Police officers in Northern Ireland are frightened and their families and friends could be “jeopardised” after details were published in error, a former NI justice minister has said.

Naomi Long said some officers would consider their futures with the force.

In response to a freedom of information (FoI) request, the Police Service of Northern Ireland (PSNI) shared names of all police and civilian personnel, where they were based and their roles. 

The details were then published online. 

They were removed a few hours later. 

More than 300 police officers were murdered in Northern Ireland during the 30 years of violence known as the Troubles and officers and staff remain under threat from republican paramilitaries.

The Electoral Commission has revealed it has been the victim of a “complex cyber-attack” potentially affecting millions of voters.  The unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021.  Hackers also broke into its emails and “control systems” but the attack was not discovered until October last year.  So, for over a year this data was available to cyber criminals without anyone knowing about it.  It frankly beggars’ belief that there weren’t significant protections in place so that even if they breach was stopped, it was at least discovered and known about in a timely manner.

Unlike the attack on PSNI, this one was described as a sophisticated technical attack.

Data belonging to the University of the West of Scotland (UWS) has been put up for auction by a cyber-criminal gang.  The university first said it was facing a “cyber incident” earlier this month and police have been investigating.  The data has now been ransomed by the ransomware gang Rhysida, demanding 20 bitcoin (£450,000) for the confidential data and says it will be sold to the highest bidder.  UWS said it was a “victim of a cybercrime” and the attack affected several digital systems and staff data.  It has been reported by BBC Scotland that the incident has affected staff laptops, shut off around half of the university’s IT systems, and affected student submissions.

There remains a pervasive opinion within SME management, that ransomware only affects the big companies, that SMEs are just too small to provide a level of reward that cyber criminals are looking for.  I also said that there was evidence that when an SME gets hit, the amount asked for is quite small, from around £500 to £1000, and therefore many SMEs simply pay up.  There is of course a real danger there because often their data has already been stolen, and sometimes the criminal doesn’t release the data back to the company, leaving the SME not only out of pocket, but unable to continue with business.

How much better if you can avoid getting hit in the first place.  Here I list some ways that you could perhaps use to avoid the problem.

1. Arguably, the biggest and most effective step an SME can take is Cyber Awareness Training for staff. It is simply a fact that 90% of data breaches are caused by human error.  It is very unlikely that an employee will do something deliberately to damage your business.  But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing.  Cyber security awareness training remains the most significant step you can take in this regard.  You can’t expect your staff to help you avoid cyber security attacks if they don’t know what they are looking for.  Cyber security is NOT an IT issue, it’s very much a business issue and responsibility lie with everyone in the business.  Clearly this training needs to be part of an overall strategy, which again, need not be complex or onerous.  Most successful strategies follow the KISS principle – Keep It Simple Stupid.
2. The next reasonably low-cost thing that ties in with Cyber Awareness Training and a security strategy is robust, well thought out policies and procedures, that have been rolled out across the work force and are monitored to ensure they remain relevant and that they are understood by all. Giving an employee the means to check what they should do if they suspect there is something nefarious going on, is simply giving them support, it is not there to catch them out or to use as a stick against them.  Many SMEs don’t have any such policies in place and many others have downloaded specimens from the internet, topped and tailed them and expect them to be enough, which they very rarely are.
3. Next think about your backup strategy. Even when you are using a cloud-based provider, that doesn’t necessarily mean that your data is secure, although many providers would disagree, at least in their advertising.  How much better to have a strategy whereby your data is backed up overnight to a magnetic media storage point, which can be taken offline and stored in secure storage.  If you do that, then if you are subject to an attack and your data is locked up, you can have some or all workstations wiped and reloaded, and then have data restored from the tape, all of which would not take most SMEs offline for more than a day.  You then have a breathing space to sort everything out in the longer term.
4. Email remains the top attack vector for many attacks, and this is one of them. There are many products on the market that will tell you that they will block as many malicious emails as possible, and many of these are very good at what they do.  For an SME, it will nearly always come down to a matter of cost and some of these products are more expensive than others.  Unfortunately, there are still a considerable number of SMEs out there, either using the cheapest anti malware product they could find, or even a free product.  You get what you pay for and if its free, you’ve got a problem.  Any product you choose to use must be mitigating an identified risk.  If a risk hasn’t been properly identified and a product selected that covers that risk off, as well as it can be covered off, then you’ve quite possibly wasted your money.

There is a product on the market from a company called Platinum-HIT, which takes a very innovative approach to this.  Quite simply it blocks any executable not on your whitelist from running.  It takes a free 30 day evaluation for it to profile your network and build a list of executables that are in use daily by users.  So those that run your applications, email etc etc, and produces that list for human inspection.  Once agreed, that becomes your whitelist.  It’s extremely effective and so far, we haven’t found another product that takes this approach in blocking all forms of malware, including ransomware.

The overall message I would like to put across to all SMEs, is that you are just as vulnerable as anyone else, to this, and many other attacks.  Have you identified your risks?  Have you identified ways to mitigate those risks, enabling you to maximise your defensive spend.  Or have you just bought into an argument that says that you have a firewall and some anti-virus, you’re using a cloud provider and you’re therefore covered?  I’d welcome the opportunity to have that debate with you.

But is about defence in depth, marrying up people, process, and technology to give you the best protection you can afford.