Here’s What Mike Had To Say…
Recently, cyber security has risen to the top of the agenda for almost all businesses because of the increasingly frequent headlines about malware attacks, such as the WannaCry incident which impacted the NHS heavily, and the modern reliance on mobile working and flexibility.
Despite many business owners becoming increasingly aware of cyber attacks, many companies are still unaware of a threat much closer to home: their employees.
These threats are very real, and although business owners are investing heavily in new security infrastructure and software, there is a lack of investment in education and awareness amongst employees.
Chess' Own Journey
It took Chess 12 months of learning about our own cyber security and applying our findings to make improvements within our own business. Now we’re delighted to be in a position to offer our services to help others.
Cybersecurity is essentially a set of practices, measures and actions taken to protect personal information and IT systems from attack.
The three pillars of cyber security are:
- The technology (the IT department)
- The process (compliance)
- The people (the end user)
For cybersecurity to work effectively, all three pillars need to be robust and work together. Often the ‘people’ pillar is the weakest of the three and the most vulnerable to attack.
One comparison to this is in the car manufacturing industry. New cars come with a host of security and safety features such as airbags, crumple zones and forward collision warnings. These features sit within the ‘technology’ pillar. New cars come with manuals, instructions and demonstrations on how to use these features - this is the ‘process’ pillar. The driver of the car is the ‘people’ pillar and, ultimately, it’s the driver that crashes the car.
Cyber security is the same. The business can put all the checks and balances in place, but often it’s the end user that compromises the security of the business.
The most common type of cyber risk is from ‘phishing’ attacks. Today, 91% of all data breaches are due to employees responding to phishing attacks.
25% of all phishing emails sent to an organisation are actioned by an employee. The word ‘actioned’ is key. Opening and reading the email does not pose as much of a risk. ‘Actioning’ the email refers to clicking on a hyperlink or opening an attachment. This is the point that could either trick an employee into visiting a fake site or installing malicious software onto their device.
Once a phishing campaign is distributed by the cyber criminal, typically the first victim actions the email within two minutes.
In 2016, with the number of cyber attacks on the rise, Chess decided it needed to test its own cybersecurity and compare the results with the figures above.
Casting The Line
In May 2016, Chess launched its first simulated phishing assessment to gauge how good we were at identifying phishing emails. We sent an email to our People, inviting them to change their password immediately by clicking the embedded link, which was an unsecured URL – an action that if done for real, could have landed us in hot water with the authorities and our customers. As a tech business, we were confident we’d score full marks.
What we didn’t count on was that 28% of our People would activate the link. Our first person to activate the link did so within 46 seconds. We were above the national average, and a lot quicker than average at actioning an email.
We needed to act, so we rolled out a programme to bolster our own internal systems and procedures. The Chess Cyber Awareness Training Programme was born.
What the first test told us was that our people were not aware of the security risks and how a simple email could leave the business vulnerable to attack.
Poor password management, insecure use of social media and opening unsolicited emails can all trigger a breach in cyber security, while remote working can lead to failures through the loss of physical devices such as DVDs and USB sticks. This gave us a focus and awareness of the topics our people must be aware of.
The first step we took was to roll out mandatory Cyber Education & Awareness Training for all our people. The sessions typically lasted 1.5 hours and were designed for small groups to make it more personal. They were highly interactive and included a short test at the end.
All our people had to attend a session within a certain timeframe and all new people attend a session within the first week of joining the business.
The aim was to highlight that users have a critical role to play in helping to keep the business secure, but they must also be able to effectively do their jobs with the right tools. We wanted to establish a security conscious culture.
Email still provides a primary path for internal and external information exchange.
Here are a few tips on how to identify a phishing email:
Often the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address. If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar and legality. So, if a message contains poor grammar or spelling mistakes, it probably didn't come from a legitimate source.
Check the full email address of the sender – you can’t rely on the name that appears in your inbox.
You have received an email message informing you that you have won the lottery! The only problem is you never bought a lottery ticket. If you get a message informing you that you have won a contest you did not enter, you can bet that the message is a scam.
Although most of the phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it's probably a scam.
To avoid clicking on links embedded within emails, visit the site by entering the web address into an internet browser. View your account or profile to see if any changes have been made, as suggested within the phishing email. If nothing has changed, this will confirm the email was a scam and can be deleted.
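The hover-to-check, sender-address and unsecured-link points above can be turned into a simple screening tool for a mailbox filter or a training exercise. The following is an added example written for this page, not Chess’ code; it runs on two constructed messages with hypothetical domains and flags each tell it finds.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def _domain(text):
    """Host of a URL (or bare hostname), reduced to its last two labels."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return ".".join(host.lower().split(".")[-2:])
def find_phishing_signs(raw_message):
    """Return a list of warnings for one RFC 822 message with an HTML body."""
    msg = message_from_string(raw_message)
    # Use the real From address, not the display name shown in the inbox
    sender_domain = _domain(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1])
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    warnings = []
    for href, shown in collector.links:
        if "." in shown and _domain(shown) != _domain(href):   # hover-to-check tip
            warnings.append(f"link shows {shown!r} but goes to {href!r}")
        if _domain(href) != sender_domain:                     # link leaves sender's domain
            warnings.append(f"link {href!r} leaves sender domain {sender_domain!r}")
        if urlparse(href).scheme == "http":                    # the 'unsecured URL' case
            warnings.append(f"link {href!r} is not HTTPS")
    return warnings

# Constructed samples (hypothetical domains): a fake password-reset lure, then a clean notice
LURE = """From: IT Helpdesk <helpdesk@chess-support.example>
Content-Type: text/html

<p>Please <a href="http://login.chess-support.example.net/reset">
https://portal.chess.example/reset</a> to change your password immediately.</p>
"""
CLEAN = """From: IT Helpdesk <helpdesk@chess.example>
Content-Type: text/html

<p>See <a href="https://portal.chess.example/news">the latest news</a>.</p>
"""
```

Running `find_phishing_signs(LURE)` returns three warnings (mismatched display text, link outside the sender's domain, plain HTTP), while `find_phishing_signs(CLEAN)` returns an empty list.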
Once our people knew what to look out for they were able to act accordingly and change our ways of working.
We didn’t exclude anyone from these tests. Cyber criminals will often target members of the Board of Directors and Senior Management Team, so we included these people in our tests to ensure they know what to look for.
One way of making sure your People keep engaged with cyber security is by using posters. A poster with the right message can be an effective and an inexpensive way to communicate with your people. Posters can be displayed almost anywhere and this means there are many places to draw a captive audience. For example, waiting rooms, shared communal areas, or receptions are great places to display posters.
And inject a little humour into your posters - this will always encourage engagement with the audience.
Office 365 users will be familiar with Yammer. It's a social networking service used for private communication within organisations. At Chess, we have a dedicated Yammer page that informs our people of the latest cyber security news, and we have regular blogs on our website that people can read and keep up to date with the latest products or events for our customers.
Chess’ security culture doesn’t just focus on social engineering. Another major part is the physical security of our business, including:
- A clear desk policy
Improving user awareness was an integral part of our security strategy, especially in an age of unforgiving consequences resulting from ransomware and large corporate data leaks.
The core message we’d like you to take from our own cyber security journey is that education is key to creating a solid cyber safe environment. It’s taken us more than 12 months to get to the level of security awareness we needed and now we want to share our learnings to help our customers.