Your people are the most effective line of defence when it comes to cyber security. It’s a message that has been passionately expounded by cyber security experts for many years, but it has taken the recent hike in the profile of cybercrime for people to really start listening.
Today’s webinar was a chance to gain a little insight into the topics of cybercrime and cyber awareness from two seasoned professionals with a wealth of first-hand experience. Nick Wilding leads the Cyber Resilience Best Practice division of AXELOS GBP – a joint venture between the UK Cabinet Office and Capita; and Vicki Gavin is Compliance Director and Head of Business Continuity, Information Security and Data Privacy at The Economist Group.
At Unicorn we are fortunate to count AXELOS among our strategic partners, and have worked closely with them to develop and continually improve RESILIA – an integrated best practice portfolio designed to put people at the centre of an organisation’s cyber resilience strategy. Ahead of the imminent relaunch of this suite, Nick and Vicki took some time to lend context to the need for cyber awareness training.
This morning’s webinar kicked off with a roundup of the latest statistics relating to cyber attacks:
“One thing’s for sure”, said Nick Wilding, “looking at the stats, it’s clear that at some point you will be breached.” The frequency and nature of these attacks are such that it’s easy to see where he’s coming from: over the past year alone we’ve seen everything from repeated attacks on the SWIFT network, to the sustained efforts of Russian hacking group Fancy Bear in their attempts to upset the US electoral process.
“To be honest, it’s easy to see why people end up with ‘security fatigue’,” said Vicki Gavin. “We’re incessantly bombarded with frightening statistics to the point that sometimes these headlines end up just having the opposite effect. For me personally, I’ve found a way to leverage this kind of information, and the key is making it specific and relevant to the activities of your own organisation.”
“If we accept that people are our best line of defence”, continued Nick, “it’s shocking to think that in a recent study, we found that as many as 45% of organisations don’t do any kind of cyber security training, and of those that do, 81% are relying on mandatory training that is completed once a year or less.”
It’s about technology and people, not just bits and bytes.
– Vicki Gavin, The Economist
One of the anecdotes that AXELOS have come back to time and again is that of Jim Baines – a personal friend of Nick Wilding, and a CEO who has spoken at length about his traumatic experience at the hands of cybercriminals. Nick relayed this story today, and followed it with an extract from one of Baines’ letters that poignantly reminded others that none of us are invulnerable when it comes to falling foul of cybercrime. “Interestingly,” said Vicki, “what we seem to see time and again is the prevalence of this culture of blame. Whenever something happens, businesses are quick to want to assign blame – whose fault was it? Who clicked on a malicious link? Who opened a phishing email? But when we’ve talked about organisations only offering cyber awareness training once a year, how are people supposed to learn?”
“They say it takes a minimum of three weeks to start developing a new habit,” she continued, “so what we really need is to start embracing this idea of continuous learning.”
When you consider AXELOS’ statistic that, of the firms supposedly running ‘effective cyber awareness training programmes’, no more than 50% had full completion rates, it’s little wonder that learning continues to be a barrier to resilience.
“In the simplest of terms, where it comes to awareness there’s too much stick and not enough carrot,” says Nick. “At the heart of it, people sometimes forget that cyber is an interesting topic – so engagement ought not to be something that’s seen as tedious.”
“The problem is often that people think just because someone is a cyber expert, that that automatically means they will be a good trainer”, asserted Vicki – followed by another acknowledgement that in order to achieve real engagement, it’s critical to make learning relevant to your target audience. Sharing her experiences of responding to attempted cyber-attacks mounted on The Economist in the past twelve months, Vicki pointed out that this is now becoming the norm for businesses operating in the digital age.
At the source of every error which is blamed on the computer, you will find at least two human errors, one of which is the error of blaming it on the computer. – Tom Gilb, US Systems Engineer
“I can tell you we’ve had 360 cyber events in the last year, of which 60 we might categorise as ‘incidents’, and 3 that were escalated to crises,” she said. “In the latter part of last year, we had a breach when an individual unwittingly gave away their user credentials by clicking on a link in a phishing email. Although the hackers then used this breach to send a further email to everyone in the business, of the 1400 people we have working for The Economist Group globally, only 50 people actually opened this email, and no one else clicked on anything. In summary, we had the whole thing contained in under 3 minutes. This is exactly the kind of compelling event that shows the true value of cyber awareness training to our board.”
