When it Comes to Information Security, Pobody’s Nerfect

When we think about security and vulnerability, it’s tempting to sometimes believe there is a ‘fix’ to security issues; that with enough energy and funding it is possible to banish even the possibility of an information security ‘incident’. Though there is certainly something to be said for proper funding, and indeed an energetic determination, we need only look around us to see how imperfect any effort will inevitably be.

A perfect example of this occurred early last year when it was discovered that thousands of websites had been hijacked by a nasty bit of crypto-mining code, in what is known as a “cryptojacking” attack. Amongst them were several UK government websites, including the Information Commissioner’s Office (ICO).

Hidden Cryptojacking Script

For the uninitiated, ‘cryptojacking’ in this case involved the insertion of a script into websites via a third-party plugin designed to help blind or partially sighted users. Once activated, the script essentially hijacks the visitor’s CPU power to ‘mine’ anonymous cryptocurrency, performing the complex mathematical computations that earn it on the attacker’s behalf.

This opportunistic piece of malware is thought to have affected over 5,000 websites, including the Student Loans Company, NHS services, councils and more, each infected and used to carry out perhaps the biggest attack of this kind ever seen.

Of all the potential targets of this fiendish plan, the ICO website is not the obvious choice, nor is it the kind of organisation that you would imagine to be susceptible to any sort of digital shenanigans. And though this particular exploit has been patched, the UK’s data protection watchdog, just like every company, organisation or website, has weaknesses that can be discovered and exploited.

Secure Culture

Though not exactly the ‘fault’ of the ICO, this incident of malicious cryptojacking is an opportunity to consider the role that humility plays when it comes to information security and how we choose to defend ourselves from the persistent threat of digital criminality and exploitation.

Having engaged with information security does not mean that an organisation is beyond the possibility of a security incident, though it is one of the best steps that can be taken to help mitigate the risk that faces us all.

An integrated view of cybersecurity is one that doesn’t merely treat this threat as an issue of compliance, or even an occasional training session, but as an ongoing effort to continuously empower employees to propagate an information-secure culture themselves.

No Longer Profitable

It’s clear that in 2019, a lax attitude towards information and data security is neither reasonable nor sustainable. A company that neglects this integral element of its security strategy will likely find itself in hot water, not only from a GDPR perspective, but also with regard to its internal confidential information.

“Your organisation relies upon its intellectual property, reputation and finances to remain competitive”

Simon Fraser, Managing Director, Hut Six

With an estimated 77% of all UK employees not having received any form of information security training from their employer, a shocking proportion of UK organisations are taking a big risk in failing to minimise careless or negligent behaviour.

Given the prevalence and effectiveness of phishing attacks, as well as their increased potential impact, the avoidance of phishing emails, at the very least, should be considered a basic requirement by all UK organisations. With around 32% of all breaches still involving phishing, this kind of information security awareness training must be considered foundational for an organisation wishing to instil a secure culture mindset.