October is Cyber Security Awareness Month, a whole month dedicated to this important topic in our ever more connected world. In this article, our Head of Cyber Security, Opeyemi Ore, reflects on the actions that we are taking to foster a strong cyber security culture within TLScontact, a culture that is essential to keeping our systems, our customers and our employees safe.
Members of the Cyber Security community are acutely aware of the dangers associated with the exposure of users’ email / password combinations. This often arises as a result of a hack on a web service they may have subscribed to.
One such high-profile case was reported in the press in February 2021, when a cyber-attack against a popular online service resulted in the exposure of its subscribers’ personal information, including email address (corporate and personal) and password combinations. These login details could potentially be used to access confidential information on other online platforms or attack business systems. Reading about this type of incident always sends a shiver down the spine of Cyber Security practitioners.
Having strong cyber security policies and practices in place makes all the difference. At TLScontact, we automatically force our employees to change their passwords at regular intervals. This means that in the unlikely event that any of our staff members were to be affected by such an incident, the window of exploitation would be reduced, as users are regularly forced to change their passwords. We also conduct proactive reviews of access logs to detect any unusual activity and take necessary remedial actions where required. In the case outlined above, our users would have been protected.
Winston Churchill once said, ‘Never let a good crisis go to waste’. Within the cyber security team here at TLScontact, we use high-profile cases as teachable moments to allow us to reinforce relevant security messaging across our organisation. Using the case described above, we put together a newsletter and laid emphasis on some key do’s and don’ts. These are well established in cyber security circles and beyond, but it is worth restating them here:
- Use multi-factor authentication (MFA) whenever possible: for example, an email address plus a temporary log-in code sent to your mobile phone, to prove your identity. This significantly reduces the chances that your account might be compromised, even if your password has been exposed on a particular platform;
- Never use a professional email address for non-work-related services;
- Use strong passwords that include at least 8 digits, alpha-numeric and special characters, and a mixture of lower and upper case; change them regularly too;
- Never reuse the same passwords across multiple systems.
While these guidelines are targeted mainly at our employees, they are also relevant for the applicants who use our online services and a useful reminder of the steps that they can take to protect their personal data.
Cyber security is everybody’s job
At TLScontact, while we have a strong cyber security team in place, we make it clear to our employees that cyber security is everyone’s responsibility. Over the past few years, we have built a strong cyber security culture which is emphasised through a comprehensive awareness programme covering everyone from our customer service agents to our C-level executive team. This programme utilises practical approaches and real-world examples to ensure that our users are not only informed on what to do, but that they also understand the ‘why’. This is a real differentiator from awareness programmes in many other organisations.
We don’t just force users to watch cyber security awareness videos.
- Our targeted phishing campaigns help our users to remain vigilant as they interact with email services. They don’t want to get caught out by my team, and most importantly, by any hackers who might be trying to access our systems. Thanks to these campaigns, the number of accurately reported phishing emails has doubled within 6 months.
- Our ‘lunch and learn’ sessions expose staff to real-world demonstrations from the cyber professionals of how hacks happen and simple steps to keep everyone from harm. They have seen how quickly a weak password can be broken, so they go for something much stronger.
- Our newsletters, posters and bulletins are kept informative and use real-world examples to enable everyone to understand why certain protective measures are in place, and each employee’s role in keeping TLScontact safe. For example, our employees now know not to share their home address or full date of birth on social media as it may be used in carrying out an attack against them.
As with all things digital, cyber security is a fast-moving area and you need the right processes and tools in place to be able to identify and anticipate emerging threats and take the right actions to counter them. However, cyber security ultimately depends on people. They can be your weakest link or, with the right training and support, they can be your strongest defence against malicious actors. At TLScontact, that is certainly the approach that we are taking. With the measures that I have described in this article, we engage our employees on a daily basis in our efforts to ensure maximum protection for our IT systems and for the personal data that we manage on behalf of our visa customers and government clients around the world.
Article by Opeyemi Ore,
Head of Cyber Security