Speaking about the need to promote awareness learning that really works to change behaviours across businesses, Nick said: “What we come back to time and again is this theme of storytelling – making training relevant and relatable. Don’t just tell people what the policy is, help them to make that relevant, and to interpret and understand what you want them to do in order to support it. What we see instead is lots of ‘don’t do this, don’t do that’ – but what about the why?”
“Through our partnership with Unicorn, we have moved beyond the model of once a year training,” he continued. “We have built creative, innovative, engaging learning to help businesses design and implement effective training programmes for their organisations. The RESILIA suite gives you the power to build an adaptive, efficient programme of learning, utilising diagnostic tools to test current knowledge and then deliver only relevant content to address areas of weakness. The content is a mixture of online videos; refresher snippets and tests; games and animations – and in its variety is sympathetic to the notion that people learn in different ways.”
RESILIA is designed for businesses of all sizes to help them on the journey of developing a culture that recognises the need to keep abreast of the threats posed by cybercrime. As both Nick and Vicki explained today, a business is only as resilient as its people – something that unavoidably echoes the old adage about a chain being only as strong as its weakest link. “Critically, we want to get people talking about this stuff,” said Nick. “The more that people talk about it, the more resistant they become.”
If you want to find out more about RESILIA Cyber Awareness Learning – or book a demo – you can do so here.
This week, Emma Dunkley of the Financial Times published an amusingly titled yet insightful piece on the recent cyberattacks levelled at two major high street banks. Not to be misled by the lighthearted headline of the article, her account provided another chilling glimpse into the reality of what major banks and consumer organisations now face on almost a daily basis when it comes to protecting their data.
“The recent attacks on Lloyd’s Banking Group and Tesco Bank revealed the evolving techniques used by cybercriminals to expose financial institutions’ vulnerabilities”, she wrote, as she sought to explain the wider implications of what had happened. “The threat of cyber assaults is increasing. As banks roll out more digital services, and as more customers use technology to handle their money, cyber criminals have a greater number of entry points through which to access systems and customer data.”
On January 11th, Lloyds was hit by what is commonly known as a ‘denial of service’ attack, where hackers hijacked several of the bank’s servers and flooded their website with large amounts of traffic designed to cripple online services. Upon discovering that they could not gain access to online banking, many customers took to social media to vent their frustration, as Lloyds deployed a series of counter-measures designed to isolate the attacks and limit the damage caused.
Although large banks are typically targeted by denial of service attacks around once a month, the Lloyds incident was particularly severe – with this attack lasting far longer than the usual few hours.
“Denial of service attacks are happening 24/7 globally,” says Philip Halford, a senior adviser at financial services consultancy Bovill. “There are multiple perpetrators, often targeting the same trophy targets. They share the common objective to breach a control system sufficiently to allow or deny legitimate users access to it. The motivation can vary from criminal intent to mere bragging rights. The effect, however, can be crippling for organisations.”
Compared to the Tesco Bank fraud that took place in November last year, the Lloyds attack was relatively mild, with no customer data or money having been stolen. It is reported that the hackers behind the attack demanded a £75,000 bitcoin ransom, although it is unclear whether Lloyds bowed to this request.
Tesco Bank was not so lucky. Last year’s assault led to nearly £2.5m worth of payouts to 9000 customers who had money stolen by cyber criminals. This time, the data breach was facilitated by a weakness in one of Tesco’s mobile banking apps, which was exploited to access personal information connected to thousands of current and savings accounts. Thankfully Tesco Bank acted quickly to reimburse customers, but the incident still represents a significant and worrying reality of the risks posed by hackers.
What the attacks on Lloyds & Tesco Bank tell us about how online crime is evolving
Over the past twelve months, news of major cyberattacks has become increasingly commonplace – with 2016 seeing more sophisticated assaults than ever before.
Cyber crime is on the rise, with attackers developing increasingly sophisticated hacking techniques to break through organisations’ defences. It is one of the biggest risks to global banking, threatening to cripple lenders and defraud customers.
As the Financial Times rightfully put it, “the stakes are high”. When we consider the reputation of the UK banking sector amongst its customers, trust is a critical factor, and information security plays a huge role in this. Not only must banks consider their reputation in this matter, but also the potentially significant fines and sanctions imposed by financial regulators where institutions are seen to have failed in their obligation to protect customer information and assets.
Under the UK Data Protection Act, banks can currently be hit with a penalty of up to £500,000, but an EU directive that comes into force in May 2018 will mean companies can be fined up to 4 per cent of their global revenues for serious data breaches.
As we move into an increasingly tech-dependent world, banks and other organisations alike have an ongoing responsibility to stay ahead of the threats posed by cybercriminals – and as we so often hear, this isn’t just down to software.
