Reducing vulnerability to growing hacker practices

Darren Hockley, MD of eLearning provider DeltaNet International, discusses how the public sector can protect itself against the latest generation of cyber crime such as social engineering and man-in-the-middle attacks

Just under a year ago, the NHS was hit by one of the largest cyber-attacks reported in the public sector. On the morning of May 12, hundreds of NHS employees turned on their computers, only to be greeted by a message stating that their files had been encrypted and could only be unlocked by paying a ransom. A media storm ensued, until a cyber security researcher ‘accidentally’ managed to stop the spread of the WannaCry ransomware attack.

Though NHS England said no patient data had been compromised or stolen, and praised the staff response, the breach was not without its consequences. According to the BBC, more than a third of trusts in England were disrupted and at least 6,900 NHS appointments – including operations – were cancelled as a result. The same article reports that NHS Digital carried out an assessment of 88 out of the 236 NHS Trusts before the attack, of which none passed the required cyber security standards.

As a result of the news, a spotlight was shone on ransomware attacks and The National Cyber Security Centre published guidance on how to protect IT systems from a malware infection. The threat still remains, with a recent report claiming that there are around 38 new ransomware attacks detected each day. And there’s more bad news – ransomware is just one of many tactics that hackers employ in order to encrypt, or gain access to, an organisation’s data.


Why is the public sector so vulnerable?

There are many reasons why a hacker would want to target a particular individual, business, or organisation – and no one is immune to the threats. The financial and public sectors may be the most vulnerable purely because they’re sitting on a goldmine of data that cyber criminals would love to get their hands and exploit.

Another reason why the public sector is so vulnerable is because one in four (23%) public sector organisations in the UK are unprepared for a cyber attack. Many do not have adequate security measures in place, are still using old, outdated systems, and/or have not yet made the transition from paper to digital-first.

This sector cannot afford to let cyber security fall by the wayside because it’s already causing widespread concern among the general public. In February, a survey revealed that most British adults (83%) are uneasy about sharing their information with sites including HMRC and DVLA, as well as the police and local government.


What measures need to be put in place?

As mentioned earlier, ransomware is just one of the many ways in which hackers can exploit an organisation’s IT infrastructure. The best thing that an organisation can do is keep on top of the news and take note of any emerging or growing hacker practices. It’s all well and good that senior management is trained on cyber security, but every single member of staff should have an understanding of the different types of cyber attacks and how they can identify them.

This is vital because human error is the leading cause of the vast majority of data breaches. Here are two hacker practices you need to be aware of, and what you can do to prevent falling victim to them.

  1. Man-in-the-middle attacks

It’s true that some hackers are opportunistic, but others are more calculating, conducting attacks over time so they can harvest valuable data. One such approach is the ‘man-in-the-middle’ (MITM) attack, which involves the deliberate interception of communication between two systems (i.e. email, social media, web surfing). An example of this is where MITM attackers gain access to your customer lists and then email your customers, pretending to be your organisation, and directing them to pay into a bank account of their choice.

You can help prevent MITM attacks by asking employees to avoid working on company laptops (or phones) from unsecured, public Wi-Fi networks. Employees also need to understand how to spot unsecured websites, and why you should be aware of websites with the ‘http’ protocol (as opposed to the ‘https’ protocol), particularly when sharing sensitive data or making payments online.

  1. Social engineering

Like MITM attacks, social engineering is becoming more and more widespread. It’s the art of manipulating people so they give up confidential information, like their passwords or bank information. You may think you’d never be tricked into doing this but it’s surprisingly easy to fall victim to when the hackers’ methods are so convincing.

Poor passwords are a particular problem because people tend to reuse the same one over and over, which gives a hacker access to many different sites. Ideally, passwords should be unique and made up of letters, numbers and characters Apps like LastPass are highly recommended because they act as a vault for your passwords while also having the functionality to create randomised combinations.

A lot of social engineering issues can be avoided if your employees simply check that things like emails, calls, software and USB sticks are from trustworthy sources. Not doing so puts your company risk of baiting, a common technique hackers use to fool people into downloading malware, which can then capture confidential information.

Unfortunately, this article is only really a starting point when it comes to cyber security. Once you’ve got a list of the most common types of hacker practices it’s important that you get awareness training sessions in place at the earliest convenience. Once delivered, make training material readily available to staff so that they can refresh their knowledge at any time. It’s also useful for new employees and should be continually updated to reflect the new and updated regulations.

Darren Hockley is MD of eLearning provider DeltaNet International, which offers a wide range of courses for businesses including training on cyber security.

Related reading