It's time to stop being confused about cyber security


Grant Barnes, Threat and Vulnerability Manager at Cantium Business Solutions, explains how shifting our mindset from feeling like a victim of cyber-attacks to acting as a proactive defender of our digital assets can raise awareness of cyber security threats

The public sector manages vital infrastructure, making it a high-value target for cybercriminals. A cyber security breach can have far-reaching consequences, including compromised national security, disrupted public services, financial losses, and a decline in citizen trust.

So, it is understandable that public sector organisations and teams can feel vulnerable even before an issue has occurred. How can we shift the mindset from victim to proactive defender? From my experience, it’s through acknowledgement and understanding. It’s OK as an individual and even as an organisation to be confused about cyber security. We see endless headlines about data breaches and hackers, and we hear changing and conflicting advice about what we should and shouldn’t be doing, all while technology and cyber risks are evolving.

To navigate this, it is important to lean on your security team, whether internal or third party, who can explain your organisation's exposure clearly. This is where you need not be afraid to say that you do not understand. Your professionals can explain in a way that works for you as an individual: they can compare the situation to familiar themes or other areas of the business, and weigh not just the impact of a threat but its likelihood.

Not all hackers wear hoods

Common misconceptions, widely reported and shared online, have contributed to the confusion around cyber. The biggest one in my experience is that a cyber-attack is usually initiated by a hooded individual in a dark room, furiously tapping away at a keyboard and writing incredibly complex code. In reality, what tends to occur is that credentials stolen in one breach are listed for sale on the dark web. Someone buys them and tries them against other services to see whether the same email address and password have been reused (so-called credential stuffing). No real hacking is involved in gaining a foothold or entry point to your infrastructure; the attacker exploits a human habit, password reuse, rather than a software flaw.
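The credential-stuffing pattern described above leaves a recognisable trace in ordinary authentication logs. The Python below is an added example, not code from this article or from Cantium: the `src=`/`user=`/`result=` log format, the sample lines and every threshold are constructed for illustration and should be adapted to your own identity provider or VPN logs. It separates a replayed breach list (many distinct users, roughly one attempt each, almost all failing) from plain password guessing against one account, and lists the accounts that logged in successfully during the burst, which are the users who reused a password and need a reset.

```python
"""Spot credential-stuffing bursts in authentication logs (constructed example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed log format for this example: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
EPOCH = datetime(1970, 1, 1)


@dataclass
class Finding:
    src: str
    window_start: datetime
    kind: str                 # "credential_stuffing" or "brute_force"
    attempts: int
    distinct_users: int
    failures: int
    compromised: list[str] = field(default_factory=list)  # users who logged in OK during the burst


def parse(lines):
    """Turn log lines into (timestamp, src, user, result); malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect(lines, window=timedelta(minutes=10), min_attempts=20,
           min_failure_rate=0.8, min_users=5):
    """Flag sources whose failures within one time bucket look like stuffing or brute force.

    Thresholds are assumptions for the example; baseline them against your own traffic
    (an office NAT gateway legitimately shows many users behind one source address).
    """
    buckets = defaultdict(list)  # (src, bucket index) -> [(ts, user, result), ...]
    for ts, src, user, result in parse(lines):
        buckets[(src, (ts - EPOCH) // window)].append((ts, user, result))

    findings = []
    for (src, idx), evs in sorted(buckets.items()):
        attempts = len(evs)
        failures = sum(1 for _, _, r in evs if r == "FAIL")
        if attempts < min_attempts or failures / attempts < min_failure_rate:
            continue  # normal traffic, or too little of it to judge
        users = {u for _, u, _ in evs}
        # Many distinct users, each tried about once -> a replayed breach list.
        # One or a few users hammered repeatedly -> password guessing against those accounts.
        kind = "credential_stuffing" if len(users) >= min_users else "brute_force"
        compromised = sorted({u for _, u, r in evs if r == "OK"})
        findings.append(Finding(src, EPOCH + idx * window, kind,
                                attempts, len(users), failures, compromised))
    return findings


def sample_log():
    """Constructed sample: one stuffing burst, one brute-force run, normal office traffic."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # 203.0.113.5 replays 25 leaked username/password pairs once each; two users reused theirs.
    for i in range(25):
        user = f"user{i:02d}"
        result = "OK" if user in ("user03", "user17") else "FAIL"
        lines.append(f"{stamp(base + timedelta(seconds=3 * i))} src=203.0.113.5 user={user} result={result}")
    # 198.51.100.7 guesses 30 passwords for a single account.
    for i in range(30):
        lines.append(f"{stamp(base + timedelta(seconds=2 * i))} src=198.51.100.7 user=admin result=FAIL")
    # 192.0.2.10 is an office NAT: a few people logging in, one mistyped password.
    for i, (user, result) in enumerate([("carol", "OK"), ("dave", "FAIL"), ("dave", "OK"), ("erin", "OK")]):
        lines.append(f"{stamp(base + timedelta(minutes=i))} src=192.0.2.10 user={user} result={result}")
    lines.append("this line does not match the format and is ignored")
    return lines


if __name__ == "__main__":
    for f in detect(sample_log()):
        print(f"{f.src} from {f.window_start:%H:%M}: {f.kind} ({f.attempts} attempts, "
              f"{f.distinct_users} users, {f.failures} failures); "
              f"reset these accounts: {f.compromised or 'none'}")
```

The distinction matters for the response: a brute-force run is contained by locking or rate-limiting the one targeted account, whereas a stuffing burst means every account that succeeded is already compromised and the fix is a forced password reset plus multi-factor authentication, not a lockout.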

The main obstacle teams face in admitting that their defences fell short is the financial implications. Customer perception of the business may change and could result in a reduction in revenue. There could be fines from the Information Commissioner's Office (ICO). There could also be further investment required to react to the incident and bolster cyber defences.

Managing fear and uncertainty

Education and awareness can reduce the stigma associated with cybercrime and breaches. Cyber security teams are responsible not only for the defence of the organisation but also for being its source of truth. It is our responsibility as a team to escalate the right risks for acknowledgement and decision-making, and also to assure the organisation that day-to-day operations can respond when something happens.

For example, a CEO who reads about a Check Point zero-day attack and knows the business uses Check Point products should be aware that their team produces a weekly executive security report, and that processes and procedures are in place to react to zero-days. They can therefore review that report with confidence, address any concerns, and decide whether further information on the risk is needed.

In the UK, we are lucky to have the National Cyber Security Centre (NCSC), the public-facing part of GCHQ, the UK's intelligence, security and cyber agency, which actively works with organisations to raise awareness of this issue, to help businesses navigate incident response, and to share best practice.

As well as this fantastic resource, there are proactive steps individuals and organisations can take to reduce their vulnerability to cyber-attacks before they occur. This comes back to acknowledgement and education. We need to move away from cyber security being a complex and hard-to-navigate area. Here is what we need to focus on to improve our awareness:

  • Education on phishing and what ALL your corporate login pages look like.
  • Protections on email systems and changing email habits; education on why we should pause before sending and run through a security checklist.
  • And very importantly, invest in your cyber defence tooling, understand your exposure and the steps as an organisation you need to take to protect citizen or customer data.

Fail to plan and you plan to fail

There are potential long-term consequences for departments that delay investing in cyber security until after experiencing a breach, particularly in terms of reputational damage.

For public services, one of the worst-case scenarios is a lack of trust. You’ll see your relationships with your end users quickly disappear, and your organisation will soon be viewed in a negative light.

And this is just the worst-case scenario for the service itself. If you are an executive responsible for the posture of the service, or you are an employee working for this organisation, you are then met with negative bias in interviews or other developmental opportunities.

While cyber threats continue to evolve, we are also constantly learning about new ways to protect our digital assets. So the only way we are going to combat future attacks is through education and awareness, and that support will come from your professional security team.
