I was concerned to read the outdated cyber security advice offered by Business Gateway in last Friday’s Courier.
As an industry, we constantly review the guidelines and advice we give to businesses against the current threat environment, taking into account the human factors as well as the technical ones.
For some years now industry best practice has been to advise against regular changes of passwords, a view endorsed by (the then) CESG back in 2015 and repeated in the UK government’s cyber aware campaign.
The National Cyber Security Centre’s (NCSC) work on simplifying passwords – the #thinkrandom campaign – is straightforward and pragmatic.
A three year old child with a vocabulary of around 1,000 words can pick a memorable three word password from a billion combinations.
There is no specific requirement to add numbers to make it ‘harder to guess’ – that just makes it harder for people to remember. It is a fallacy that attackers break in by ‘guessing’ passwords – they just buy them off the shelf.
By simply choosing a different password for different websites, or, as a minimum – choosing different passwords for your most important accounts such as e-mail and social media – you can massively reduce the chance of those accounts becoming compromised.
Password managers are one way to achieve this; however, it is another fallacy that they offer an ‘additional layer of security.’ National guidance is clear: do not use them for your most important accounts – you shouldn’t put all your eggs into one basket.
‘Making sure that all software up to date’ is not obvious at all. Last month, vulnerabilities were announced where software updates alone are not sufficient.
In some cases – firmware updates, microcode updates and even changes in the way that software is used are required.
For example, users should now log out of websites once they’ve finished with them – instead of simply clicking to a new tab.
It seems odd that Business Gateway would forget to mention such important practical advice given that these are by far the most significant security vulnerabilities ever discovered in the history of modern computing.
The recommendations on phishing are also out of date. All research suggests that it is almost impossible to prevent a successful spear phishing attack against a business.
Directors and IT staff are among the most vulnerable, so businesses need instead to be given proper strategies to help understand and mitigate the risks – rather than glib advice to ‘not click on the links.’
My concern is that advice which is outdated is presented and flies in the face of established national guidance.
Back in November last year, Ciaran Martin, the CEO of the NCSC, gave a very clear picture of the current national threat and also gave some clear priorities that businesses needed to follow.
Two of these, which never even featured in the article, were:
1. Backing things up – and critically – keeping those backups disconnected from your computers. This is because ransomware seeks out backup files to destroy as well.
2. Using two-factor authentication. This is because almost the entire population’s e-mail addresses are available for sale on the dark web, so passwords alone are no longer considered sufficient in their own right.
It is bad enough that there is so much well-intentioned but flawed advice being offered to the general public – ‘Change your Facebook password because my account was hacked last night.’
Business Gateway should be promoting national guidelines and not regurgitating outdated security advice which is out of date.
When the General Data Protection Regulation (GDPR) becomes law on May 25, all organisations will become accountable for any personal data which is lost or stolen – whatever the cause.
Last year, one small business was fined £60,000 after a theft of customer data from its website.
The year before, a nursing home was fined £15,000 after one of its laptops was stolen.
These fines will be significantly higher under GDPR, so if there was interest I would be happy to run a free cyber security workshop in Campbeltown to help local businesses and charities get prepared.