Updated: Jul 16, 2019
This Tuesday, I was fortunate enough to attend an ICAEW event (promoted by Australian and New Zealand Accountants in London) at Mazars. The event focused on Cyber Security, with the key speaker being Neil Sinclair from the London Digital Security Centre. Neil drew on his bucketload of experience relating to Cyber Security, which made for a very insightful evening.
The night was interesting (and scary), and focused on security awareness at home and at work. A couple of key takeaways from the evening (in my opinion) are:
Patching, firewalls and general website security
Not only does GDPR require businesses to have up-to-date patching and firewalls (amongst many other components), but it's essential that these are in place to ensure hackers simply cannot take your data. The point was made that any patching updates (and even upgrades to your phone) should be done within the first 12 hours of the patch being released. After 12 hours, the hackers generally know what vulnerabilities exist, meaning we are more exposed.
Within the workplace, a general website scan can quickly show some security vulnerabilities. Companies such as Qualys offer a free website scan to show what vulnerabilities exist on your websites (https://www.qualys.com). These provide a great starting point, but should be used with caution as the results can be made public (depending on which checkbox is selected).
Apparently the old ‘change your password regularly’ rule has now changed, and new guidance has been issued. Guidance relating to passwords can be read here: https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks. A great suggestion raised during the evening was that IT should be providing new users with a password, rather than a generic “p@ssw0rd” and forcing people to reset it. A longer password (16 characters) including a ‘space’ is a more secure password, and if forced upon the end user by IT (i.e. the password cannot be changed for a month), people will generally find a way to remember the monster password. A great activity played during the night resulted in anyone with a vegetable followed by a number as their password having to stand up. To my surprise, half the room stood up. Neil pointed out that with your user name (which is generally your email and is on your business card), and a few minutes guessing vegetables and a number, there is a good chance hackers would be able to access some of your accounts online.
Bring your own devices (BYOD) and work from home
Obviously, being able to use your own mobile to access emails, and working from home (i.e. Office 365), poses a lot of risks. The first is encryption. Mobiles should be encrypted if you want to access emails on them. For instance, some companies will force employees to download a specific app which will encrypt your phone if you want to access work emails on your own device. Other companies limit the risk by issuing a phone which is already encrypted before it is provided to the employee. Alternatively, just don't let employees access emails or other work-related information from their own personal device. The bring your own device and work from home risk was further highlighted when it was mentioned that, when accessing a public network (i.e. Starbucks), there is a risk that someone dodgy may also be on that network, or that you have joined a ‘fake’ Starbucks network. This leaves individuals and businesses open to someone tapping into your device and stealing documents or data.
As a starting point, it would be highly recommended to check current company policies and rules regarding working from home and bring your own device.
A fellow attendee asked, “How do we encourage good Cyber Security behaviours amongst employees?” It was mentioned that every second Friday, workplaces generally test the fire alarms, and if your workplace is very safety conscious, you may even have a mock evacuation once or twice a year. Generally, most people will never be involved in a workplace fire, but we still test for it. So why don’t we test Cyber Security? Phishing emails are a great start as a test, but we should also be testing things such as ‘fake networks’ to see who joins them, and monitoring people who are signing up to sites with their work emails as opposed to personal emails.
Obviously, these are just a few key points which were raised during the event. Overall, it was a really informative evening and I would highly recommend attending a similar event in the future.