After Massive Twitter Hack, UK Cybersecurity Expert Shares Tips On How Businesses Can Protect Themselves

Cybersecurity has come to the public’s attention after the recent hacking of social media platform Twitter (TWTR).

The rise in the number of cyberattacks on companies and public institutions has become a huge concern.

Peter Yapp, the U.K.'s former deputy director at the National Cyber Security Centre and a partner at law firm Schillings, shared ways that businesses of all sizes can protect against an attack and make sure all hardware and software systems are up to date.

Prevention Is Better Than A Cure: Many businesses focus too much on threats and not enough on identifying vulnerabilities and their attack surfaces, Yapp said. It’s important to know your weaknesses and have an action plan, according to the cybersecurity expert.

We read a lot about cyber threats and attacks but, if they don’t directly relate to our organization, we tend not to take much action, he said.

And yet, when it comes to a breach, he said prevention is so much better than the cure.

“It might not have been your business today, but the odds are it will happen at some point — even if you’ve already been attacked in the past.”  

Every single organization should not only know where they’re vulnerable, but should have an incident response plan in place for when the worst occurs, Yapp said.

The most sophisticated IT teams will still make mistakes every now and then, and even the newest software services might not be as secure as they should be.

“If you just look at this incident and think, ‘I’m not a pharma company, so I see no threat from this,’ then you’ve really missed the point. You should be proactively protecting against every hacker and every kind of attack,” he said. 

Protect Your Data: As more businesses need to track customers, they are dealing with unprecedented amounts of data and often hope that their small size will protect them from being noticed by criminals.

Yet a lack of security infrastructure puts businesses at risk — so how can businesses best protect their customer data and their systems?

“Across the hacker community, people are always looking for ways to monetize things. So, if you have a vulnerability and they come across it, then they’ll take that opportunity,” Yapp said. 

The COVID-19 pandemic means more customers are parting with their personal data than they’ve needed to before, handing it over to pubs and restaurants that haven’t necessarily had to hold on to that information in the past, he said. 

“It’s personal data that tends to equal money. So, if you happen to be holding it anywhere unsecure — then that’s a massive red flag and you’ll likely be a target,” warns Yapp.

Update Your Software: The best way businesses of all sizes can protect against this is to make sure all hardware and software systems are updated, said the former NCSC deputy director. 

“While people often view software updates as a nuisance, they’re not. They are incredibly important in keeping security updated, and to plug existing holes in any systems,” Yapp said. 

“It’s also very important all staff who have access to customer databases have very strong passwords. The NCSC recommends picking three random words for this. Furthermore, the most business-critical applications should be supported by two-factor authentication, even if none of the other systems are.” 

It might take some time and effort to make sure that these practices are in place, but they will be invaluable in the long term, he said. 

Businesses must also take the time to educate their workforce and let them know they should report when something looks odd.

“They can either be your strongest or weakest link, so make them your strongest. Even in a team that’s had thorough security training, one in 10 people will click on phishing emails, so let them know they can come to you and tell you if that’s happened. Tell people how to stop them, how to notify you, and to let them know they can tell you without getting in trouble.” 

Don’t Treat Cybersecurity As An 'IT' Issue: It’s important to note that cybersecurity is a business risk like any other, and not just an IT issue that should be left to one particular team, Yapp said. 

“Unfortunately, we’ve grown up thinking that it needs to be left to very technical people, and it’s seen as a niche skill. That means that, as business leaders have progressed through the business, they’ve not tried to understand cybersecurity or seen how fundamental it has become to the whole of their business.”  

As these people came up through the business, they tended to leave security to someone else — the tech team — expecting them to sort it out.

But that’s wrong, Yapp said, as security is such an integral part of business now. It needs to be a boardroom issue, and the people at the head of the business need to take responsibility for it, he said.

“It should be treated like any other risk in the risk portfolio.”
