Security in arms
Travelex discovered on New Year’s Eve 2019 that it had fallen victim to a cyberattack in the form of a computer virus. As a precautionary move, it took its websites offline. By 3 February 2020, the issue had not been resolved and Sainsbury’s Bank, Royal Bank of Scotland, Lloyds and Barclays, which use the Travelex service, were still unable to offer online currency services to their customers.
We don’t know how the Travelex cyberattack started, but the majority of data breaches can be traced back to an original phishing email, in which employees are targeted as a way to obtain data. But an organisation’s staff need not be a security problem, nor seen as its weakest link. They are in fact part of the solution and could be its greatest asset.
Here are some of the risks that a business needs to be aware of:
- Opening emails from unknown people. Staff should be trained to avoid clicking on links, or opening attachments or emails from people they don’t know, or companies with which they don’t do business.
- Having weak login credentials. Require staff to create unique, complex passwords of at least 12 characters, and to change them if they have been compromised. Password hygiene rules should provide that passwords, if written down on sticky notes, are at least kept in a locked drawer.
- Weak access controls. Set up tiered access levels, giving permission only to those who need it. Don’t provide employees with admin privileges. Close the accounts of departing staff on their final day.
- Poor controls over remote working or bring your own device. Every device should be password-protected. If a device is lost or stolen, have a point of contact for staff to report it to, and deactivate the device remotely. Software tools should be implemented to manage devices remotely, and staff should be warned not to use public Wi-Fi. Consider having some rules about printing at home.
- Not investing in employee wellbeing. Happy, committed staff are unlikely to turn rogue when it comes to cybersecurity. Discontented staff pose a clear security risk, especially when resigning or leaving the organisation.
JMW has launched a data breach helpline to guide clients through the early stages of an attack or breach – putting people in contact with specialist lawyers and IT forensics experts, who can guide them through the initial steps to take, 24 hours a day, seven days a week. However, we also work with clients to provide lunchtime workshops for their staff on how to surf the web safely, set up their own mobile phones and devices, and help their children to do their homework. Raising staff awareness about internet safety makes them less likely to click on unsafe links or succumb to phishing attacks or social engineering. Statistics prove that employees who have been through this type of training are less likely to click on phishing emails or create other cybersecurity risks.