Most people in the building services industry will probably never consider a cyber attack a potential threat to their business; ordinarily they protect against physical threats such as theft. But a cyber attack can occur at any time and can be enough to devastate a business, and it’s likely most in building services will have access to some sort of network.
Cyber attacks can happen at any time, on any scale, through any device connected to the network. The length of time a cyber breach goes on, and the time it takes to contain, correlates directly with the amount of data lost and, in turn, the amount of money lost from the business.
If your business is in any way dependent on, or an active part of, a supply chain, which it likely is in building services, then your cyber security is as important as that of all others in the chain – the cyber security capabilities of each business in the supply chain have a direct impact on every other business.
What is the scale of cyber attacks?
According to the Cyber Security Breaches Survey: 2020, 46 per cent of businesses overall have identified breaches or attacks in the last year. The survey details that the most common type of cyber attack is phishing, which it explains further:
“Staff receiving fraudulent emails or being directed to fraudulent websites. This is followed, to a much lesser extent, by impersonation and then viruses or other malware. One of the consistent lessons across this series of surveys has been the importance of staff vigilance, given that the vast majority of breaches and attacks being identified are ones that will come via them.”
For small businesses and those that act as part of a supply chain, this passage from the report really makes it clear just how important knowledge of cyber security is, not just for the IT or security teams, but for everyone in the business with access to the network, as each person can be considered a viable target for attackers. The impact of these attacks can be seen in the image below, taken from the report.
We’re all targets: Phishing attacks explained
A phishing attack is a type of social engineering attack in which threat actors masquerade as a trusted entity. The recipient of an email, telephone call or text message is misled into providing sensitive information to someone they believe is a trusted person.
This method of attack is usually accomplished by luring the victim into clicking a malicious link, which can trigger the installation of malware, a ransomware attack or the disclosure of sensitive personal information, such as banking passwords and credit card details.
Some of the most recent and sophisticated phishing campaigns have come from those posing as the US Centres for Disease Control and the World Health Organization (WHO), targeting victims with malicious links.
Technology can only provide so much protection
Technology can detect when there is something obviously wrong, but it’s looking for facts rather than intent. In fact, studies show technology does stop about 999/1000 phishing and virus emails. But, sadly, some still do get through – from the perspective of technology, these few phishing emails don’t necessarily look wrong. The emails contain text inviting you to a website, where you are asked to log in; to all intents and purposes it looks pretty normal.
It’s only when the context of the message and website is read that we can identify it as a threat; the intent is lost on technology. However, technology support is coming and developing in the form of artificial intelligence active defence campaigns from governments. But right now it still falls on us, as users, to identify the threat – this is why education for all staff is essential, because this is where technology cannot protect your business; only the people can.
What you and your employees should avoid and the FIVE steps to take
Good passwords: unique and long (more than 12 characters).
Use two-factor authentication wherever possible.
Education on the telltale signs of phishing.
Never share sensitive information with someone who rings you unexpectedly. Check who they are, find a contact number from some other source (e.g., an invoice or website) and ring them back. Legitimate businesses will be perfectly happy with this and grateful that you are taking precautions.
Double-check anything that seems unusual, especially when being asked to do something outside of the normal process.
The impact and benefits of good cyber security knowledge
If every employee in the business strives to do the right thing when it comes to cyber security, adhering to all of the processes that should be in place and remaining vigilant at all times, first and foremost over their own personal equipment that is connected to the network, then there is a 70 per cent lower chance of being attacked.
Education is key to keeping your business safe. Technology can only do so much to help; ultimately it will always come down to the staff to take ownership of security and any potential threats, and to know how to combat these in the right way. That only comes from education and investment in coordinated, strategic processes, like adopting the Cyber Essentials scheme and embedding it in the business.
Colin Robbins, managing security consultant at Nexor.