The easiest commodity to hack is people. That’s the blunt assessment of Stephen Haslett, Director of Cyber Investigations and Digital Forensics at security and resilience specialists Optimal Risk.
“Preparing to hack a platform, website or physical infrastructure requires lots of time, effort and money,” he says. “So, much like the way water runs, cybercriminals look for the easiest passage. And that often involves targeting movers and shakers in the C-suite, through social engineering.”
Getting to know you
Senior professionals, Haslett explains, typically have a corporate online presence in the form of a LinkedIn profile, together with other, publicly accessible social media accounts – plus occasional announcements or comments to the media. However, he points out, they will also have a personal presence – and the two are inextricably linked.
“People are creatures of habit,” he says. “That manifests itself in how individuals operate their digital devices and behave in cyberspace. By learning a person’s interests, behaviour patterns and, in time, vulnerabilities, cybercriminals can tailor their attacks very specifically.”
Haslett characterises that part of a modern hacker’s modus operandi – the methodical process of sitting, watching and observing – as a form of online surveillance. And that painstaking work only needs to pay off once. “If you’ve mapped out an individual’s digital footprint, then you’ve identified the significant themes in that person’s life: their family, where they live, which football team they support and so on,” he says.
From that knowledge, he notes, the hacker can then build out multiple permutations of what the target’s passwords to business-critical systems could be, how to craft an approach for a spear-phishing email, or how to dupe the target’s staff with ‘CEO fraud’-type emails designed to impersonate that individual.
“It’s slowly changing, but there’s still a tendency among people at the top, particularly in smaller organisations, to want to retain control of a company’s digital security,” Haslett says. “So, they have all the primary keys to the prison. But if you lose one of those keys, you have to change all the locks.”
Left to our own devices
From Haslett’s perspective, many of the threat vectors that companies are facing – for example, malware, viruses, Trojans and worms – are so recurrent that they have become almost traditional. So, businesses are increasingly having to deal with refined versions of those established foes, coupled with new angles of attack on the hardware side.
Internet of Things devices – which are hooked up to the web on a permanent basis, routinely interact with the people around them and process information in real time – are particularly challenging. “Look at smart speakers,” Haslett says. “There may be some attractive reasons for installing them in an office setting. But when you think about the amount of background chatter they pick up, they could pose a significant risk if not properly managed.”
In the post-pandemic world of hybrid working, keeping the reins on employees’ personal devices as they cross-pollinate between home and office is another major management hurdle. Compliance measures around that activity must be rigorous, especially when promoting a bring-your-own-device policy. This mirrors the risks associated with a crossover between corporate and personal online footprints, which shouldn’t mix.
Haslett points out: “A lot of companies I’ve worked with will set up a portal through which employees can use their own devices – with appropriate safeguards in place to satisfy GDPR requirements. In the context of hybrid working, it makes sense not only to provide staff with the flexibility to use their own devices, but to do so in a safe, controlled way.”
Looking at how the DNA of traditional threat types is evolving, Haslett notes: “Sophistication in the way these things are written is building all the time. With the advent of artificial intelligence chatbots, such as ChatGPT, you can put in a few simple commands and it will write you a zero-day exploit. That platform was trained with a dataset of about half a terabyte – but if it’s able to do that with such a small amount of basic inputs, that dramatically lowers the barriers to entry.”
Hive mentality
For companies great, small and in between, the stakes are vertiginous. “To survive as a business in the modern world, it’s vital to have some sort of presence online,” Haslett says. “As a result, your reputation doesn’t just depend upon what people say about you in local pubs, clubs or churches – it’s much wider than that. And once your online reputation has been damaged, it’s extremely difficult to restore.”
As such, defending against cyber threats must be a team effort, encompassing the entire organisation. It is important to act as one, Haslett stresses, adding that a company’s people are both potentially its greatest liability and its greatest strength, so it is essential to keep them on side.
Haslett urges companies to build a hive mentality around cyber security, whereby everyone understands the part they must play in keeping the business safe. “If you have too much security, you can’t use your systems,” he says. “Too little, and you’re open to attack. So, it’s about maintaining a balance. That effort requires the help of all your staff – and must be led from the top. I’ve conducted many digital threat assessments, and the best organisations are those that have sat down with their employees afterwards and explained to them how attacks on the business could happen through them. It has to be ingrained into the culture.”
Haslett recommends that businesses should carry out staff-wide simulations, drawing on the insights of specialists who can issue dummy phishing emails and coordinate other types of cyber drills. To support that, every company should put together a well-considered business continuity plan to address the fallout of any real attack, complete with allocated roles. And in the event a business has been attacked, the subsequent ‘lessons learned’ debrief should involve every member of staff, rather than being confined to the C-suite.
But the foundation of all those measures is strong, clear communication. “It has to be simple,” Haslett says. “You must use a common, direct language around these issues. If you’ve ever watched the Marvel series Loki, there’s a character called Miss Minutes who pops up to explain complex plot points about time travel in a really simple way. That’s the sort of approach you must take: cut through the tech speak and focus on the human impacts.”
For more information, book a slot on ICAEW’s virtual course for Managing Cyber Business Risk for Accountants. There are three available slots running in June, October and November this year – the price will vary depending on membership status.