If the Covid-19 pandemic had taken the world in its grip in 1990, how would that generation have responded to the crisis? There would have been no Teams platform to keep businesses running, no family WhatsApp group chat to maintain social contact, and certainly no TikTok videos to while away the hours in lockdown.
We’ve been forced to stay apart physically, but technology has allowed us to remain together virtually. It has truly shown its worth over the past year – particularly to cybercriminals who have discovered that our existence in the online world is a lucrative hunting ground.
The switch to online activities and people working remotely led to a surge in cyber-crime in 2020, with an estimated 80% of businesses reporting a rise in attacks.
It is believed that one cyber-attack took place every 39 seconds last year: cloud-based attacks increased by a staggering 630% in the first quarter with phishing attempts up by 600%.
This tells us in the most unequivocal terms that cyber-crime is no longer only a problem for multinational corporations or those in possession of high-value intellectual property. In fact, small and medium-sized enterprises are often a target for hackers, who see the supply chain as an easy and profitable route into large organisations.
Companies of all sizes – and operating across all sectors – need to seriously consider how they keep their IT systems and data safe as we continue to drive forward with the digital transformation agenda and remote working becomes the new normal.
At Mintra, we are fortunate to have access to our suite of online training courses, including cybersecurity awareness. Our cybersecurity eLearning course is applicable to all business personnel who need a general awareness and understanding, but do not require detailed in-depth information on dealing with threats.
I acted as the subject matter expert for the course content, but I recently found myself on my own learning journey when Mintra decided to undergo assessment for Cyber Essentials Plus certification.
Cyber Essentials Plus, a UK Government initiative, aims to demonstrate a company’s commitment to the security of its IT systems and data. The process involved a rigorous external audit: staff within the IT department were interviewed, and auditors tested our processes and randomly selected devices for physical verification.
Gareth Allan, Group IT & Service Delivery Director
We passed all the requirements with flying colours and while that gives us and our customers an assurance that we are adequately set up to prevent a cyber-attack, it gave me cause to reflect on how cyber security has changed over the years.
Most organisations are aware that their first line of defense – their people – is often the weakest part of the security chain. Indeed, this is borne out by 2020 statistics which show that fewer than one in 20 breaches exploit system weaknesses.
Many system breaches are achieved through social engineering – when cybercriminals use people within your organisation to unwittingly help them gain access to your networks. It works in the virtual world the same way as it does in the real world: criminals manipulate people in such a way as they give up information including passwords and commercially sensitive data.
This tactic may not tie in with the Hollywood image of a hacker using sophisticated computer equipment to breach security, but it’s the reality. It’s far easier for cybercriminals to exploit our nature to trust than it is to put time and effort into hacking a network.
And, of course, there’s the good old-fashioned phishing scam where a member of staff is sent an email and encouraged to click on a link or attachment. In many cases, the link or attachment delivers a virus or enables malware to be installed on a PC. Quite often the emails may appear to come from a genuine source, such as a customer or supplier.
It’s estimated that around 19% of the subject lines in phishing emails appeal to employees’ desire to be compliant with cybersecurity – for example, a request to perform a password check – while 16% relate to orders with online retailer Amazon. Offers for free goods account for 10%, while those purporting to come from online banking make up 8%.
Despite human error being the root cause of many breaches, statistics would suggest that only 20% of businesses provide dedicated staff training on the theme of cybersecurity.
It’s a risky strategy. Medium and large firms put the average cost of a cybersecurity breach at £5,220. That’s not a figure you would happily write off when the expense could have been avoided, but most companies can absorb the cost and chalk it up to a bad experience.
But, really, what is the actual cost to your company’s reputation? Have you considered the consequences of having to contact a customer to inform them their sensitive data may have been compromised? It’s difficult to win back trust and the cost further down the line is going to be lost revenues.
Investment in education, helping your staff to identify potential cybersecurity risks, should be a fundamental part of any mitigation strategy. Indeed, earlier this year the International Maritime Organisation (IMO) officially called for maritime companies – one of our largest customer sectors – to address cyber risks in their systems and this resulted in an upswing in demand for training.
The auditor assessing our Cyber Essentials Plus certification noted the training that we provide to all Mintra staff, including regular testing and mandatory training when our people cannot identify simulated security threats.
But we recognise that even when people are aware of the risks, mistakes still happen. That’s why we have robust additional measures in place to protect Mintra when the first line of defense fails.
Using extra security such as antivirus software and endpoint protection gives that further layer of confidence that, even when an employee clicks on a link in a suspect email, our systems will not be breached.
The Cyber Essentials Plus audit justified the investment and focus that we have put on our IT and data security in the past two years. Although we have a very high level of knowledge and understanding in our team, we simply cannot know it all and to have that partner endorsement – an extra set of eyes scrutinising our measures and verifying that they offer protection – was very important to us.
Any organisation that recognises the need for adequate cybersecurity and the growing threat posed by cybercriminals should invest in an audit. Knowledge is power – it is only by identifying the weak points in your systems that you can begin to properly address them.
It’s thought that around half of all businesses have carried out an internal or external audit in the past year, but the quality of the process varies greatly. Some, it seems, are part of a broader financial audit that does not actually examine cybersecurity in depth. Be careful not to pay lip service to it.
We now hold Cyber Essentials Plus accreditation, which is the higher-end audit available within the scheme. A great starting point for any organisation new to the process is the entry-level Cyber Essentials certification. This does not involve external auditors carrying out a hands-on investigation, but it does demonstrate a commitment to good cyber health.
More than that, the certification is something that many companies and the UK Government will look for when selecting a future partner or supplier. Dedicating the time and effort needed for the audit makes financial sense on so many levels.
For Mintra, the success with Cyber Essentials Plus is a stepping stone towards bigger things. Our next target is to achieve ISO 27001 certification for Information Security Management Systems – an even more in-depth assessment of our IT and security processes against internationally recognised standards.