There is a popular illusion out there about IT security—we think it’s all technical. Today every user at least knows about antivirus and antimalware, firewalls and a few other things. We are used to passwords and PINs, if not always as careful about keeping them secret as we know we should be. But then some of us still fall for that scam ‘bank’ email saying our account is in danger of being suspended, so we click and fill in our details as requested.

That is phishing for beginners. What about that utterly authentic looking email from the financial director authorising a change of bank account for payment to an established supplier? All too many accounts department people have believed that one recently. All it needs is a look at some authentic internal documents and formats, a couple of names and guessable email addresses and a child could get away with it. Some time later when the supplier finally calls about missing payments the money is long gone into the ether — thousands, hundreds or even millions.

The point is that in all areas of security, people are the real front line. Careless, gullible or well conned, they can open the door. But they are also the defenders and well-informed wariness is in many ways at least as important as smart security systems. At a management level, people are sometimes avoiding decisions (or making the wrong ones) because they find it hard to believe that their organisations are really likely to be targets. That’s not just an Irish thing, by the way. Managers all over the world think they are too small or insignificant to be targeted.

But cybercriminals are no different from the real world. There are purse snatchers as well as bank raiders, sneaky domestic burglars and digital blackmailers with a cheap and cheerful ransomware set of code. Pay up or stay locked out of your own business and your own and your clients’ data. When the ransom is not actually exorbitant, guess what usually happens?

Criminals are constantly looking for anything of value. In the cyberworld, data is often more accessible and valuable than money. Your customers’ bank account details, of course. But addresses and occupations and luxury purchases could be invaluable to housebreakers. On the purely electronic side, even an amateur hacker can try thousands of ‘doors’ to corporate systems to find the occasional unlocked one and explore for target value.

“At a management level, people are sometimes avoiding decisions (or making the wrong ones) because they find it hard to believe that their organisations are really likely to be targets. That’s not just an Irish thing”

So, what are the answers? First, and definitely foremost, are awareness programmes for all users. Security awareness has to be an integral part of the culture. In any organisation, that means structured policies and procedures and regular updating of both systems (patching, vulnerability management) and employee understanding. That has to be formal, but in fact it can often also include a touch of fun. Tales of how other people got caught off guard are, alas, always amusing but also instructional. In-house, an incident or a good fright is often a healthy stimulus. A penetration test or staged ‘incident’ to see how people respond can give an invaluable insight.

What every organisation needs is a security framework so that all of the major threats are covered, for systems and people. There are many to choose from, from the NIST Security Framework to ISO 27001, SANS Top 20 or Cyber Essentials for smaller organisations. We use simple checklists with our clients, based on best practice and experience. The key point is that it is structured.

Success is not in the concepts. It comes from taking the actions, reviewing regularly and upgrading when recommended. We live, work and do business in a sometimes dangerous world — and the cyberworld is exactly parallel. Safety comes from being aware, being careful and taking the precautions. Not rocket science, often not even tech, but essential. Perhaps we should start introducing online security in schools?

Sean Rooney, Cyber Risk and Assurance Director Integrity360

Article courtesy of