Education also plays a huge part in cyber resilience, and equipping staff with the right knowledge can mitigate risk on a truly massive scale. We know that as much as 90% of all cyberattacks are mounted as a direct result of the unwitting action of a member of staff – whether that’s clicking on a phishing email, or falling foul of social engineering. Never before has it been so important to place cyber resilience at the top of your business agenda.
Interested in better understanding the implications of increased cybercrime for your business? Join our free webinar in partnership with AXELOS GBP and featuring Vicki Gavin of the Economist Group, as we explore the most effective ways to safeguard against cyberattacks. Join the webinar and explore more here.
For the full original FT article, click here.
Just last week we brought you news of a second high-profile cyber-attack on a major UK bank. With the Financial Services sector still reeling from the $81 million cyber heist involving Bank Bangladesh earlier this year, the second attack highlighted the growing need for increased cyber security across the industry.
With news that the Bank of England recently issued a request to all UK banks to redouble their security efforts when it came to all computers connected to the SWIFT messaging network, it’s obvious that cyber-crime is a very real threat to institutions across the board. “What we’re seeing is the very clear need for businesses to realise the potential cost of not only software security, but also cyber awareness among staff”, says Unicorn Training’s own Alex Prodromou. “With the increased sophistication of cyber-crime, more often than not hackers are able to access and wreak havoc across an organisation, simply because of the unwitting action of a member of staff who may have clicked on a phishing link, or opened an unsecured attachment.”
“Contrary to what we often read in the news, this isn’t anything to do with stupidity or negligence”, he continues; “but rather that organisations don’t always see the value in adopting a bottom-up approach, and educating staff about the potential threat posed by cyber-criminals.”
Indeed, the Bank of England’s alleged warning to the UK banks it regulates constitutes the first of its kind – the first time a bank in a major economy has issued an alert of this nature.
It should be noted that the Bank of England – one of the central G10 banks responsible for co-overseeing Brussels-based SWIFT – had no comment. However, it is undeniable that the Bangladesh theft has sent shockwaves through the established money transfer service for both commercial and central banks across the globe.
One thing is for sure – cyber resilience remains one hot topic for the industry, and institutions of all sizes ought to be taking concrete steps to safeguard their interests. Talk to us today about RESILIA, powered by AXELOS, and learn how Unicorn can help safeguard your business against cyber-crime.
It’s been another eventful few months for high profile cybercrime. In the wake of last year’s very public TalkTalk hack, SWIFT (Society for Worldwide Interbank Financial Telecommunication) has this year reported not one, but two instances of devastating cyber-attacks that have targeted high profile organisations in the commercial banking sector.
Back in February, a cyber-attack aimed at stealing cash from Bangladesh’s central bank at New York’s Federal Reserve was reported to have cost the organisation in the region of $81m (or £56m). In the investigation that followed, the extent of this attack was largely attributed to the central bank network’s lack of adequate security controls – including the fact that they had no functioning firewall, and that they were connecting to global financial networks using second-hand $10 internet routers.
Given the circumstances, it is incredibly fortunate that the bank’s total loss was in the region of millions, rather than the 1 billion dollars that the cyber-thieves were allegedly out to steal. It was later revealed that a simple spelling mistake in one of the transfer orders was what had alerted staff to the attack, and stopped much of the money going astray.
However, to think that cyber criminals are only out to target financial institutions whose systems are clearly substandard would be a grave misconception. Last week, SWIFT reported a second attack that targeted a commercial bank in a similar manner. Although SWIFT and the wider media have not as yet revealed the organisation in question – or indeed whether any money has actually been taken – it did report that the techniques employed in this attack bore a remarkable resemblance to those used in the February attack on the Bangladesh central bank. What this shows us is that these attacks are not isolated in nature, but rather what SWIFT called “part of a wider and highly adaptive campaign targeting banks” that exhibits a “deep and sophisticated knowledge of specific operational controls.”
“We are all vulnerable, regardless of role or seniority. An effective way of managing this risk is via a good cyber awareness programme that promotes good cyber behaviours and teaches all staff about their role in maintaining the cyber resilience of the company.”
–Mark Logsdon, AXELOS Cyber Security
As the growing prevalence of cyber-attacks such as these proves, cyber resilience rightly remains a hot topic for financial institutions. Mark Logsdon from our Cyber Security training partner, AXELOS, says: “The details of these high profile attacks remain subject to speculation, however they appear to be very similar to that carried out on Sumitomo Mitsui Banking Corporation (SMBC) in London back in 2005. In that attack criminals sought to create a series of SWIFT money transfer orders with an estimated value of £220M. Similar to these recent attacks they were only foiled by a combination of a vigilant member of staff and a simple error in the transfer order.
