“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Former FBI director Robert Mueller
On this week’s Golden Marzipan Breakfast Briefing, two experts joined us to discuss cyber security solutions. Dr Tooska Dargahi, Lecturer in cybersecurity and the Programme Leader for MSc Cybersecurity at the University of Salford and Andrew Giles, Technology Lead at Golden Marzipan covered the importance of cyber security, the different types of cyber-attacks, how to adopt effective preventive measures, and where to seek help should the worst happen.
What Is Cyber Security? Why Is It Important?
According to the National Cyber Security Centre, the main goal of cyber security is to be a method of prevention by which “organisations reduce the risk of becoming victims of cyber attack.”
The key word there is ‘prevention’ as Dr Tooska explains, “we can’t ever say you’re a 100% secure. You’re just trying to reduce vulnerabilities and reduce the potential of you being a victim”. When mentioning cyber-crime prosecutions she referred to a recent cyber security report that stated there was only a 0.05% chance of catching and prosecuting cybercriminals. So, with very little chance of finding and preventing the perpetrators from acting again, your best defense is to ensure you are as ‘water-tight’ as possible.
So, why is cyber security so important? “Because we live in a connected world,” explained Dr Tooska, “where everything is connected to everything: we store information in clouds that are managed by third parties and we have very little control over that. We have smart phones, smart homes, smart cars .”
But as Dr Tooska explained there’s not just one type of hacker or one type of attack. An attack can be opportunistic, where the cyber-criminal looks for vulnerabilities in any kind of organisation, or targeting a specific sector . And the hacker could be anything from a ‘State-sponsored’ hacker that’s looking to acquire classified information to gain an advantage over others, to a ‘Script Kiddie’ who uses existing codes available over the dark web.
Dr Tooska shared with us a really helpful infographic from the National Cyber Security Centre that details the 10 best ways to protect yourself from cyber-attack and we’ve included a copy below.
To close her presentation Dr Tooska briefly talked about privacy, an area of increasing concern given the exponential growth we’re seeing in the smart devices market (estimated to be $135b by 2025). A recent US survey reports that 27% of people wouldn’t buy a smart device due to privacy concerns, but many of us have never even read the terms and conditions of our Alexa-type devices, so we have no idea what information about ourselves we’re actually giving away.
Many housing associations think that cyber-attacks are not something they need to worry about, but that’s far from the truth as Andrew concluded: “In recent history, we’ve seen some breaches in the sector that have had major consequences. Housing associations are as much of a target as any other business, and we need to view cyber security through that lens.”
Don’t Worry, Help Is at Hand!
Dr Tooska explained that if you’re a small or medium business based in the Great Manchester area, you can benefit from the cyber security academic startup accelerator programme and contact GM Cyber Foundry for further support and collaboration.
For cyber security, there’s loads of advice for SMEs on www.ncsc.gov.uk and for more information around privacy, the best to look is www.ico.org.uk.
Here at Golden Marzipan, we are looking at governance and standards for the housing sector more closely. Our “code” looks at all aspects of IT and data, including cyber risk and it is intended to provide a best-practice framework for service provision. We will keep you posted on how this develops as we consult with others in the sector.
For more information on digital in social housing please contact steve@goldenmarzipan.co.uk
Q&A
Our Breakfast Briefing guests came from a broad mix of backgrounds and this generated a lot of interesting questions. We’ve captured a selection of them below:
1. Should I store passwords in my browser?
No, it’s not a good idea because it’s very easy to get the information from your cache. Dr Tooska was in support of password managers, but rather than just relying on passwords she encourages SMEs to use two-factor authentication at the very least.
2. Which types of passwords are safer?
Dr Tooska believes it’s critical to use a combination of numbers, symbols, and characters – but you need to avoid using a familiar pattern. Many people use ‘@’ or ‘4’ instead of an ‘A’ – but this is really easy to crack. Also, try to use passwords that have no specific meaning. There are lots of password dictionaries out there that list the most common passwords and hackers can use these to run against your system to gain access.
3. How do you know if you have been hacked?
Dr Tooska explained that some malware and malicious activity goes unnoticed as it generates traffic that looks genuine. The solution for this is not your static anti-malware products, you need to acquire dynamic analysis products that capture and assess the behaviour of users. For instance, they recognise if a single user is acting in an unusual way, or if there’s increased traffic between two computers.
4. How do you prepare for incident management?
To be prepared you need frequent offline backups, so that if you do get hit you simply revert back to that copy. If you only backup every month, you could lose lots of information and if you back up online, this could also be affected by the malicious activity. Up to date patches (the updates we receive) are equally important. Those patches are there for a reason.
5. Do I need to change my passphrase regularly?
You need to change your passwords or passphrases every three months. It’s doesn’t matter how long they are, if they are common passwords or phrases that are in ‘the dictionary’ they are easy to hack.
6. How to handle the patching timing and planning?
Patching can sometimes cause chaos in a business, if the patch has an unknown and unwanted impact on systems, also in a larger organisation you may be faced with a staggering number of patches every day – however, they are vital in reducing your vulnerability. This is forever the big challenge to balance for IT teams. To determine whether you can hold off patching, you need to consider the impact of doing it versus the impact of not doing it. For Dr Tooska, they are always a priority.
7. What’s the advice to Board members?
The most important thing Board members can do is listen to their IT directors. It is always a balance to manage all of this, but IT directors have a comprehensive view of what is happening inside their organisation – where their weak points are and what could be done better.
Do you want to ensure you’ve minimised the chances of a successful cyber-attack? Golden Marzipan’s team of specialist advisors can help. From initial health checks to effective plans that will get you to where you want to be. Contact Peter at peter@goldenmarzipan.co.uk
