The majority of workplaces have probably never had the misfortune of suffering a fire – but most will still have measures in place to protect people should things suddenly spark up. You’ll barely notice fire extinguishers, alarms, fire marshals, signage, escape routes and drills these days, but they’re there.
But how many offices can say they offer the same level of protection against cybercrime? Invisible hackers may present a more abstract threat than that of smoke and flames sweeping through your canteen, but in the hyper-connected 21st century, online attacks represent a very real – and raging – danger.
The risk of such attacks was thrown under a spotlight this past weekend after several NHS trusts, and hundreds of other organisations around the world, fell victim to a so-called ransomware attack that put their computers out of action. Even today some patients are being told to steer clear of their GPs.
It’s a big blow to the health service but it shouldn’t come as much of a surprise given the number of attacks in recent months. Three Mobile and Sage both suffered major hacks last year, as did Tesco Bank, which saw around 20,000 of its customers lose money from their accounts. Overseas, Yahoo recently discovered it had been the victim of two huge data breaches: one in 2014 that affected 500 million user accounts, and another the previous year involving more than a billion.
If all this was unthinkable only a few years ago, the threat is only going to become much more familiar: tech research company Gartner predicts that, by 2020, 21 billion devices will be connected to the Internet of Things – that’s 21 billion computers at work in everything from phones and laptops to fridges, cars, traffic control networks and heating systems, sharing data with each other. The more devices that are networked, and the more sensitive the data and the more important the functions they handle, the more hackers have both the means and the motive to attack organisations.
But if the risk to the integrity of a company’s data feels stark enough, these same attacks also pose a threat to the wellbeing of employees. In 2013, Iranian hackers gained unauthorised remote access to the control room of the Bowman Avenue Dam, a flood defence system in New York State. Fortunately the facility was shut down for maintenance at the time. An Iranian nuclear plant had already become the first victim of Stuxnet, a worm that attacks industrial control systems. And then there was the public water company that was infiltrated by ‘hacktivists’ through vulnerabilities in its online customer-payment portal; the hackers changed the chemicals added to the tap water of thousands of residents. Meanwhile a German government agency revealed how hackers had breached a steel mill and wrecked one of its blast furnaces.
At this point it should be clear that cyberattacks are no longer merely an IT issue. As soon as employees and customers can be hurt by an attack, it becomes a matter of health and safety. As such, the Institution of Occupational Safety and Health (IOSH) argues that safety and health practitioners shouldn’t just be involved in meetings about cyber security – they should be running the programmes.
There are, at least, plenty of steps companies can take for protection, advises IOSH. First up – secure your systems. Everything should be password protected. Use different passwords for each system, and change them regularly. You could also look to two-factor authentication, where a password and ID verification are required to access your devices. And keep your systems up-to-date – the NHS attack seems to have come about because the trusts were using Windows XP, Microsoft’s now-unsupported operating system.
There are smarter solutions. The latest harness artificial intelligence to learn everything about a network’s normal behaviour in order to spot activity that could be threatening. External contractors can also be brought in to provide penetration testing, a benign hack where they break into your system to find out how easy it is and show you where your vulnerabilities lie.
Yet there’s one final measure any company can introduce to greatly reduce the threat from cyberattacks: educate your staff. It’s commonly held among security professionals that humans represent the biggest vulnerability in any network – failing to log out of public machines, being talked into handing over sensitive information or, as may well have been the case with Stuxnet, simply picking up an infected USB stick in the company car park and trying it on their machine.
Increasing awareness of cybersecurity risks goes a long way to preventing the fire. And while cyber resilience may feel like another unwelcome drain on resources, it can in fact be a valuable business tool: if you can prove your systems are secure, you will of course win more business and greater trust from customers. But there’s a greater benefit here too: you’ll also keep your team safe and secure. And research has shown how a safe and happy workforce can have a huge impact on your bottom line, through better staff retention, increased productivity and greater innovation. The alternative? You may end up getting your fingers burned.
For more ideas on how to build bulletproof health and safety, and for more on the government’s standards and guidelines, visit the Institution of Occupational Safety and Health