“An effective and consistent controls environment is key to preventing cyber-attacks”, he continues, “including those that are far less sophisticated than this one. This includes technology, process and critically people based controls. We know that over 90% of all cyber-attacks start with the unwitting action of a member of staff, i.e. they click on a link, open up an attachment contained in an email or innocently provide a critical piece of information to an attacker. The impact on the company or to us individually can be devastating.”
AXELOS is a joint venture between the UK Government (Cabinet Office) and Capita plc. They own and develop global best practice, including ITIL, PRINCE2 and RESILIA, used by millions of users in thousands of organisations around the world. Find out how Unicorn can help safeguard your entire organisation with our RESILIA cyber awareness learning here – brought to you through our partnership with AXELOS.
Alternatively, read more about Cyber Crime at the BBC website here.
Unicorn and AXELOS RESILIA working together to improve workforce behaviours through innovative cyber awareness learning
AXELOS has launched a comprehensive new suite of cyber awareness learning, in partnership with Unicorn, to meet the challenging demands all organisations face in managing their vulnerabilities to growing cyber risks.
Nick Wilding, Head of Cyber Resilience at AXELOS Global Best Practice, has laid down the gauntlet to firms in their fight against cyber crime, insisting, “Whatever you’re doing to improve cyber resilience and raise awareness, skills and insight amongst all your staff, you can never do enough.”
Upwards of 90% of successful security breaches are regularly being attributed to human error, regardless of a person’s role or responsibility. Just as organisations regularly evolve and adapt their technical security controls throughout the year, so too should they be providing engaging, regular and easy-to-understand learning that will help to embed and sustain more resilient behaviours among all their staff.
AXELOS is a joint venture between the UK Government and Capita plc.
Its RESILIA cyber resilience best practice portfolio puts staff at the heart of an organisation’s cyber resilience strategy and gives companies the confidence to recognise, respond to and recover from cyber attacks effectively. The portfolio includes certified training, all staff awareness learning, leadership development and a maturity assessment tool. The RESILIA cyber awareness learning modules are hosted on Unicorn’s award-winning learning and development platform, SkillsServe.
Typically if companies have carried out any information security awareness training, staff have been put through an uninspiring annual eLearning course, which has little or no impact on embedding good cyber resilient behaviours within the workforce. But Nick believes organisations cannot continue to rely on this ‘compliance-based’ approach to cyber awareness if they are going to successfully manage their ever-changing cyber risks.
He said: “Every individual within an organisation can be a target. No one is immune, so everyone has a critical role to play in protecting their organisation’s most valuable and sensitive information.
“Providing your staff with engaging and innovative learning programmes to promote genuine cultural change and understanding is critical. The learning should be ongoing and regular, short and practical, adaptive and personalised with the option to learn inside and out of work hours.
“RESILIA’s new cyber awareness learning modules include games, simulations, animations, videos, eLearning, posters, plus refresher learning and ‘up-front’ tests to meet the demand for both operational efficiency and learning effectiveness.”
Mark Jones, Commercial Director at Unicorn Training, added: “The cyber resilience module is designed to suit all individuals regardless of their preferred learning style or when and how they like to undertake their learning, with SkillsServe supporting 24/7 mobile just-in-time learning at the point of need.
“This approach gets to the heart of cyber resilience – enabling all staff to take personal responsibility for better protecting their employer’s most valuable and precious information.”
SkillsServe is the world’s top-ranked LMS for financial services and fourth overall in the learning industry-renowned 2016 Top 50 Global LMSs Report. For more information visit www.unicorntraining.com/off-the-shelf-content/cyber-resilience/
As Dido Harding, TalkTalk CEO, described cybercrime as “the crime of our generation,” Unicorn’s Mark Jones talks cyber resilience ahead of Learning Technologies 2016.
Tucked away in the Chancellor’s 2015 Spending Review and Autumn Statement before Christmas was a small but not insignificant nugget that would have been missed by most commentators.
The government is committing £1.9bn by 2020 to support a comprehensive programme of cyber security prevention measures.
Recent high profile cases, including TalkTalk and VTech, have again highlighted how the cost of cyber security breaches is rising dramatically. Yet too often technology is still seen as the solution, when in reality it’s regularly reported upwards of 90% of successful breaches are down to human error.
