It was just gone midday last Wednesday, the ideal time of day for me to exercise. I’d completed a brisk (at least for me anyway) 4 mile run loop up and down the river, I felt good, I felt energised, ready for the afternoon work ahead of me. This positive feel good energy was then replaced with a sense of frustration and a slight bit of tech. anger – all directed at my smartphone. My run had not uploaded from my sports watch to my Garmin Connect App and would therefore not register on Strava. As those in the running community will know, this means that the run simply did not happen.
After several attempts to sync my watch, re-booting my phone, re-booting my watch, even un-installing the app, I received a message into a group WhatsApp forum – “Garmin Connect was down”
It offered a slight bit of relief, assuming that the service would be up and running again soon. 6 Days have since passed and as we now know, it appears that something more malicious is going on, reportedly with Garmin being held to ransom by criminals.
- has my data been stolen and exactly what data does Garmin hold of mine?
- What value do I place on the data and how personally damaging could this be for me?
- Who would want to target Garmin and for what purpose?
- Will my run ever register?
I pause to think about how important it is for my fitness (physical and mental) that I can see the progress I make with my weekly exercise and show-off my running activity to my friends on Strava for kudos – after all, I could just go for a run without the tech and likely receive the same physical benefits. (The performance related benefits with or without GPS devices is a debate in itself.) But no, this is important to me and I am now feeling frustrated again.
The cause of the problem no longer resides with my phone, or my watch, or even user error (which it often is!), but who is the culprit here, is it the criminals who have had the audacity to hold Garmin to ransom (allegedly), or is it Garmin themselves for failing to put in place adequate measures to protect their infrastructure and the data they hold of their customers. I’ll leave you to decide for yourself.
My thoughts turn back to remembering some high-profile cyber-attacks in recent history
- Equifax – in 2017 the company had a data breach where the records of nearly 148 million people were stolen. This breach will cost Equifax £1.38 billion to resolve customer claims and Equifax have already reported to have spent $1.4 billion on changes to their infrastructure and security.
- Canva – in 2019 a data theft of nearly 137 million users took place, which exposed usernames, addresses and passwords of its customer base
- Marriott – in 2018 over 500 million customer records were stolen, including passport and credit card details. This has led to multiple class action lawsuits being filed. In addition, Marriott has been fined £99 million by the UK’s Information Commissioners Officer (ICO) and there are likely more costs to come!
- Yahoo – in 2014 over 3 billion accounts were compromised, if you had a Yahoo e-mail between 2012 and 2016 you can take part in a class action settlement, which is currently valued at $117 million!
- British Airways – in 2019, hackers diverted 500,000 customers to a bogus website where their data was compromised. The UK ICO issued BA with a £183 million fine!
Now, I haven’t stayed in a Marriott for years and I made a promise not to fly with BA again a long time ago, but I know full well that both of those organisations would hold some record of my previous business with them. So, whilst there is no obvious immediate sign that I have been impacted by these breaches, I cannot say that it won’t impact me to some degree in the future!
The question is, is my data any more securely held with my preferred airline and hotel operators and will they be the next high-profile victim of a cyber-attack?
Then there are the non-commercial enterprise’s and the so-called cyber warfare carried out by government backed (allegedly) groups against defence, healthcare, public services and more recently reports of some groups trying to obtain COVID-19 research data by illegal means.
But it is not all about big stories, high profile cases, I’m sure many of us have heard of family or friends falling victim to a virus affecting their personal PC, in fact SME’s tend to make up the largest proportion of organisations attacked by hackers, seemingly because they do not have the resources and budget of that of larger organisations.
In a recent article produced by IT Governance it was reported that there were 8.8 billion breached data records in the month of May this year alone!
Where hackers strike?
Hackers look to exploit the weakest point in your infrastructure and will often take advantage of opportunities in markets and society when presented - the recent COVID-19 pandemic has reportedly seen an increase in attacks as much as 300% in some industries. This is especially true of those where the workforce has been working from home where business computers and networks are less robust.
The weakest part of most organisations is usually outside of the “IT department” where criminals will seek to infiltrate the network via Phishing, Social Engineering and malware/Trojan house style attacks.
