Raising awareness of cyber security
Most people have heard about WikiLeaks, phones of important politicians being hacked, and fraudsters using sophisticated equipment to copy details of clients’ credit cards to then siphon off cash from their accounts. To those who have not been affected by such modern maladies these stories may sound like science fiction. But the chances of becoming a victim of cybercrime are very real.
Cyber security has been defined as a body of technologies that focus on protecting computers, networks, programmes and data from unintended or unauthorised access, change or destruction. Government departments, the police, private organisations, financial institutions, and other groups collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers.
With the growing volume and sophistication of cyber attacks, continuous attention is required to protect sensitive business and personal information, as well as protect people from security and safety risks. Only recently yet another successful attempt was made to steal money from customers’ accounts through the ATM systems that our banks operate.
It is therefore worrying to read the latest NAO report that noted “that there is a general lack of cyber security awareness among government entities”. Some of the weaknesses mentioned in this report are quite alarming, the more so because it takes very little effort to adopt good practices.
Antivirus and anti-malware protection is so easy to implement and does not cost all that much to install on all government entities’ networks and computers. Equally important are disaster recovery and business continuity plans that need to be tested on a regular basis to ensure they will work in an emergency. In our hospitals, for instance, it would be totally unacceptable not to have a functional business continuity plan should the computer system that, among other things, holds the medical records of patients fail at any time.
The NAO report also pointed out that some small government entities outsource their IT function. This may be an ideal solution as it could reduce IT operational and maintenance functions carried out in particular entities. However, the ultimate responsibility for managing the outsourced services will always rest with the government entity’s management. The report goes further and states “that in most of the selected audited sites, best practices are not being followed in terms of password complexity, password expiry, password history and the need to force the users to change passwords upon first log-on”.
These are relatively simple procedures that can easily be followed if the will exists to do away with complacency to ensure cyber security. The risks of cyber security laxness are various. Among these dangers are viruses erasing entire systems, someone breaking into a computer system and altering files, someone using a computer to attack others, or someone stealing credit card information and making unauthorised cash withdrawals or purchases.
Even with the strictest cyber security controls, there is never a 100 per cent guarantee that some of these things will not happen to some people, but at least the chances of failures will be minimised.
The big challenge facing IT security personnel is to define processes that are user-friendly, as otherwise many will fear using their computers to communicate with government departments, or to purchase online through e-commerce.
Banks invest heavily to make their digitalised services secure but also user-friendly. Government entities have no option but to follow suit.