One of the things we advocate for really strongly is a layered approach to cyber security.
We recently read a story online about a business that had spent £2 million on a state-of-the-art security system. Someone was hired to test the system by bypassing it to gain access to the premises, and they managed to do so easily in broad daylight, sailing past highly trained security staff and security-conscious workers alike.
How? They relied on people’s natural instinct to follow the rules and be polite.
They gained initial access by smashing a van window from a distance and then, a short while later, driving up pretending to be a window repair service. This allowed them to drive a van straight past security, even being waved through as it was an expected visit. Then someone got out of the van and stuck a sign to one of the company’s exit doors that simply said ‘please leave this door open’. As the company culture was pretty traditional and based on rule-following, the first person to use the door propped it open, and the people who followed didn’t even question it.
This gave access to the building once staff had left. So a £2 million investment in presumably high-tech security measures was easily bypassed by playing on people’s assumptions (the window repair van) and natural rule-following tendencies (the door sign).
Although in this instance we’re talking about physical security, it really is exactly the same with IT. We advise our clients to take a layered approach to their security. Absolutely pay for tech solutions to keep you safe from cybercriminals, especially with the rising use of artificial intelligence to make scams ever harder to spot.
But as much as we would love it to be, investing in tech isn’t enough. If you’re going to invest in tech solutions to protect you against threats (which we recommend), you also need to invest in training for your team. There’s a lot of focus on being able to spot email scams, but what if a member of your team receives a polite email from someone pretending to be you, asking them to change some bank details or similar? Would they question it, or would they do it because their default is to follow instructions from their boss?
One notable thing about the above story is that it’s all so reasonable! Waving a window repair van through security because you’re expecting it is reasonable. Obeying a door sign asking you to leave it open is reasonable. But so is clicking on a link that doesn’t look suspicious, asking you to reset your email password due to suspicious activity. It’s also reasonable to carry out a request from a client to change the bank details on an invoice. All of these are things which could end in downtime and financial disaster for any business.
This is why we talk about a layered approach to security so often: we don’t want you to spend money on tech solutions, only for a member of your team to unwittingly let cybercriminals in through the front door after politely being asked to leave it open!
As well as things like antivirus, secure password management, two-factor authentication, firewalls, anti-spam, and advanced threat protection for email, we also recommend and provide training specifically tailored to the needs of your team. That way you’re not paying for them to be taught what they already know; you’re paying to protect your business from cybercriminals with the gall to try and waltz through the front door.