By Timothy J. Zammit - Inspector of Police, Cyber Crime Unit, Malta Police Force
In an increasingly connected and digital landscape, no one is immune from cyber crime. The past months have been, understandably, dominated by the COVID-19 pandemic. The simplicity of some of the basic preventative measures communicated by the health authorities has been an eye-opener: wash your hands regularly, clean objects and surfaces frequently, avoid crowded places and stay away from others when you are sick. These are steps that we have been taught to follow from a very young age and yet we still needed to be reminded of them. This brings me to what I believe is any organisation’s silent killer: complacency.
Organisations operating in financial services need no introduction to the term “risk-based approach”. This model can also be applied to cyber crime prevention. Whilst there is no magic checklist that can be applied throughout, organisations should - as a minimum - be asking themselves some very basic questions. The rest of this article will discuss what this risk assessment process should consider.
How important is the information I am handling? Why should I protect it?
Data can take the form of client lists, financial information, employee details as well as security documents. Unauthorised access to such information can have devastating consequences for a company, both on a commercial front and from a regulatory point of view. Furthermore, one of the most long-lasting effects is the reputational damage following a cyber incident.
What policies should I put in place?
Having no policies in place is a recipe for disaster. An organisation should lay down the parameters that regulate how, by whom and why its information is accessed. Policies about the use of personal devices, passwords and information security are amongst the most common policies that organisations implement. Organisations must also, however, have clear policies in place outlining procedures related to the disclosure of information (both internally and externally), the authorisation of financial transactions and employee resignations. As well as aiding consistency, policies are also beneficial to an organisation since they instil accountability.
Are users aware of their duties and responsibilities?
The human element has long been considered the weakest link in the cybersecurity chain. Some cybersecurity specialists now consider this a misnomer, since they argue that employees can be a powerful asset in the fight against cybercrime. By regularly providing training and engaging them in improving policies, employees become key determinants of an organisation’s overall attitude, culture and security.
What technical measures am I implementing? Who am I engaging to do this?
Organisations need to ensure that all devices connected to their network and having access to their information are kept up to date and protected with security software. Technical measures, such as the use of dashboards and alerts, must also be implemented; these ensure that policies are being observed. The deployment and monitoring of an organisation’s ICT infrastructure, especially when outsourced, must be entrusted to reputable entities with a proven track record.
What should I do when something goes wrong?
An organisation’s ability to detect and recover from a cyber incident can determine its long-term survival. As well as having in place escalation procedures and incident response protocols, technical staff must be within easy reach of staff who may want to double-check any suspicious activity they notice.
In such a fast-moving environment, organisations are tempted to overlook basic precautions which can reduce the risk of being victimised through cybercrime. Indeed, the maxim “Not If, But When” should serve as a constant reminder that, in an increasingly connected and digital landscape, no one is immune from cybercrime.
The Police Cyber Crime Unit can be contacted on telephone numbers (+356) 2294 2231/2 or email address [email protected].