Cybercrime will cost $6 trillion US dollars annually according to the 2017 Annual Cybercrime Report, says Sarah Arnold – but just how does this terrifying-sounding figure affect the EA on a day-to-day basis?
Cybercrime is rapidly becoming more advanced and calculated. Every day hundreds of thousands of new threats are created, whilst jobs in the cybersecurity sector are expected to reach 3.5 million by 2021 (a rise from just a million in 2016).
This can seem overwhelming and much of the time it’s easy to feel distant from the threat, especially when news headlines contain stories about nations using cyberattacks on one another. And, as an EA, it’s easy to be dismissive, assuming IT will take care of it and ensure threats are minimised within your company.
Of course, this may be true, with many tech experts working hard on the matter. But what’s also becoming apparent is that every employee has a responsibility here.
Richard Walters, the chief security strategist at CensorNet, says: “Awareness throughout all levels of business is key. Cyber threats no longer solely affect IT – everyone within the organisation has a responsibility to be vigilant and possess sound knowledge of what constitutes good cyber hygiene.”
As an assistant, that also means being vigilant with the work of your boss, especially as high level EAs have access to confidential material hackers would most like to infiltrate. Beyond this, you also have some responsibility to ensure your executive is aware of, and following, security protocol.
Graeme Park, a senior consultant at IT strategy company Mason Advisory, explains: “It’s important that EAs have a solid grasp of cybersecurity as they often have delegated authority to manage executives’ email, access their social media accounts and, in some cases, their domain accounts to manage activities on their behalf. They’re also the gatekeeper to the executive and, in such capacity, act as a human proxy. Just as an executive opens regular mail and filters out spam, the conduct of this function using information systems is key to enabling security.”
So, as experts warn that major cyberattacks are a case of ‘when’ as opposed to ‘if,’ it’s well worth being prepared.
What is cybersecurity?
The term refers to the controls and processes put in place to ensure protection from cyberattacks, which come in different forms and range from a one-person hacker in their home to large, multinational criminal gangs.
Cybersecurity that’s well placed within a company reduces the likelihood of information being compromised, but it’s almost impossible to say that a company is 100 per cent risk free – if a piece of technology is usable then it’s at risk of being compromised. But it’s not all about the tech – although human error isn’t at fault for all attacks, in many cases it is a major contributor. In fact, as an employee, you’re actually one of the biggest threats to your company’s digital security.
Mike Gillespie, a specialist advisor at the International Institute of Risk and Safety Management explains: “Almost all of the organisations affected by a cyberattack will find, when they do their incident investigation thoroughly, that one of their staff has downloaded unauthorised software, clicked on a phishing email or attached an infected USB device to their network.”
How you can build a data security strategy
It may be next to impossible to fully protect a company from an attack, however, there are many EA-led actions that can prevent leaks:
Weak logins and passwords may seem an obvious place to start, but this is how hackers begin to get access to confidential data in as many as 80 per cent of cases.
“Often it boils down to users repurposing the same passwords across multiple personal and business applications or accounts,” says Walters.
“It might be easier for you to remember fewer codes but if your LinkedIn password is exactly the same as what you use for your business email account, you’re making a hacker’s job less complex and your data far more vulnerable.”
Walters suggests the implementation of Multi-Factor Authentication (MFA), a technology that uses several variables, such as location and IP address, to validate users and ensure they are who they say they are: “This needs to play a prevalent role in any security strategy,” he adds.
Raise awareness among employees and senior executives
Cybercriminals, whether in an organised gang or acting alone, are becoming more intelligent and their attacks more sophisticated: “Nowadays, all it takes is one carefully crafted email followed by an innocent click from an unsuspecting employee and your entire organisation could be at risk,” notes Walters.
Therefore, in this fast-changing threat landscape, relevant, regular and thorough training is essential to equip employees with the ability to question emails, files or activities they feel are counter to organisational security – and this means senior board members, too. Mike Gillespie says these individuals boast “invaluable strategic skills, which, combined with other steps, will place an organisation on the front foot instead of the back one.”
Regular security briefings with all staff could be vital for updating them on what new measures have been implemented in the company. Employees should also be informed of breaches of security, especially those in the industry they work in or those that have happened as a result of human error and given tips on how to avoid the same issues.
Additionally, employees should be trained in how to deal with cybersecurity threats. There are multiple ways to do this. Government guidelines on security exist in many countries (they vary from country to country) and some governments also provide cybersecurity training. Alternatively, there are private companies who can come in-house to train employees on cybersecurity, or a plethora of free online courses.
Monitor all incoming data
Kroll’s cyber investigations practice leader Tim Ryan stresses the need for regular cybersecurity due diligence and suggests that checks should be performed on all data received, especially when it comes from a third-party source – although it may have passed their security requirements, they’re likely to be a different set from yours.
This is important for EAs handling information on behalf of a high-level executive, so always ask yourself if you’ve considered the potential risks of any data you receive – and whether your company’s current cybersecurity protocols are strong enough to handle it.
Threats to watch out for – and where we’re at with them
- The Cloud
In recent years, there’s been a swift move to holding data in the cloud – in other words, data is stored on servers, such as Google Drive or Dropbox, that are not on the same site as your business. The cloud is ideal for removing the hassle of data storage and having multiple copies in different locations but, as relatively new technology, it also saves hassle for hackers. Those providing cloud services are creating new tools to combat this but regular leaks in 2017 show this isn’t yet the perfect solution for businesses.
o EA solution: Protect yourself by comparing providers of cloud space, checking if they’ve had any breaches and how they have handled them.
- Networks
Attacks on networks happen from outside but may also happen from within, especially as unsecured networks are an easy target.
o EA solution: EAs can tackle this by encrypting confidential files and by having firewalls on their systems. Anti-virus software should always be updated to the most recent version and, now, artificial intelligence (AI) and machine learning are being used to help decide which threats need to be dealt with urgently.
- The Internet of Things
The Internet of Things (IoT – a term used for items that are connected to the web and, subsequently, to each other) means most devices are now online (from printers to fridges to Google Assistant) and with this comes risk of attack.
o EA solution: Ensure you’re connected to a secure network and passwords are changed from the default.
In addition to devices generally being quite open to attack, the companies behind them often collect data about their customers (generally listed deep within the terms and conditions). This leaves that data at risk of being accessed illegally, where hackers may use it to impersonate their victim, usually for financial reward.
o EA solution: Remember that personal data stored with a third party may be compromised if their network security is penetrated – be careful who you share data with and, if you do share, ask for their cybersecurity protocol.
- Malware and ransomware
Malware is short for malicious software and encompasses viruses, worms and ransomware, among other things – and they’re rapidly increasing by the million. Everyone is susceptible to this threat. Meanwhile, ransomware is a malware attack in which the hacker withholds information or an asset until a ransom is paid – as you hold some of the company’s most valuable information you’re liable to be a target for this.
o EA solution: There are many options to minimise these threats: keeping devices and software updated, using a pop-up blocker and firewall, avoiding links on emails you’re not fully sure of and using strong passwords.
- Phishing and whaling
Phishing is when attackers try to obtain sensitive and confidential information by disguising themselves as the genuine source, for example posing as a bank to obtain credit card information, whilst whaling is when these attacks are aimed at prominent and wealthy individuals (the ‘big fish’) as the reward is much higher. Whaling is a particularly prominent threat to EAs and their executives, and assistants need to be eagle-eyed gatekeepers.
o EA solution: Graeme Park warns: “They should be able to see the tell-tale signs before opening emails or even forwarding them on for action. Once it has passed one set of human screening it is likely to be given credence by the next.” And watch out for social media: Andrew Rogoyski, head of cyber security at CGI UK, explains: “Posting on Facebook that your boss is on holiday or travelling may be spotted by an attacker who will engineer a whaling attack, for example.”
- Social Engineering Attacks
Social engineering attacks are an extension of phishing, where hackers pretend to be someone known personally to, and trusted by, the user in order to get sensitive data from them. Why hack a computer when you can hack a human instead?
o EA solution: Be careful. Hiwot Mendahun, product manager at Mimecast, gave an example of this tactic at the Enterprise Security and Risk Management Summit: “You can use LinkedIn to find out most information you need to understand the internal relationships at a firm and we had someone emailing the CEO’s PA, pretending to be the CEO.” The email in question appeared to come from the CEO using the company’s internal domain but, on closer inspection, the domain was actually one character different from the genuine one – understandably very easy for a busy EA to miss at first glance.
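The one-character-different domain described above is exactly the kind of thing a small automated check can catch before a busy assistant has to. The script below is an added illustration, not code from the article or from Mimecast or any other company quoted in it. It assumes a hypothetical company domain (example-corp.com) and a hypothetical executive name, and the sample sender addresses are constructed; it flags any sender whose domain is within a couple of edits of the genuine domain, or that only matches after swapping look-alike characters, and it separately flags a known executive’s name appearing on an outside domain.

```python
"""Flag sender domains that are one or two characters away from the genuine one.

Added illustration of the lookalike-domain trick; not code from the article
or from any vendor quoted in it. The company domain, the executive name and
every sample address below are constructed for the example.
"""

# Constructed: the organisation's real email domain(s).
GENUINE_DOMAINS = {"example-corp.com"}

# Constructed: display names of people whose identity is worth protecting.
EXECUTIVES = {"jane doe"}

# Illustrative look-alike substitutions seen in deceptive domains. Each value
# is a canonical form, so "c0rp" and "corp" normalise to the same string.
CONFUSABLES = {"0": "o", "1": "l", "l": "i", "rn": "m", "vv": "w"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse look-alike characters."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES.items():
        d = d.replace(lookalike, canonical)
    return d


def sender_domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, max_distance: int = 2) -> str:
    """'internal' for a genuine domain, 'lookalike' if it is a near miss,
    otherwise 'external'."""
    dom = sender_domain(address)
    if dom in GENUINE_DOMAINS:
        return "internal"
    for genuine in GENUINE_DOMAINS:
        if normalise(dom) == normalise(genuine):
            return "lookalike"
        if edit_distance(dom, genuine) <= max_distance:
            return "lookalike"
    return "external"


def triage(display_name: str, address: str) -> str:
    """Combine the domain verdict with a display-name check: a known
    executive's name on anything but the genuine domain is impersonation."""
    verdict = classify_sender(address)
    if verdict != "internal" and display_name.strip().lower() in EXECUTIVES:
        return "impersonation"
    return verdict


if __name__ == "__main__":
    # Constructed sample inbox: (display name, address).
    inbox = [
        ("Jane Doe", "jane.doe@example-corp.com"),   # genuine
        ("Jane Doe", "jane.doe@exampIe-corp.com"),   # capital I for l
        ("Jane Doe", "jane.doe@example-c0rp.com"),   # zero for o
        ("Sales Team", "sales@partner-firm.co.uk"),  # ordinary outside mail
    ]
    for name, addr in inbox:
        print(f"{triage(name, addr):14} {name} <{addr}>")
```

In practice the same logic sits best in a mail-filter rule or a banner on incoming messages rather than in a script the assistant runs by hand; the point is that "looks like the CEO's address" is something a computer can test exactly, whereas a person skimming a crowded inbox cannot.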
EA point of view
EA Natalie Sands works for a global investment firm that decided early on that they needed to be at the forefront of data security: “Our company takes data security very seriously; constantly investing in new technologies and rolling out mandatory learning for all employees on a regular basis. Any files that are sent internally or externally have to be encrypted, password protected and monitored by a central team that checks each and every attachment; flagging to management if there’s anything outside of policy. Given the amount of data we hold, our chief risk officer led a project to raise awareness of cybersecurity, which is also something we offered to our clients to help make them more aware of the risks to their businesses.”