
I’m in trouble – send money!
And finally, it’s not only the junior or non-techie employees who let the hackers in. Scammers and phishers target all levels of an organization in an attempt to breach firewalls or just separate someone from their money.
I’m aware of one CEO who knew what a ‘419’ scam was (wonder how many of you opened that link…) and how to avoid it, but was nearly stung by another email scam. We just managed to stop him from sending his credit card details (including the ‘magic code’ on the back) to an employee whose email to the CEO claimed he was in trouble abroad, having had his laptop, wallet and phone stolen and who needed credit card details for him to be able to book into a hotel for the night. Except it wasn’t the employee’s internet email address and he wasn’t in trouble… and, and, and.