In the wake of their breach, Dido Harding, TalkTalk CEO, described cybercrime as “the crime of our generation,” and moves like the Government’s budget pledge merely serve to reinforce her view.
Last summer, we partnered with AXELOS – a joint venture between the UK Government and Capita plc – to help raise awareness of the critical importance of staff engagement in countering the threat of cyber crime following the launch of AXELOS’s RESILIA Cyber Resilience Best Practice portfolio.
The aim was to provide a platform – SkillsServe – for RESILIA’s suite of cyber resilience learning modules to help address an issue that is infinitely more about people and training than computers and technology. Critically, SkillsServe’s ISO 27001 security certification confirms its status as a secure portal, free of the vulnerabilities experienced by other open source, higher-risk solutions, while SkillsServe’s position as the world’s top LMS for financial services adds further credibility to the learning.
In this month’s T-C News, Unicorn’s Commercial Director Mark Jones analyses how effective and engaging training can help firms better manage their ever-changing cyber risks.
Backed by the expert insight of Nick Wilding, Head of Cyber Resilience, AXELOS Global Best Practice, Mark observes how “no matter what you’re doing to improve cyber resilience and raise the awareness, skills and insight amongst all your staff, you can never do enough,” before concluding, “The impact of not engaging all your people is too great a risk to take for most – are you ready to make a change?”
Meanwhile if you want to learn more about getting your staff up to speed with cyber resilience come and see us at Learning Technologies 2016 conference and exhibition, at Olympia, London on Wednesday 3 and Thursday 4 February, where Unicorn will be on Stand P14. Register for free entry to the Learning Technologies and Learning and Skills 2016 exhibitions and seminars at www.learningtechnologies.co.uk
Unicorn, the global top five LMS provider, is taking a central role in helping tackle the global risk from cyber-crime by working alongside AXELOS – a joint venture between the UK Government and Capita plc – to raise frontline cyber awareness to up to one million users worldwide.
With over 110,000 cyber-attacks happening every hour, cyber-crime is one of the biggest threats to the global economy. Breaches in IT security, and their expensive, often crippling consequences, make the news almost daily, from high-level global violations to localised infringements.
AXELOS Global Best Practice has recently launched its new Cyber Resilience Best Practice portfolio – RESILIA – aimed at putting employees at the heart of an organisation’s cyber resilience strategy and providing companies with the confidence they need to recognise, respond to and recover from cyber-attacks effectively. As part of this, Unicorn has partnered with AXELOS to host a comprehensive suite of learning modules on Unicorn’s award-winning LMS SkillsServe.
For those with an existing LMS, Unicorn supports an LCMS option. This will allow users to adopt a learning method that suits them, encourage positive cultural change and gain the necessary information to fight cyber-attacks. The modules include gamification, animations, video, eLearning, posters, refreshers/reminders plus a test element.
Nick Wilding, Head of Cyber Resilience at AXELOS, explains: “Everyone has a role to play on the frontline of cyber-crime prevention, and RESILIA helps firms recognise and accept that through delivering compelling content that goes over and above traditional Information Security training to create real cultures of cyber awareness.
“Organisations have typically been happy doing once a year IS awareness training and haven’t invested considerably in solutions as nothing is mandated to say they and their employees must do X, Y and Z. But the costs, financial and in terms of reputational damage, customer confidence and operational stability, of a cyber-breach can be catastrophic and this threat is increasing on a daily basis worldwide.”
Mark Jones, Unicorn Commercial Director, continues: “This project gets to the heart of supporting learning about the cyber risks that staff face, their personal responsibilities for their employer’s cyber resilience, and how we can all develop a positive culture of cyber awareness across our organisations.
“The design innovation has been carefully considered to meet the needs of all individuals regardless of preferred learning style or when and how they like to undertake their learning. SkillsServe supports 24/7 mobile JIT learning at the point of need. Meanwhile, depending on their experience and knowledge, learners can do a test first, which can equate to large time, and ultimately cost, savings for a business.”
RESILIA Awareness will continue to evolve in line with changing conditions, needs and possibilities, including role and sector specific learning. Through its scope and flexibility it can become the core of a tailored programme to build cyber resilience awareness across your organisation. RESILIA supports organisations in showing best practice towards FCA regulatory requirements or ISO standards requirements.
SkillsServe is ranked fifth overall and number one for financial services in the learning industry-renowned 2015 Top 50 Global LMSs Report. For more information visit http://www.unicorntraining.com