Commenting on today’s announcement that experts believe the Tesco hacking incident may be the result of an ‘inside job’ or a failure in internal processes, the Institution of Engineering and Technology’s (IET) cyber security expert, Professor Roy Isbell, said: “While it’s inevitable that everyone will now point the finger at Tesco’s leadership for this security breach, it’s worth bearing in mind that most organisations in the UK could find themselves in a similar position.
“Any organisation is at risk of being hacked today, however good their security measures. This is mainly because, while most have plans for how to cope with a hacking incident, few actually practise those plans or give sufficient thought to how to continually educate and train their staff – starting with the induction process.
“It’s not uncommon for organisations to invest millions in cyber security technology countermeasures and protection, only to have this technology bypassed by an unwitting insider who succumbs to a social engineering attack. All staff have to be trained in how to recognise these attacks. There is a tendency to forget that even the most sophisticated cyber security plans can easily unravel if people at all levels of the organisation, including its leadership, are not fully aware of the latest trends and threats.
“Another common mistake is that access to information within companies tends to be based on two or three levels, reflecting the internal company hierarchy, rather than individuals’ ‘need to know’. The result is that far more people can have access to information than is necessary or ‘safe’.
“Ultimately, organisations and their management need to prioritise understanding their own cyber security risks and requirements, and then develop an effective strategy. Cyber security risks today come in many guises. The most common are criminal in nature by hacking customers’ information and finances. But all organisations that use technology are at risk from hacking. For example, for manufacturers with automated processes, hacking could result in a significant loss of production or intellectual property for the organisation – and ultimately its customers.”