Cyber security : Developing a pro-active culture Photo : MindForest 

Cyber security : Developing a pro-active culture Photo : MindForest 

In 2018 every second company in Luxembourg was targeted by a phishing attack or malware infection, making cybercrime the 2nd most reported economic crime. In the next 24 months, 43% companies expect to be subjected to an attack. Faced with such threats, firms can neither afford to remain ignorant nor avoid taking precautions.

What is cybercrime ?

In step with digitalisation, cybercrime is multiplying and it is almost inevitable that one day a company’s website will be hacked, emails blocked or information leaked.

Cyber threats fall into three categories :

• Attacks on confidentiality: Stealing a personal identity, bank account details or credit card information.

• Attacks on integrity: Consist of personal or business sabotage/leaks exposing data and influencing the public to lose trust in the organization.

• Attacks on availability: Blocking users from accessing their data until they have paid a fee or ransom.

The consequences are an evolving danger to organisations, employees and customers, as an attack can result in activity interruption, loss of trust and customers and even lead to business closure.

Human Hacking: Social Engineering

“Social engineering” is a newer trend, which exploits the common weakness found in companies: human vulnerability and psychology to bypass security systems.

To give an idea of social engineering and how quickly a company can become a victim, here are five common forms : 1. Phishing: To obtain personal information by using link shorteners redirecting to suspicious but apparently legitimate websites, incorporating threats, fears or urgency to provoke a reaction. 2. Pretexting: Creating a pretext or scenario to build a sense of trust to then steal the target’s data or gaining access. 3. Baiting: Similar to phishing yet distinguishes itself by promising an item that the hacker uses to entice the victim(s). 4. Quid Pro Quo: A benefit is promised in exchange for information, a malware installed or passwords obtained. 5. Tailgating: A non-authorised person follows an employee into a restricted area, often impersonating a delivery driver or similar.

The main flaws in organisations

One problem is the lack of high IT security levels , even if management has become more aware of cyber threats and has installed protective technical solutions, but today most cybercrime is due to human error. An effective cyber security plan should not only rely on technology, but also on people making smart prevention choices. Consequently, a continuous information campaign directed at all employees and externals informing them about the challenges linked to cyber security is at least as important as the technical IT defence system.

The implementation of an extensive sensitisation plan needs to be accompanied with change management techniques to make employees understand the importance of cyber security, as well as their specific roles in protecting every type of data.

The human side of cyber security

At MindForest we believe that the only way to achieve success is by putting the human being first. This also applies when changing towards a cyber-safe environment.

Creating awareness is an ongoing process with attributed ownership and every MindForest project is analysed and tailored to meet the client’s requirements. A healthy mix of periodic and on-going actions are imperative to anchor a sense of cyber-safety and create winning habits. The periodic actions aim to raise awareness of security issues, while the carefully engineered cyber-safety community puts emphasis on developing ongoing actions for long-term training, understanding and prevention. Each step of the process involves real time examples, commitment and ownership to ensure comprehension of the company’s cyber-strategy.

Education and awareness are priority

Even though cybercrime is the 2nd most reported economic crime, many companies do not perform cyber-security due diligence nor have formulated training measures and awareness plans. However, everyone is at risk and it is crucial to include both technical and human measures in the preventive and post attack plan, as “humans are the first vector of cyber-attack and ideal prey for malicious individuals who want to compromise an organisation”. This factor is difficult to assess and the company culture and strategy needs to support a “cyber-safe” mentality. Only through preparation, training and greater awareness can habits be changed towards a culture of caution and alertness to identify and prevent misconduct by malicious hackers.

https://www.pwc.com/gx/en/forensics/global-economic-crime-and-fraud-survey-2018-summary-infographic.pdf [18.09.2018] WIRED Magazine, “The CIA secret to cyber security that no one seems to get,” December 20,2015. https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/ [08.09.2019] Kissel, Richard : https://books.google.lu/books?id=raLtcBTjYuwC&printsec=frontcover&hl=de&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false [15.09.2019] https://www.pwc.com/gx/en/forensics/global-economic-crime-and-fraud-survey-2018-summary-infographic.pdf [18.09.2018]