Companies must be aware that cyber risks can arise from within the business, and employers may want to review how well informed staff are about the company's policies and procedures, thereby putting cyber security measures into practice.
Cyber security measures include:-
- periodically changing passwords
- logging out of systems when they are not in use, particularly when using remote access
- maintaining constant awareness of the types of cyber attacks that may occur, and of how to report them
Employers must make sure that information security policies and procedures are kept up to date and incorporate the latest standards.
Employers can draw on a range of recognized strategies and standards, including the following:-
- Australian Signals Directorate (ASD), an intelligence agency within the Australian Government Department of Defence. ASD has published its Strategies to Mitigate Targeted Cyber Intrusions; the four highest-ranked mitigation strategies address around 85% of standard cyber risks;
- the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) information security standard ISO/IEC 27002, titled Information technology – Security techniques – Code of practice for information security management.
Employees must be kept constantly aware of the different types of cyber attacks and of how cyber attacks occur. An internal or external HR seminar can structure cyber security information for the company along the following lines:-
Who carries out cyber attacks:-
- Employees and other insiders
They are considered the most likely source of an attack and may be motivated by ideological or personal reasons, or by financial gain.
- Lone individuals
They commit fraud or small-scale breaches; however, an individual hacker may still have the potential to create significant disruption.
- Corporate espionage
Cyber attacks include espionage by competitors, suppliers and trusted third-party service providers.
- Hacktivists
They are motivated by political or ideological reasons and use technology to facilitate criminal conduct in a coordinated and systematic way.
- Organised crime
Organised crime is motivated by financial benefit and uses technology to facilitate criminal conduct in a coordinated and systematic way.
- State-sponsored activity
Attacks from this source are often highly resourced. They may focus on espionage, whether for commercial, political or ideological motives.
Types of cyber attack:-
- Hacking
Manipulating the behaviour of computer devices, network connections or connected systems for the attacker's own ends (e.g., cracking passwords to access a computer).
- Identity and data theft
Information harvested through a range of methods, including:-
- phishing (getting access to personal details or money by pretending to be a trusted source)
- card skimming (information copied from the magnetic strip of a debit or credit card)
- social media.
Hacking results in data breaches, where personal information, particularly that of staff or customers, is stolen or compromised for use or sale on the black market. Hacking can also result in denial of service.
- Denial of service
Attempts to make a computer device, system or network resource (such as a bank or payment system) unavailable to its intended users through, among other things, overloading it with computer traffic, 'malware' or a virus.
Source: ASIC Report 429, http://download.asic.gov.au/media/3062900/rep429-published-19-March-2015-1.pdf
- Malware (short for malicious software)
Malicious software used to infect a person's or organisation's computer, computer system or network, for example through the use of 'trojans', viral attacks spread via email, spyware, spam and adware, enabling the perpetrator to monitor online activity or cause damage to the computer, system or network.
- Unauthorised access
Unauthorised access to a computer device, computer system or network in order to obtain information (e.g., through cracking passwords).
- User tracking
Spying on a person or entity (e.g., tracking calls, emails, pictures, and messages, mainly through mobile technologies).
Cyber attacks brought on through unintentional participation:-
- Money laundering
Transferring money (e.g., the proceeds of crime) through online payment systems or e-cash facilities to make it appear legitimate. Financial consumers or entities may be unaware that their accounts or networks are being used as a means of laundering money.
- Online fraud
Illegal attempts to access personal details or financial information through phishing and email scams (e.g., money transfer requests).
- Pharming or ‘drive-by’ attacks
Web attacks occur where a user visits a malicious webpage that infects the user's device without a conventional file download, or where users are redirected from legitimate websites to fraudulent ones.
- 'Ransomware'
Attackers threaten to encrypt files or remove data and files unless money is paid.
Cyber attacks are brought on by indirect measures resulting from the following:-
- ‘Social Engineering’
The psychological manipulation of people into performing actions or divulging confidential information on or about an information system.
- Third-party providers
The poor cyber resilience of third-party providers such as business partners, service providers, contractors, and suppliers, or weaknesses that can arise from sharing networks and data—including offshoring and outsourcing.
- System vulnerabilities: application or technological weaknesses
Failure or delay in updating software or information controls (e.g., continued use of the Microsoft Windows XP operating system, which no longer receives IT security support and updates).
- Operational systems
Lack of resilience of physical infrastructure that supports the information system, such as power generators and servers.
- Use of virtual platforms (i.e., cloud) and portable devices
Increases the risk of access to confidential information if appropriate protections are not in place.
- Weak access protections
Poor access protections may make it easy for employees or hackers to get inappropriate access to confidential information.
Cyber security skills must be built in non-technical disciplines so that cyber resilience is integrated into the core business, and all employers and staff must adhere to this on a regular basis. Employer and employee cyber security awareness, together with correct compliance with security protocols, will strengthen the company's defences against cyber attacks.