After another challenging day at the office, you come home to find a letter from the school that your child attends. Concerned, as the school normally emails, you open it and are shocked by what you read. The school has suffered a cyber breach, and as a consequence data about your child has found its way onto the dark web and is being traded by criminal gangs. The source of this breach has been traced to a member of staff whose password was compromised.
Shocked by this news, you contact the school for further details and an explanation. You attend a meeting with a member of the school leadership team and a professional digital investigator who is assisting the school with mitigating any further risk. This investigator is part of the team provided by the cyber insurance cover that the school (thankfully) had in place.
During this meeting you learn that the password policy at the school was the identified weak link. In the past staff had routinely complained that remembering complex passwords was ‘a pain’, so passwords were only changed once a year, at the start of term, and most staff wrote them down on Post-It notes for all to see. One teacher had given their password to a pupil who ‘couldn’t log on’ one day; rather than go through the process of getting IT involved, ‘just this once’ it seemed fine.
As the story unfolds you learn that this pupil then bragged about it on social media and even posted the password, just for fun. The investigation team believe that the password was then picked up by a criminal gang who scour social media, and placed on a dark web password trading site. From there it was obtained by a ring of criminals involved in child exploitation who operate outside the jurisdiction of UK law; such rings look out for passwords emanating from educational establishments, as these can be soft targets in cyber-crime. The ring then used this password to access the school’s cloud-based virtual learning environment and school management system, obtaining the names, dates of birth, addresses, school records and school photographs of children.
You are informed that this information could be used to fraudulently apply for lines of credit, or by the gangs to try to infiltrate the social networks of the victims as potential grooming targets. You feel understandably sick. All of a sudden this ‘cyber security’ that you have heard of at work, that you have given a cursory glance when stories about it have appeared in the Sunday paper, has just got personal – all because of a Post-It note and a belief that ‘just this once’ it would be fine.
Although fictitious, this account of how a cyber-crime can unfold would give any parent an uneasy feeling about the real security of data on the most precious elements of their lives. However, it’s only when something like this actually happens that changes occur. Conversely, most of us have sat in seminars, lectures or updates at our places of work where the individual responsible for IT has discussed password policy, and we have all tuned out for a while, telling ourselves that it is an ‘IT’ issue, not really ours.
So why, in our business lives, do we get frustrated by ‘IT’ forcing us to secure our work, our passwords and our data, yet at home, when we use our personal IT, do we treat it differently? As an IT professional I was always amazed that in the workplace IT security was perceived as difficult and hard to understand, something that would impede workflow and just get in the way, yet at home the same staff can buy products on Amazon, book a holiday online, sell things on eBay, set up and secure a PayPal account and even protect their social media accounts with passwords, all with relative ease. Is that because there is a different motivation there? A personal motivation that wants to obtain a benefit, and so does not mind the security overhead?
Why do we treat cyber security in our personal and business lives so differently? Ultimately we are trying to do the same thing: protect information so that it doesn’t fall into the wrong hands, where it may lead to financial, reputational or personal distress. Is it that at home it is our responsibility, yet at work that responsibility has been assumed by somebody else?
Cyber security is personal, regardless of whether you are at home or at work. At home it may be just about you and your immediate family, but at work it can be about others and their families. You would like to think that all those companies that look after data about you protect it with as much care as possible, and I’m sure that their IT teams and policies say that they do – but does every member of staff do that? We all know that what makes the difference in life is the personal touch, just going that extra mile to make sure that things are as good as they can be. It’s time to do that with cyber security. Time to take it seriously; it’s time to take it personally.