Fixing the weakest link in cyber security

Good cyber security starts with training and culture rather than expensive technology, and professional services firms should take note.

  • Cybercriminals take advantage of employees’ good manners and poor vigilance to gain entry to company networks
  • Security systems can also be compromised if users forget to change their passwords, have the same passwords for multiple platforms or use unsafe public wifi to access sensitive material

When Paul Harragan is asked to assess the cyber-security defences of a professional services firm, his first target is not the high-tech software systems one might expect. Harragan, associate director of cyber security at EY, has another way of getting around the expensive technology and protocols that are usually deployed to protect the intellectual property and data of a firm and its clients.

“When executing a penetration test on a target we look for the low-hanging fruit first, and the findings usually lead to the human factor as the weakest point,” he explains.

Poor training and carelessness can leave law firms, accountants and other professional services providers vulnerable to the simplest attacks, such as ‘phishing’ expeditions in which emails are sent out with what Harragan describes as “a scattergun approach” to see who will click on a dangerous link and download some malware.

A well-executed phishing campaign usually returns some success in deployed malware, and it can work at all levels of the organisation.

The weakest link is often at the top

The greatest rewards often come from targeting the most senior members of the firm, the same people who are responsible for setting the rules and overseeing the protection of valuable data that can range from corporate secrets to bank account details.

“The top partners and CEOs are often the most targeted,” Harragan says. “The majority of the time they have administrator-level access and they often bypass security awareness training as they are too busy. They are the perfect people to attack.

“Social engineering techniques often deliver results,” he continues. “By preying on people’s best nature and impersonating someone of authority, you can manipulate people into revealing information, or deploy malware onto their system to gain access and elevate your privileges.”

Another successful approach for the cybercriminal is to take advantage of the good manners and poor vigilance of a receptionist or ordinary employee.

“Getting access to the corporate network is often the goal and in many cases the easiest way to achieve this is to either impersonate an employee (via badge clone) or pretend to be a delivery man or maintenance worker,” says Harragan. “We have seen success in gaining building access with badge cloning and employee tailgating [following somebody with proper credentials through an open door or into a lift] because people don’t want to be considered rude and close the door on you.

“I have worked as a contractor for some of the top banks in the world and I make a point of not wearing my ID badge to see if anyone enforces the IT security policy issued by the business, and I can’t remember ever being pulled up for not wearing my badge.”

The need for policy and procedures

Peter Wright, a member of the Law Society’s board and author of its Cyber Security Toolkit for law firms, agrees that inadequate staff training can undermine the best security systems.

“The most vulnerable people are at the two ends of the scale,” he says. “New arrivals might not have been trained yet and temporary workers might get no induction at all, but it is often senior partners or heads of department who authorise training for everyone else but think, ‘That’s for other people, not for me.’ They can be totally unaware of their own policy and practices, and a lot of them don’t have the natural familiarity with technology that the juniors have.”


Wright says the most expensive security systems are of little value if users forget to change their passwords, use the same passwords on multiple platforms or use a dodgy wifi service on the train home to access sensitive material.

The EU’s General Data Protection Regulation (GDPR) has helped to focus minds by imposing large penalties on firms that fail to quickly report breaches. “But it’s a double-edged sword because managers often think that is all they have to do, and compliance is not a one-off solution,” says Wright. “It has to be done constantly and you need to embed the right behaviours into the heart of your processes.”

Challenging attitude problems

Lyn Webb, the leader of Deloitte’s cyber-security training and awareness practice, says many professional services and law firms have finally realised over the past year that “it’s not just about investing in kit and technology; it’s about behaviour and culture as well.

“Good security is even more relevant to professional services than most other sectors because if they get it right it’s a point of differentiation that is attractive to clients,” she says. “It has to be seen as something that really helps the business attract more clients.”

Apart from regular training sessions, some firms have begun to operate cyber-security ‘drop-in clinics’ in their canteens or a ‘Cyber Security Week’ as an internal comms campaign for staff.

“Some companies hold a cyber-security boot camp, an immersive activity where you get to feel what an attack is like. You can make it a competitive exercise or just a good chat about various scenarios.”

Webb says the attitudes of different segments of the workforce also have to be addressed. “When it comes to challenging people who are not doing the right thing, like tailgating or leaving something sensitive sitting on a desk, junior people admit they are reluctant to do that, and senior people say they would not expect to be challenged,” she says. “But just having that conversation with both groups can help to shift those attitudes.”

Managing a mobile workforce

A common weak spot arises when staff are moved within an organisation.

“Their access privileges are supposed to be reviewed but that process can fall through the cracks,” says Webb. “The line manager, HR department and security team can all be unclear about who’s responsible for doing it so that can be a vulnerability, ending with people having access they shouldn’t.

“Contractors and temporary employees can be alive to that issue because they are used to leaving, but people who only move every few years might not raise it with anyone, so they can end up keeping access they no longer need.”
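The mover problem Webb describes is mechanical enough to check rather than leave to whichever of HR, the line manager or the security team remembers. The script below is an added example, not code from the article or from Deloitte: it compares an IAM export against an HR feed and a per-role entitlement baseline, flags access a user still holds that their current role does not justify (attributing it to the previous role that granted it where it can), and separately lists accounts with no HR record at all, the contractor-and-temp case. The role names, entitlement names and all three data sets are constructed for illustration.

```python
"""Entitlement drift check for movers and leavers.

Added example with constructed data: ROLE_BASELINE, HR_FEED and IAM_EXPORT
are illustrative stand-ins for a firm's role model, HR system export and
IAM group-membership export, not real records.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed role baseline: the entitlements each role is supposed to carry.
ROLE_BASELINE = {
    "litigation-associate": {"dms-litigation-rw", "timekeeping", "email"},
    "corporate-partner": {"dms-corporate-rw", "deal-room-admin", "timekeeping", "email"},
    "reception": {"visitor-log", "email"},
    "finance-temp": {"ledger-ro", "email"},
}


@dataclass
class Person:
    user: str
    current_role: str
    previous_roles: list[str] = field(default_factory=list)  # oldest first


# Constructed HR feed: who is in which role now and where they came from.
HR_FEED = [
    Person("asmith", "corporate-partner", ["litigation-associate"]),  # promoted mover
    Person("bjones", "reception"),                                     # never moved
    Person("cwang", "litigation-associate", ["finance-temp"]),         # temp turned permanent
]

# Constructed IAM export: what each account actually holds today.
IAM_EXPORT = {
    "asmith": {"dms-litigation-rw", "dms-corporate-rw", "deal-room-admin", "timekeeping", "email"},
    "bjones": {"visitor-log", "email"},
    "cwang": {"dms-litigation-rw", "ledger-ro", "timekeeping", "email", "vpn-admin"},
    "dlee": {"dms-corporate-rw", "email"},  # no HR record: a leaver or an unknown contractor
}


def find_stale_access(people, iam, baseline):
    """Return {user: {entitlement: origin}} for every entitlement a user holds
    beyond their current role's baseline. origin is the most recent previous
    role whose baseline included it, or "unknown" when no past role explains
    it, which is the case that needs a human to investigate."""
    findings = {}
    for p in people:
        held = iam.get(p.user, set())
        allowed = baseline.get(p.current_role, set())
        stale = {}
        for ent in sorted(held - allowed):
            origin = "unknown"
            for old in reversed(p.previous_roles):  # most recent past role first
                if ent in baseline.get(old, set()):
                    origin = old
                    break
            stale[ent] = origin
        if stale:
            findings[p.user] = stale
    return findings


def orphaned_accounts(people, iam):
    """Accounts present in IAM with no HR record: nobody's role justifies them."""
    known = {p.user for p in people}
    return sorted(set(iam) - known)


if __name__ == "__main__":
    for user, stale in find_stale_access(HR_FEED, IAM_EXPORT, ROLE_BASELINE).items():
        for ent, origin in stale.items():
            print(f"{user}: remove {ent!r} (granted under previous role: {origin})")
    for user in orphaned_accounts(HR_FEED, IAM_EXPORT):
        print(f"{user}: account has no HR record, review for disablement")
```

Run against a real IAM export the output is a work list with an owner attached to each item, which is the piece Webb says falls between HR, the line manager and security: a finding attributed to a previous role goes to that role's owner for removal, while an "unknown" origin or an orphaned account goes to the security team, since no role in the model explains it.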

Workers can find security a chore when it becomes too onerous, Webb warns, making it important to design systems that are easy to use and do not distract people from their work.

Allowing people to work from home with mobile technology raises some risks, but Webb insists they can be mitigated with proper training, as can the perils of ‘oversharing’ on social media.

“There is growing concern about people blurring the lines between private and work lives on social media, and some employers are trying to lock down people’s digital footprint to stop them divulging things online,” she says.

“But we can’t un-invent social media. We just need to strengthen core attitudes to security, whether it is online or sitting on the train talking out loud about work matters. It comes back to the sort of training that helps people understand the right thing to do.”

It’s especially important to foster a culture in which staff are not afraid to ask for help or advice when they might have made a mistake, says Webb.

“You want them to bring any problems to your attention, so you should reward them for doing the right thing by raising their concern rather than punishing them for having done something wrong in the first place.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
