A few years ago I was stand-in news editor for a computing publication which had better remain nameless. I was asked to go and check the regular person’s database of press releases for stories. It was inaccessible unless you had the password, so I just tried p-a-s-s-w-o-r-d. I was in immediately.
It wasn’t a problem as the organisation wanted me to have the information, but what if it hadn’t? What if I’d been in HR or finance instead, and had malicious intentions? Presumably that little hole has been plugged by now, but it’s indicative of the sort of managerial rather than technological issue people can face if they’re not careful. The Cyber Security Challenge UK laudably highlights the talents of young people when it comes to working out means of protection, and the excellent progress of the Gsec team from Gibraltar is promising. However, two things stand out as needing to be addressed: first, the extent of the problem, and second, the basic errors people like my ex-client still make.
The extent of the problem is hard to pin down when you’re in the press. Walk into a room full of CEOs and ask who’s been hacked and, regardless of the truth, nobody is going to confirm it’s happened to them because nobody wants it publicised. This is reasonable enough, and when someone like Sony a few years ago or Ashley Madison more recently suffers cyber-attacks you can be sure these are just the ones the press has heard of. There is other data, though, to suggest the issue will continue to grow. This article is being published on Tuesday 9th February, designated Safer Internet Day, and to mark it security company Kaspersky Lab has published research that suggests 12% of 16- to 19-year-olds in the UK know someone who has done something illegal on the Internet; 35% would be impressed if a friend hacked into a bank’s website and replaced the homepage with a cartoon, and one in ten would be impressed if a friend hacked into an airport’s traffic control systems.
There wasn’t any data on how many teenagers would say any old thing to shock a researcher. However, the first point is the most salient – over one in ten suggest they’ve seen someone do something illegal electronically. So, if you’re a business owner or just concerned about your security it’s just as well to ensure that a number of previous clangers don’t affect you.
Security is far from just electronic. A handful of things can go wrong because staff haven’t been briefed:
You protect all electronic copies of every sensitive document and someone prints one of them out – and leaves it on the printer for an hour before picking it up. Or leaves it in a hotel lobby, on a train… All of these things have happened, and hard copy print isn’t protected or encrypted.
You have visitors to your company and one of your employees nips to the loo. This is fine as long as their screen saver covers anything sensitive pretty quickly, and as long as the screen saver is password protected so someone wiggling the mouse or pressing a key won’t be able to get at all the details.
Pet names, partner names and the word “password” have never been good passwords and it remains poor practice to keep the default PIN that came with your phone’s voicemail.
Finally, back on the technology side, if you have a small network and it’s big enough to have a network administrator, don’t forget to ensure their administrator password is changed frequently and not easy to guess. There have been instances in which this hasn’t been done, and that password controls the system that can change all the other passwords and lock you out.
A lot of it is common sense. The Gsec team will be looking to defend people from more sophisticated attacks – but never overlook the obvious.
The New Statesman will be publishing a supplement on Cybersecurity in the issue dated 26 February.