Cyber security and the weakest (human) link

On Wednesday afternoon I found myself halfway up The Shard in the Shangri-La hotel, with a couple of guys, hacking a retail site and discussing ways of exploiting SMEs and their employees to access their IT systems.

No, I’ve not had a career change, I was merely spectating the work of ethical hackers from Pentest, who were demonstrating the vulnerabilities of websites and public Wi-Fi. The ‘white hats’ were just two from a roster of presenters at the Unlocked London event, part of the city’s Tech Week, which closes today.

The conference focussed on cyber security, a topic which has topped the news agenda in recent months. From the 2016 hack of Hillary Clinton’s email account, to the WikiLeaks revelation that the CIA can spy on you via your TV and most recently the WannaCry attack which affected NHS trusts across the UK; hackers seem to be showing no signs of slowing down. As Graham Cluley, blogger, author and security analyst, said at the event, “attackers are becoming more audacious and have no qualms about who they target.”

It’s not just the big players who these cyber crims are out to exploit, as SMEs are now also a major target, as Paul Harris from Secarma pointed out. And just as everyone is a potential victim, anyone can be a hacker too. The ethical hackers who demoed the ease of access to supposedly ‘secure’ websites weren’t clad in hoodies and balaclavas, operating from some Russian outpost. The hacking process, they said (or rather to paraphrase), was pretty mundane, with none of the noir and mystique seen in Hollywood films and TV shows. It is also a process which seemed not to require a hugely in-depth knowledge of IT. External forces pose a threat, but bear in mind too that employees –even with only a lay understanding of tech and perhaps with a grudge to bear – can also be a cyber security risk. As Cluley said: “Cybercriminals are not geniuses; they don’t have to be. We’ve made it too easy to succeed.”

WannaCry, for instance, highlighted how outdated many NHS systems are, whilst the live hack at Unlocked demonstrated the inherently insecure nature of the online domain. Perhaps of most concern though – and a major takeaway from the event – is the culture which pervades many businesses and means the employees, rather than the tech, form the weakest link.

Dr Jessica Barker, a world-leading expert on cyber security, drew our attention to the human side of cyber crime, and how criminals take advantage not only of technological weaknesses but attributes of and ‘flaws’ in human nature. Humans have both a logical and curious side, and it’s the latter which has opened up many individuals and businesses to exploitation. Phishing emails, for example, are designed to persuade recipients to give up personal information such as bank account details. Many scams have succeeded by playing on the curious, trusting nature of individuals, using language which is emotive and immediate.

Other attacks use targeted social engineering fraud, whereby information is gathered on an individual, a relationship is built up, and vulnerabilities are then exploited for a criminal’s gain. Cluley used the example of a new starter at a business receiving an email from their CEO – read, hacker – and giving up sensitive information, as a result of a culture of “not being able to say no to the CEO”. I joined Babel just six months ago, and doubt I would have asked too many questions of an email from the boss!

Again, it doesn’t take a genius to execute these attacks. Cluley even pointed to an online database where hackers can find all the required information to launch such a scam: when I started Babel, who the CEO is, the agency’s style of language and the subject matter the email could contain. This database isn’t concealed in the depths of the Dark Web: it’s called LinkedIn.

Unlocked London wasn’t all scares and warnings though, as presenters also offered sound advice on how to reduce instances of cyber breach. Yes, ensure that technology is deployed to protect and harden systems against attack, but more importantly, said Martin Knapp from Secure-IA: “Train your staff, as education is key.”

Both employees and the IT security industry need to communicate with IT users in accessible language, outlining how both tech and humans present weaknesses. Security isn’t something which operates separately, siloed from an organisation and office life. Cluley’s concluding words summed this up well and provided a lesson for all businesses: “Every member of your team must also be part of your security team.”