
We live in a dangerous world, with ever-increasing threats from cyber-criminals. How can you keep your organisation, its vulnerable people and its data safe?
What are the Threats?
There have been a number of high-profile attacks on prominent organisations, including the NHS and Marks and Spencer. However, maybe you think being a small, insignificant organisation makes you less likely to be a target.
Unfortunately criminals no longer need to be clever hackers. They can rent malware developed by others to mount their attacks. Large organisations may offer the richest pickings once breached. However, smaller organisations are less likely to have the expertise and resources to resist. Voluntary organisations in particular may be vulnerable, as they are unable to afford the latest, most secure systems and are heavily reliant on volunteers. Currently by far the biggest threat comes in the form of ransomware.
What are the Vulnerabilities?
Most security breaches result from human error, usually someone being tricked into disclosing or resetting a password. Criminals are now using AI to conduct highly convincing ‘phishing’ attacks to persuade victims to provide passwords to someone they think is a trusted colleague.
Passwords are clearly a source of vulnerability, but are there any better alternatives? Well, yes, now there is: passkeys. They are both easier to use and more secure. Many major companies such as Google and PayPal have introduced them as a login option. For a full explanation of how they work and their advantages read here. I would recommend that you switch to using passkeys where available, and give preference to software and services that support passkeys.
If you are continuing to use passwords, out of necessity or preference, then you should adopt Two Factor Authentication (2FA). This requires an additional method of verifying the identity of the user after the correct password has been provided. This is usually based on something the user owns, e.g. sending a text with a code to the user’s ‘phone, or generating a code in an ‘Authenticator’ app on the user’s ‘phone. The latter is similar to the security devices that some banks use to generate a unique code each time you log on. If the software or services you use are not offering 2FA then maybe you should consider switching.
Note that there is a vulnerability on some ‘phones where (for convenience) text messages are displayed on the lock screen, visible without the need to unlock the device. This could enable a stolen ‘phone to be used to access an account without the thief having to know the PIN. Therefore you should ensure that all users’ ‘phones have this feature disabled (via settings). This has been exploited in some well-publicised cases to access people’s Internet banking apps and steal large sums of money. So it should be easy to convince users to take the right action, in their own interests!
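To show what the ‘Authenticator’ app is actually doing, here is an added example (not part of the original article, and not any particular app's code) of the time-based one-time password scheme (TOTP, RFC 6238) that such apps use. The app and the service share a secret when you scan the enrolment QR code; from then on both sides compute an HMAC over the current 30-second time slot, so the code never travels by text message and a stolen lock-screen preview cannot reveal it. The secret value and account names below are constructed for illustration; the one-step verification window is an assumption that matches common server practice.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed shared secret (this value is the RFC 4226/6238 test secret,
# used here only so the output can be checked against the published vectors).
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current slot plus `window` slots either
    side to tolerate clock drift, and compares in constant time so timing
    differences do not leak which digits matched."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded into the enrolment QR code, carrying the
    base32 secret. This is the only moment the secret is transferred."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")


if __name__ == "__main__":
    # Hypothetical enrolment for a volunteer's account.
    print(provisioning_uri(SHARED_SECRET, "volunteer@example.org", "Example Charity"))
    # Code the app would show at Unix time 59 (second 30-second slot).
    print(totp(SHARED_SECRET, 59))
```

The server only ever stores the shared secret and a clock; nothing the user owns is revealed by presenting the six-digit code, which is why this kind of second factor resists the lock-screen weakness described above.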
Protection of Passwords
Obviously the best defence is to ensure passwords are never leaked. Staff and volunteers should be clear that a password should never be written down, and never disclosed under any circumstances to anyone else, not even to someone they think is a trusted colleague or system Administrator. No-one, not even an Administrator, should need to know anyone’s password. If an Administrator needs to access another user’s account, to investigate a problem or make some necessary changes, then they should either take over the user’s session by remote control, or temporarily reset the password to give themselves access. In the latter case the user may need to reset the password once the Administrator has finished their work.
Criminals often impersonate senior members of staff to trick Administrators into resetting the password on that person’s account, so they can gain access. So you should have strict protocols in place so that Administrators can verify the identity of the person making the request, e.g. contacting them via a known number. Note you cannot rely on the call appearing to come in from the ‘correct’ number, as this can so easily be spoofed. You need to empower and support Administrators to follow the protocol, even in the face of an angry VIP who has been inconvenienced.
“Do you know who I am? I’ve lost my ‘phone and I need this done now or the Company will go bust.”
“Yes I know who you are: you’re the person who will stand in court when we get sued for loss of confidential data. So sorry Sir, we need to do this properly.”
You should clearly instruct Administrators to never ask a user for their password. Therefore users will know that any request to disclose their password is either malicious or a breach of company policy, and can confidently ignore it.
Users can also be tricked into entering their password into a fake website that may convincingly resemble the real site. So users must be clear that they should only enter their login credentials on a site that they know for certain is genuine, i.e. the address they normally use to log in. And if they are given some unusual instructions to go to a different address they should check with a trusted source, e.g. the normal helpdesk.
Remote Control Software
Another common way that criminals gain access is by using remote access software. This is very useful for support technicians: it enables them to take control of your computer to investigate and fix problems. Obviously you should never download such software and grant access unless you are 100% sure that the person requesting access can be trusted and has a legitimate reason for it.
Obviously if you have called the help desk because of an issue with your computer you can follow the technician’s instructions with confidence. However, there may be occasions when a technician has to initiate the process, e.g. because they have identified a genuine issue with the user’s computer or need to make some changes. I would recommend that you have a protocol for such situations, requiring the user to contact the technician via a trusted route (e.g. a known number) to verify the legitimacy of the request. And don’t forget that crooks can keep the line open after you hang up, so you might still be talking to them even after redialling.
Never under any circumstances should you grant remote access as a result of an unsolicited call, even if it sounds like someone you know and trust.
