Cyber Security

Cyber Security is the protection of devices, services and networks - and the information on them - from theft or damage via electronic means.

There are three common myths concerning cyber security. Understanding why they're incorrect will help you understand some key aspects of cyber security.

Reality: You don't need to be a technical expert to make an informed cyber security decision.

We all make security decisions every day (whether to put the alarm on, for example) without necessarily knowing how the alarm works.

Reality: Taking a methodical approach to cyber security and enacting relatively small changes can greatly reduce the risk to your organisation.

The vast majority of attacks are still based upon well-known techniques (such as phishing emails) which can be defended against. Some threats can be very sophisticated, using advanced methods to break into extremely well defended networks, but we normally only see that level of commitment and expertise in attacks by nation states. Most organisations are unlikely to be a target for a sustained effort of this type, and even those that are will find that even the most sophisticated attacker will start with the simplest and cheapest option, so as not to expose their advanced methods.

Reality: Many cyber-attacks are opportunistic, and any organisation could be impacted by these untargeted attacks.

The majority of cyber-attacks are untargeted and opportunistic in nature, with the attacker hoping to take advantage of a weakness (or vulnerability) in a system, without any regard for who that system belongs to. These can be just as damaging as targeted attacks; the impact of WannaCry on global organisations - from shipping to the NHS - being a good example. If you’re connected to the internet, then you are exposed to this risk. This trend of untargeted attacks is unlikely to change because every organisation - including yours - will have value to an attacker, even if that is simply the money you might pay in a ransomware attack.

A good way to increase your understanding of cyber security is to review examples of how cyber-attacks work, and what actions organisations take to mitigate them.

In general, cyber-attacks have 4 stages:

Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities.
Delivery - getting to the point in a system where you have an initial foothold in the system.
Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
Affect - carrying out activities within a system that achieve the attacker’s goal.

Employees, senior executives or stakeholders in organisations are often the target of cyber-attack, because of their access to valuable assets (usually money and information) and also their influence within the organisation.

Attackers may try and directly target your IT accounts, or they may try and impersonate you by using a convincing looking fake email address. Once they have the ability to impersonate you, a typical next step is to send requests to transfer money that may not follow due process. These attacks are low cost and often successful as they exploit the reluctance of staff to challenge a non-standard request from someone higher up in the organisation.

Good cyber security awareness throughout the University, security policies that are fit for purpose and easy reporting processes all help to mitigate this risk.  You should also consider how information about you (that is publicly available) could assist an attacker who is trying to impersonate you.