Cyber-security for know-alls
By Anita McCullough. Anita worked as a content designer in the Department for Education’s Cyber Information and Security Division during 2023-4. In this guest blog, she shares insights and practical tips about cyber-security, and how best to keep your organisation and teams safe.
We’ve been working hard at Nexer Digital to raise awareness of the myriad ways that we may suffer at the hands of increasingly determined adversaries seeking to target systems and data sources. We’re no different to any other company, so there are no particular reasons why we may be especially at risk. We have infrastructure, personnel, worth - and data.
2023 saw a 72% increase in data breaches since 2021, which held the previous all-time record. In recent news, we’ve seen stories about cyberattacks leading to critical incidents in NHS hospitals, National Records of Scotland (NRS) data being published by hackers, and warnings after a spate of cyberattacks in Guernsey.
Data has intrinsic value, and the smooth functionality of IT systems has never been more important to, well, staying in business. The message is simple: as malware and ransomware keep evolving, so must our capability to outwit and deter adversaries and to enact a well-rehearsed response plan that makes them go elsewhere or, at the very least, ‘slows them down’.
Our people matter. So do our people defences
I’ve heard it said the biggest risk in the cyber-security space is ‘people’. But what does that mean? As with anything to do with people, it’s both simple and complex. It goes beyond the threat of a system being brought down by the meddling of a former administrator holding passwords that no one has thought to change since their departure. It actually goes more like this:
- Staff training in cyber-security is inconsistent (or non-existent) and insufficiently funded
- Individuals’ understanding of their own potential role as an attack enabler (being an easy way in, in other words) is insufficiently emphasised
- Complacent haste: many are unjustifiably confident about the security of their company systems, often ‘too busy’ to think twice about something that doesn’t look right
- Staff not being alert to the way phishing campaigns are changing in presentation and unaware that they’re not always lurking only in emails
- Staff not knowing about the increased use of dodgy QR codes, MS Teams phishing and subdomain hacks to enter company systems
- People being unaware that their social media presence(s) could be access vectors to company systems, at least initially
The importance of ring-fenced, cyber-security budgets
We can all be better prepared, but it comes at a cost that often has to be argued for and that, after all, could end up in a budget stream that suffers cuts when finances are squeezed. The lesson? Separate cyber-security from IT system infrastructure spending, and don’t merge cyber-security into a cost centre where it could lose visibility. Indeed, according to Gartner, by 2026, 70% of boards will include at least one member with expertise in cyber-security.
And it’s not just government departments and not-for-profits that look attractive to cyber adversaries lured by the promise of easy pickings: local authorities, schools and health trusts are increasingly under threat. Councils across the UK reported a 50 per cent rise in cyber-attacks last year (2023) and in 2024, many of these are putting in cyber-defence systems worth 6-figure sums.
We’ve worked with the Department for Education’s cyber-security team and other partners, including the National Cyber Security Centre (NCSC), to develop cyber security standards for schools, colleges and multi-academy trusts. The standards are referenced in the Department’s ‘keeping children safe in education’ statutory guidance, where it's stressed that education settings are directly responsible for ensuring they have the appropriate level of security protection procedures in place to safeguard their systems, staff and learners.
These standards aim to help schools to adopt a more proactive approach to their cyber security by asking them to:
- Conduct a cyber risk assessment annually and review this every term
- Create and implement a cyber awareness plan for staff and students
- Secure their technology and data with anti-malware and a firewall
- Control and secure user accounts and access privileges
- License digital technology and keep it up to date
- Develop and implement a plan to backup their data
- Be aware of the procedures for reporting cyber incidents and attacks
These standards have been written for a non-technical audience, allowing senior leadership teams and others with accountability to better understand the actions required, and to work in partnership with their technical staff to do all that they can to protect their schools from cyber threats and to be able to respond quickly in the event of a disaster situation.
Making the attack surface smaller, and more manageable
Aside from the human factor, there are a few manageable risk streams:
- One of the most important is the vulnerability represented by deprecating or unpatched technology
- Another is having an erratic, unsystematic approach to managing detection
- The third is a lack of resource to keep machine learning rules bang up-to-date, things that would go a long way to protecting an IT system’s membrane
Simply telling staff that software updates are important may not be enough: a training video that demonstrates what could happen if they were not to let that time-consuming script run might turn out to be an important investment. And timely patching and a robust set of procedures for creating back-ups from which to enact recovery are the must-haves in any cyber-security response plan.
Retaining only the data you need is another sound principle, but storing everything in the cloud can’t be the only answer, as digital hygiene and awareness of your digital carbon footprint becomes more of an issue. It may just mean there’s more to keep an eye on.
Neither is everything safe from harm if you have it stored outside your own systems, because cloud services are increasingly targeted now: threat actors pivot from internal environments into the cloud – and back again, undetected. (Launching an attack from within legitimate software functionality in a company’s systems is called a ‘Living off the land’ attack. And it’s not just the ubiquitous and trusted tools, like Microsoft’s, that are being leveraged by the adversaries: Mac OS has its own equivalent in ‘Living off the orchard’.)
Keeping (everyone) cool - and aware of the form
If an organisation should suffer a cyber-attack, the coolest of calm and measured responses is called for, but that simply cannot be achieved without the kind of planning advocated by the National Cyber Security Centre which helpfully tailors recovery guidance and advice to organisations by their size and complexity. They’ve even thought about the welfare of staff involved in a cyber-security crisis.
This brings me to the business of reporting. Suffice to say that every minute counts if recovery from a malware or ransomware attack is to be achievable. Staff not only need to be encouraged (or even incentivised) to report suspicious behaviour in the cyber space, but it must also be easy for them to do it. So, if there’s just one online form that needs to be designed with due regard to an employee’s state of mind at the point of interaction, this is it.
We have a longstanding digital partnership with NCC Group, a global cyber security company trusted by the world's leading companies and governments. Much of our relationship has been focused on streamlining user journeys, so organisations can find the relevant preventative and incident services as seamlessly as possible.
A staff member ought to be able to make a report on a colleague’s behalf too, if their own device is compromised or stolen. In some organisations, there may be scope to use this process as a way of gauging awareness. Employees could be asked what kind of security incident has been observed and given some options – when in fact, all responses go to the same place. But this way, organisations would be able to see the way in which employees think about incidents, and how many are correct in their assumptions.
Where does AI come into all this?
According to the CISO report, 70% of company Chief Information Security Officers (CISOs) believe Artificial Intelligence (AI) gives the ‘advantage to attackers over defenders’, yet 35% are using it themselves for ‘malware analysis, workflow automation and risk scoring’. Other sources indicate that ‘at the moment’ it’s running about equal with regard to the balance between the value of AI to the criminal and its value to the potential victim of a cyber-attack.
AI appears especially important in digital resilience, allowing, they say, for better decision-making in the face of something like a costly data breach. But it comes with some limitations, especially in justification for use, because: ‘while humans can easily discuss their reasoning behind decisions, fully explainable AI doesn’t exist yet.’ (source: ‘How AI will usher in a new era of security and observability’, Splunk). Without a doubt, AI is powering digital resilience for those who have been able to harness it properly. Its ability to automate and reduce friction is palpable as certain (other) companies continue to wrangle, manage and monitor complexity using traditional digital defence methodologies - without the aid of AI. And digital resilience is just one aspect of it. There are numerous others.
Ever-moving and ever-careless targets
While gathering insight for a piece of content aimed at raising cyber-security awareness among the higher echelons of public life, I discovered more than I thought I needed to know about the evolving tactics of hackers. It’s that they’re lazy (no surprise there), but also that they’re opportunistic in the main; they always look for easy wins, and they can reasonably easily be deflected from their trajectories if they come up against forbidding barriers.
And although they’d seek to gain direct access to high-profile and influential individuals (and sometimes they do), hackers are increasingly targeting the tier below that. This means that they’re scouring the LinkedIn (and other social media) profiles of the private secretaries, administrators and executive support staff and, often, that’s where they’re finding the passcodes to the safe. It follows that, because ‘work IT kit’ is usually far better secured than anything we use that is our own property, the hacker’s enduring dream is that the VIP in question will do the one thing they really want them to: use their personal mobile to photograph or scan a fake QR code received on a work device, making a critical systemic jump that, in governmental or personal security-breach terms, hardly bears thinking about.
Take the training
Not so long ago, I received an invitation to take part in Nexer Group IT security awareness training, something which is obligatory for all of us and associated with Nexer’s ISO certification. It’s also vital to compliance with Nexer Group policies and aims to reduce our risk of being exposed to ‘intrusion, sabotage, malicious code and fraud’.
These exercises are both critical and salutary. I recall sailing through the first few sets of questions, getting the 100% correct scores I fully anticipated. But then came the faster-paced lessons, and I noted that I’d failed to categorise suspect domains and sub-domains quickly enough, these being almost traditional take-overs for cyber criminals (though they didn’t use to be).
Such aberrant clues are not easy to spot unless you’re looking for them. Yet, I was looking, and I didn’t immediately catch them in their suspect form. I needed this training. And so do you.
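The reason those domain and sub-domain clues are so hard to catch by eye is that the part of a host name that matters (the registrable domain, the bit somebody actually has to own) sits at the end, while a familiar name can be planted anywhere in front of it. The following script is an added example, not code from the original post or from Nexer; it classifies the host of a URL as trusted, look-alike or unknown against a small trusted list. The trusted domains, the sample URLs and the handful of public suffixes it knows about are all constructed for the example; a real tool would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Registrable domains the organisation actually owns (constructed for this example).
TRUSTED_DOMAINS = {"example-school.org.uk", "example-trust.co.uk"}

# Tiny subset of multi-label public suffixes; a production tool would use the
# complete Public Suffix List rather than this hand-picked set.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


def host_of(url: str) -> str:
    """Return the lower-cased host name of a URL, or '' if there is none."""
    if "://" not in url:
        url = "http://" + url  # let urlsplit treat a bare host as a URL
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The part of the host the sender has to own: the public suffix plus one label."""
    labels = host.split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1  # number of labels in this suffix
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    # Default: a single-label suffix such as .net or .com
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _squash(s: str) -> str:
    """Drop dots and hyphens so 'example-school' and 'exampleschool' compare equal."""
    return s.replace(".", "").replace("-", "")


def classify(url: str) -> str:
    """Return 'trusted', 'look-alike' or 'unknown' for the host in a URL.

    trusted    - the registrable domain is one the organisation owns, so any
                 sub-domain of it (portal.example-school.org.uk) is fine.
    look-alike - a trusted name appears in the host, but only as a sub-domain
                 or inside a label of a domain somebody else controls.
    unknown    - nothing familiar about it; still not necessarily safe.
    """
    host = host_of(url)
    if not host:
        return "unknown"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # e.g. "example-school"
        if trusted in host or _squash(brand) in _squash(host):
            return "look-alike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind an awareness quiz might show.
    samples = [
        "https://portal.example-school.org.uk/login",
        "https://example-school.org.uk.account-check.net/login",
        "https://exampleschool-login.net/",
        "https://example-schoo1.org.uk/",
    ]
    for url in samples:
        print(f"{classify(url):10s} {host_of(url)}")
```

Note the last sample: a digit 1 standing in for the letter l gives a host that contains no trusted name at all, so this simple matcher reports it as merely unknown. Character-substitution look-alikes need a separate check (for example, an edit-distance comparison against each trusted name), which is exactly why a trained eye, and a policy of not trusting anything that is not clearly on the list, still matter.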
So, next time your inbox drops you the invitation to take part in IT Security Awareness Training, don’t ignore it. You wouldn’t want to be the person who left the keys in the office door at the end of the day, would you? Well, there’s the equivalent in the cyber security world: if you leave a chink of opportunity for the cyber-adversary, they’ll be in stealing the company silver and all the goodwill that goes with it. It’s that serious.
___
Nexer Group has released a 2024 Report on cyber-security. While the report focuses on trends and public perceptions in Sweden, there are still useful insights contained that are applicable to the UK. You can register to read the report here.
Get in touch
If you would like to work with our team on your project, email us at hello@nexerdigital.com or call one of our offices: Macclesfield on +44 (0)1625 427718, or Cambridge on +44 (0)1223 626629