Growing your own hacker
One of my favourite stories about how the world is changing is of the CEO of one of our leading technology companies being shown round a classroom. The great man stopped by the desk of a young girl using an iPad. “Who taught you how to use that” he asked? She looked at him in amazement “No one – I just turned it on and used it”.
There is a lesson in here for every business leader, of companies large and small. While you may think you have the most secure firewalls and software protecting their company, young people are instinctively spotting and working their way through its ‘holes’ and hacking money, information and contacts.
What can you do to protect your business?
In 1999 Dr SugataMitra, Chief Scientist at NIIT, the Indian Learning Management company carved a “hole in the wall” that separated the NIIT premises from the adjoining slum in Kalkaji, New Dehli. Through this hole the local people could access for free a computer. It was a huge hit, especially with the children. They learnt to use the computer on their own, no prior experience, no computing degrees were needed.
Dr Mitra concluded: “The acquisition of basic computing skills by any set of children can be achieved through incidental learning provided the learners are given access to a suitable computing facility, with entertaining and motivating content and some minimal (human) guidance.”
I was reminded of this when I read that TalkTalk had been hacked not by sophisticated terrorists, or by highly resourced teams of hackers employed by foreign governments but by a 15 year old.
Now, you may ask, why does this matter? Isn’t it just that TalkTalk was unlucky or hadn’t taken the proper precautions? Well, both of those things may be true but I think there is a more profound lesson that companies need to learn. Hackers are everywhere. They are often smart, young digital natives. You do not need a degree in computer science to be a good hacker, just access to a device.
Digital security should be on or close to the top of every Board agenda. It should account for a significant portion of spend on risk. If you doubt that for a moment, then look at what happens to the share price of companies whose customer details are hacked into.
So, let’s assume that you are a Board that takes this really seriously, what can you do? I’ll look at three types of organization.
Hacker targets – GCHQ
If you are GCHQ then you are up against some very nasty people with huge resources and great skill and you generally have the resources you need to counter what they are doing. If you are a major bank the same should be true although history has demonstrated that it is unwise to rely on that fact.
There are the large companies with IT departments. IT are handed the problem but IT are one of those areas that, except in the most enlightened companies, are generally overstretched and under-resourced to start with. Boards of these companies need to make sure that there is proper resourcing and that the systems are tested all the time. There are plenty of consultants who will try to break into your systems. Hire them and listen to what they find. It may surprise you. But don’t imagine this is a one off exercise – the hackers are very smart and move very fast.
But what if you run a smaller company without a well-resourced IT department, where IT is just one part of someone’s job – or possibly part of no-one’s job. If you are a smart Board or business owner then you need to do some lateral thinking.
You have limited budget and limited skills and possibly this is not an area you feel you need to focus on. The first thing you need to do is to realize that you are a target. You may not understand why, but you may have a disgruntled employee, an unhappy customer or just the lad sat in his bedroom down the road trying out his hacking skills.
Once you have understood this then look at what you can do
- Look at the processes for keeping your systems up to date and backed up. Security fails for the simplest of reasons “I just didn’t have the time to do the updates, change the passwords, I needed to leave the passwords where my colleague could find them etc”
- Make sure your systems are kept up to date. This generally costs time rather than money – it may save your business. After all, you would not leave the keys to the safe on the reception desk would you?
- Keep the minimum of information that you need to keep about your customers and your employees. Many companies keep far more than they need
- Back up, back up and then back up your data.
- The big companies pay expensive consultants to try and break their systems. You could probably achieve the same thing by finding that smart 15 year old
There is plenty of research around showing that cyber security is one of the top worries of chief executives, but what are they doing about it?
For more ideas, the Guardian wrote a piece last month summing up what experts say businesses should do. The first – raise the profile of cyber security in the boardroom – has to be the most critical?