How to find your inner ‘cyber defender’
16 October 2024
A “back to basics” and “honest” approach to personal cyber security can help NHS staff make larger improvements at work, writes Nasser Arif.
“Put your oxygen mask on first before helping anyone else with theirs.”
We have all heard this during those aircraft safety videos, and we may feel tired of hearing the same advice flight after flight. But we understand how important this message is. The idea is that if you run out of oxygen, you will no longer be able to help yourself survive, let alone anyone else. We all lose in this scenario.
Let’s apply this mindset to cyber security.
If we are not conscious of our personal cyber security behaviours, are we truly prepared to enforce these through policies, frameworks and all the mandatory training that we ask staff members to complete?
Our digital footprint
The use of social media and technology has radically changed how we operate. We tend to share our lives with others, sometimes by simply sharing our opinion online. Personal data such as our names and interests are all out there waiting to be discovered.
Our digital life is no longer a separate entity; it plays a pivotal role in our day-to-day existence. Business and leisure all on one device, commonly protected by an email address and password.
The state of cyber security
The healthcare industry has come a long way since the WannaCry ransomware attack in 2017.
The NHS is adopting the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), providing benchmarks to measure the effectiveness of our ever-evolving cyber strategies.
Organisations are incorporating business continuity and disaster recovery planning into boardroom agendas. They are also investing millions into new security systems as well as the workforce to support this.
Cyber security awareness is slowly becoming a hot topic in digital departments, and I love seeing cyber improvements taking place at an organisational and national level.
However, cyber incidents are still on the rise, both in and out of the workplace, often targeting the individual first before the organisation.
Master the basics
It is imperative that we master the basics of personal cyber security so that we can appreciate the larger improvements that need to be made.
Cyber security incidents often start with a form of social engineering, such as phishing. Social engineering is the practice of manipulating a target into allowing access to sensitive data.
We have all received phone calls claiming to be from our bank (asking us to confirm sensitive details), or unexpected text messages asking us to confirm our delivery details, or been bombarded by irritating pop-ups telling us our computers are infected.
You may have also won a social media competition without entering it or been invited to a group chat full of strangers.
Exploiting our natural human curiosity, phishing comes in many forms, such as email phishing, vishing (voice-based), smishing (SMS-based), spear phishing (targeted), whaling (high-profile targets) and my new favourite: quishing (QR codes).
These scams are all designed to catch us off guard as we go about our day. They aim to create a sense of urgency and panic so that we perform an action without really thinking about the consequences.
What can we do?
As individuals within the digital space we need to build and improve upon our own cyber resilience. It’s time to take more ownership of our digital lives.
Let’s go back to basics and be honest with ourselves. Here are some simple questions to start your cyber journey:
- Are you using unique passwords for all your online accounts?
  If someone had access to one of your accounts, think about what else they could gain access to using this data.
- Are your passwords complex or convenient?
  Passwords containing known information about you and your workplace are easier to guess.
- Organisations are enforcing multifactor authentication (MFA), but are you?
  MFA provides an additional layer of security, such as a unique code, so the username and password alone are not enough to access the account.
- How often do you review account privacy and security settings?
  Get into the habit of reviewing them and taking back control of what you are sharing online. This includes setting account recovery options: your personal disaster recovery plan.
Make sure you know how to protect yourself so that you are in a stronger position to empower those around you to do the same.
Let’s focus on building and maintaining a cyber defender mindset, no matter where we are. It is only then we can become truly resilient.
Nasser Arif is cyber security manager at London North West University Healthcare NHS Trust and The Hillingdon Hospitals NHS Foundation Trust.