Meet Jenny Radcliffe, a self-styled ‘human hacker’ who uses her skills to train staff how to stay safe online and recognise the warning signs of a cyber attack
The return to work is going to ensure that security expert Jenny Radcliffe is kept busier than normal. She soon expects to be talking her way into senior executives’ offices to either remove a computer, photograph a password left on a Post-It note or attach a device that will tell her everything that’s typed on a laptop keyboard. If she’s lucky, she may even have time to install a ‘pineapple’ – a gadget that can snoop on a Wi-Fi network to steal data and passwords when staff log on to their work system and share privileged information.
Fortunately, for any company involved, Radcliffe will do no harm other than to highlight where its people need to be supported with better training. While she spends most of her time training staff how to spot both online and face-to-face cybersecurity threats, her company, Human Factor Security, is being increasingly asked to supplement lessons with some real-life testing of how well employees perform face to face. “Trust me, the return to work is going to be a really challenging time for companies,” she says.
“I was sent to an office the other day and the security guy came up and asked me what I was up to. I told him I was running Covid checks and he should have received an email. I said I had to sanitise the equipment and so needed to be left alone. I even put down a yellow cleaning cone so I looked official. Sure enough, he left me to it and I was able to send the client photos from inside their offices to show they were vulnerable.”
Radcliffe predicts that cybercriminals will use this sanitising ruse to get a hold of laptops and smartphones, as well as planting listening devices, to gain access to private corporate information or customer details that they can either sell on or, more likely, return if the business pays a ransom.
Under attack online
This kind of trickery is not restricted to just physical premises. It has been happening online for years and has escalated during the past year or more. Radcliffe describes the pandemic as ‘the perfect storm’. People have been tired and distracted while using devices and Wi-Fi networks at home that aren’t as secure as those provided at work. It has made them unwittingly compromise their own security and, by default, their employer’s.
“People sometimes let the kids do homework or watch Netflix on their work laptops and have no idea if they’ve clicked on any pop-ups or links that might contain malware. We’ve all been tempted to, as it’s called in the business, ‘do a Hillary’ and answer emails on a phone because it’s easier. The problem is that phone is not going to be as well-protected as your workplace laptop,” Radcliffe says.
The other factor making the pandemic the perfect opportunity for cybercriminals is that people are working in isolation at a time when they are emotional and fearful. This means that, unlike in the office, they might not always make the best decisions when an email appears to be from a legitimate company address asking them to pass on a password or send money. These phishing attempts are the most common form of an attack on businesses and are now normally referred to as spear-phishing because a criminal will address the email to an individual and claim to be someone they know from within the organisation.
“As part of my training sessions, I show people how simple it is to find out so much about a company and its people that you end up knowing better than they do who’s working with whom on what project,” Radcliffe says. “It’s very easy to get personal information about someone from social media too. You can make it look like you really know them and then reference something they’re working on and ask them to send you some cash or the log-in details for the company’s network because you don’t have the password with you.”
Staff need to be trained to understand how sophisticated these attacks can be, to the point where a criminal will register a very similar domain name to the company they are attacking, perhaps replacing an l with a with a 1 or a 0 for o. When they send emails purporting to come from senior executives, these can look very realistic.
As cybercriminals have been honing their illicit trade, employees have had the problem of working from home, with nobody to run a suspicious email by. “In the office, you can always lean over and ask a colleague, ‘Did you get this? Does this sound like Bob to you?’” Radcliffe says. “There’s almost certainly an IT person you can ask for advice, too. But at home, people have been distracted and feeling emotional, with nobody to talk to, and that’s what cybercriminals prey on.”
To train staff to spot potential cyber attacks, Radcliffe has some simple questions everyone should ask whenever they receive an email, text, call or chat message asking them to help out a colleague.
“I have four red flags that I train people to look for and if they spot one or more, they need to stop and check it out with a colleague or call the person directly who is asking them to do something,” she says. “Whether it’s a call or a digital message, if someone is using emotional language, asking you to make a snap decision or saying it’s urgent and it involves money, those are all the signs of social engineering. So you should stop and ask for advice.”
Security self-help tips
Aside from training, there are practical steps Radcliffe suggests all clients and their staff should take to improve their cybersecurity. These actions may not all be new but they are hugely important, she insists. To start with, every piece of software on every employee’s computer, laptop, tablet and smartphone should always be kept up to date.
“People often don’t realise those updates are security patches. A hacker may have found a way to get into people’s computers through an app and the developer has updated it to keep them safe,” she says. “So, even though it’s a pain, the training is to always update software. If you can’t be bothered because you don’t use an app any more, that’s a good reason to delete it. But you’ve got to keep all programmes updated, as well as your security software.”
Radcliffe knows staff will have heard it all before but difficult-to-guess passwords are a must and these shouldn’t be shared across different log-ins. One solution is to accept the strong security password an app will suggest, which you have no chance of remembering, and use a password manager to log back in. Using two-factor authentication is another obvious step that she trains people to adopt. Typically, a website or app will only let someone in with the correct password as well as a code it has texted to the owner’s mobile phone.
Finally, her training comes with a stark warning about using public Wi-Fi. This should always be avoided in preference of sticking with a smartphone, which will hopefully have good 4G connection.
“People don’t realise how simple it is for anyone to set up a Wi-Fi hotspot in an area and name it after a coffee house to trick its customers into logging on for free,” she says. “There’s a really easy-to-use software package anyone can install and then set themselves up as a free wi-fi hotspot. All they need to do is call it ‘x coffee free customer wi-fi’ to sound convincing and the minute you log on, everything you do using that connection can be eavesdropped on by cybercriminals.”
If cyber safety during the pandemic was problematic, Radcliffe predicts that things could get a lot worse. Cybercriminals will undoubtedly use the partial return to office working to target staff with Covid-related ruses, such as the aforementioned sanitising scam. There is also the issue of devices that may not be working securely, and could have malware installed, being brought back into the office network. Additionally, people are going to be far more mobile and so the temptation to save data allowance and log on to free public Wi-Fi connections is going to be high.
With the right training, though, staff can work far more securely outside of the office as long as they know how to better protect themselves, spot a cyber attack and, just as crucially, know whom security concerns should be raised with.