In the second part of our interview with Greg Sim, the CEO of cyber security firm Glasswall Solutions, he explains why we not only need to be careful about what emails we open but also what information we leave in the public domain…
“If an organisation comes out and says ‘we’ve not been attacked’ it really means they don’t know. We find things every single day when companies don’t think anything has happened. And the bulk of attacks come in a very simple form – emails and email attachments, PDFs, Word documents, images, audio and video files.
With phishing you get a range of attacks, some of which are a product of simple human error where the email doesn’t even look right but somebody still clicks on a link or opens an attachment, right through to the ones that appear to be from somebody you know but, in actual fact, come from somebody who has managed to get your email address.
Another problem is that we leave a lot of data lying around and information about ourselves through social media.
This gives a hacker the ability to build up a picture.
We did a demonstration for a large organisation that showed how we could hack into their system in 15 minutes simply by using social media.
The question was, would the person that we targeted open the file that we attached to our email?
We looked on LinkedIn and our target had written a research paper for a certain publication.
For the publication where it appeared we fished out a domain name that had the same title but instead of ending it with .co.uk we ended it with .news. That cost us £25.
We looked at the research paper, because that was in the public domain, and sent an email that looked as if it came from the publisher to say ‘Dear Dr. XXXX. That was a great article. We enjoyed doing that. Here’s another one we’d like you to review. Please have a look and let me know what you think.’
So, I ask the question again, do you think that person would open the document?
The hacker wasn’t after him, he was the entry point into the organisation that he worked for and the file we would have used was a genuine Russian ransomware attack file.
Cyber used to be a procurement exercise. So the techie guy got his budget for a year, and included within was security. It ticked a box and it didn’t hit the Profit & Loss.
In a relatively short period of time, it has become a completely different issue but the fundamentals are the same. There are far too many companies that are viewing Cyber as a technology risk when it is fundamentally a business risk.
What you’ll find, going forward, is that for big companies not only will there be Chief Information Security Officers but also Chief Information Risk Officers whose role is to understand the business risk to their organisation. You see that a lot more at the large banks.
And they will ask the same question, ‘what are we doing in terms of technology to protect ourselves against those risks?’
When it comes to cyber security, there is still a lot more education to be done.”
Greg Sim, CEO, Glasswall Solutions
Greg Sim is the CEO of Glasswall Solutions, an award-winning UK company that specialises in providing online security for large organisations. He has appeared on a host of TV shows including Sky News as well as newspapers and news websites such as the Wall Street Journal, Huffington Post and CNBC to talk about hacking and data breaches.
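A defender-side check for the same-name, different-ending domain described in the interview, as an added example that is not from the interview or from Glasswall: it flags a sender whose registered name matches a trusted publisher while the domain ending differs. The domain names, the short suffix list and the function names are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed, partial list of multi-label public suffixes (assumption);
# a production check would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def split_domain(domain):
    """Return (registered_label, suffix) for a host name, e.g.
    'mail.examplejournal.co.uk' -> ('examplejournal', 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def classify_sender(from_header, trusted_domains):
    """Classify a From: header value as 'trusted', 'lookalike' or 'unknown'.

    'trusted' only means the domain text matches; whether the mail really
    came from that domain is a separate question for SPF/DKIM/DMARC.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if not domain:
        return "unknown"
    label, suffix = split_domain(domain)
    verdict = "unknown"
    for trusted in trusted_domains:
        t_label, t_suffix = split_domain(trusted)
        if label == t_label:
            if suffix == t_suffix:
                return "trusted"
            # Same registered name, different ending: the pattern above.
            verdict = "lookalike"
    return verdict


def flag_lookalikes(from_headers, trusted_domains):
    """Return the headers whose sender domain imitates a trusted one."""
    return [h for h in from_headers
            if classify_sender(h, trusted_domains) == "lookalike"]
```

Senders flagged as lookalikes are candidates for quarantine or a warning banner before the message reaches the recipient.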