Phishing in particular is still a very widespread mode of attack, with fraudsters posing as a trusted source via email – your ‘bank’ sending you a request to authorise a recent update on your profile for example. This method has been in place for decades, but the level of sophistication is increasing, with fraudsters able to masquerade as your boss requesting you to send some urgent (and sensitive) data asap. (Never trust an email from your boss again right?) We’ve now started to read reports of even more advanced methods, such as Deepfake videos – the utilisation of Artificial Intelligence in which a person in an existing video is replaced with someone else’s likeness. Replacing the audio of someone’s speech for example – check out top 10 deepfake videos - https://www.youtube.com/watch?v=-QvIX3cY4lc
So, the question is, do you really know who you’re talking to?
Whose job is it to keep us safe?
I wonder why not more is done to educate employees and citizens to protect against cyber threats. I suggest two main reasons:
- the mantra of “I’m ok, it won’t happen to me/us” is at play
- the cost to implement appropriate training, as after all such training does not lead towards revenue generation or serving customers better.
It is becoming ever more obvious that in the Digital world we live in the cost impact of being on the receiving end of a cyber-attack will far outweigh any investment in protecting against the attack in the first place. Large fines for mis-handling of data or lack of adequate controls, loss of customers as a result of an erosion of trust, drop in share price, the cost of recovery – these factors are all contributing to the decisions being made and the investment being placed in protecting against cyber-attacks.
Analysts predict that in the 5 years leading up to 2021, $1 Trillion will have been spent on cyber security products and services (https://cybersecurityventures.com/cybersecurity-market-report/)
Currently, there is a huge demand for skilled cyber security professionals, with an estimated 4 million vacancies worldwide by 2021. The key positions include:
- dedicated resources to ensure applications and programmes are built in a secure manner. Recruitment or upskilling of programmers with secure code skills
- architects to design infrastructure without vulnerability
- engineers to monitor networks for penetration
- and of course, an experienced Chief Information Security Officer to lead the strategy for data protection.
However, Cyber security is not a technology problem, what is required here is a behavioural change a mindset adjustment that organisations need to invest more in the education and training of ALL their employees. We are, as ever only as strong as our weakest link.
Education – our best tool to defend against attacks?
It is crucial that the workforce is educated and trained to protect against and be able to identify threats to the most valuable of modern-day commercial assets – Data.
- Most people are caught out by a suspicious email in tests by their employer
- Passwords need to be stronger than ever before and are nearly always duplicated for all business AND personal systems by users
- Company-wide 20 minute on-line tutorials, followed by a multiple choice questionnaire is no longer sufficient to embed knowledge and impact behavioural change
- Cyber crime techniques do not stand still. An organisations ability to continually monitor, react and educate its workforce on a continual basis is crucial
Educating the workforce, like all good learning interventions should be an iterative process and one whereby a close link between traditional learning and on-the-job application meet with close proximity.
- Is there a process in your organisation whereby cyber alerts are distributed across your front line teams?
- Do employees have access to learning modules that can be accessed at the point in time when needed the most?
- How much is invested in keeping the material current and in context to every day working practices?
- Does your organisation utilise micro or nano learning as a means to efficiently deliver on-time and focused training?
- Is there a clearly defined learning pathway for your cyber security professionals and how does this marry with your recruitment plan?
Just like with physical security, everyone has their part to play. It would be impractical to allocate building access cards to your facilities team and ask them to usher all other staff in, around and out of the building each day. Just as it is unrealistic to expect your IT department to be your sole source of defence against cyber criminals. I believe that it is imperative that at a basic level all employees understand the role they must play in protecting your organisations greatest asset – your data.
- Revisit your Disaster Recovery and Business Continuity plans to ensure that you have regular and thorough testing scenarios in place. Focus on data security and review what resources / organisations are available in industry to help
- Assess your recruitment and upskilling plan to ensure your cyber security professionals are ready to defend against the inevitable cyber attack
- Ensure you have an appropriate company wide awareness and education plan in place and one that will drive behavioural change
Good luck and I’d love to hear what learning interventions you have or intend to put in place.
Meanwhile, I’m anxious to hear in the coming days how Garmin will emerge from their cyber attack and to what extent my personal data has been compromised, I wish them luck! For now, I’m off out for a 10 mile run, honestly…