By Mark Blayney Stuart Run your business Protecting democracy from cyber-attacks 27 Nov 2017 Much ink has been spilled on arguing whether the outcome of the US election in 2016 might have been influenced – even to the point of changing the result – by alleged foreign interference. It was a private cyber-security firm, CrowdStrike, who discovered “the telltale tradecraft methods of two known Russia-linked hackers—what it calls Cozy Bear and Fancy Bear,” Quartz writer Steve LeVine reported. CrowdStrike said “the two Bears got into not only the DNC [the Democratic National Committee] but also the Joint Chiefs of Staff, the State Department, and numerous Washington-based think tanks.” So what can we do to ensure our elections and democracies are not compromised? “It’s about making sure information remains safe,” says Debbie Garside, CEO of cyber solutions provider GeoLang. “Information is the key currency in an election or referendum campaign and governments and political parties need to make sure their information is as safe as it can be, both by investing in the right technology and by tightening policies and procedures.” Keeping data safe is now an urgent business. The global cost of cyber-attacks annually is now estimated at $400 billion. The amount that was paid out in ransomware last year is estimated to be $1 billion, and the year-on-year increase in mobile cyber-attacks is 40%. And yet the stats show that cybersecurity is still not as seen as important as it should be. “75% of directors are not involved in the review of cyber security risks,” says Kevin Wright at IT Governance. Research suggests that ‘only a third of the UK’s top 350 businesses understand the threat of a cyber attack, [and] only a fifth of businesses have a clear view of the dangers of sharing information with third parties.’ Governments are worried. “The American political system is an open and vulnerable target,” said David Ignatius in the The Washington Post ahead of last year’s election. Let’s also bear in mind that there are several ways to attempt to influence an election by online means – it doesn’t have to be a security hack. Spreading fake news, leaking files designed to weaken a candidate and casting doubt on the integrity of the electoral process itself are all ways that interested parties can weaponise information, exploit casual readers online and destabilise the democratic process. Indeed, to take one of those examples, fake news is so prevalent now that within the space of a year it has become a recognised expression – we can refer to it without needing quote marks. Major shifts Is there are a role for Internet giants like Google and Facebook to play here? They, after all, are in a position to do something about the spread of misinformation online; and they can also better educate their readers to check their sources before they spread inaccurate or misleading information further. “I’ve worked on election campaigns in the past using advanced computer programmes to target specific demographics,” says Garside, “but it is so much easier to do it these days thanks to social media platforms – and those doing it often have underhand motives. You need to get Google and Facebook on board and working with governments and communities to tackle this proactively.” And in practice? Garside says, “You get propaganda in every election, but there should be a social media algorithm to spot fake news. Users need to be brought back into the equation; there should be a specific way for users to report fake news and propaganda during election campaigns on social media.” According to Garside, “the platforms concerned can then run algorithms to determine the veracity of the content and then start to block sources of fake news or warn users that it has been flagged as propaganda.” Garside believes all this is possible; “it just needs commitment to make it happen.” For governments – and indeed, for businesses of all sizes – the key is to have an action plan. Frank Sorrentino, Chairman and CEO of ConnectOne Bank (CNOB) suggests a plan for organisations to give themselves the best chances of anticipating and avoiding cyberattack – and being able to recover quickly if they still happen. “Preparedness requires a collective accountability,” he says, “an understanding that all affected entities – consumers, businesses, financial institutions, regulators, and the government – must prioritise cybersecurity so that together, we can create a safer environment.” Understand the evolving risks. Learn what the different types of cyber fraud are – ‘from phishing and spoofing scams, social engineering, malware, systems hacking, pharming, and everything in between.’ Develop a security policy that is ingrained in the culture. Defining what procedures you follow is only the first part of the strategy. ‘In order to be effective, the policy must permeate throughout every process, every decision, and the whole mentality of the organisation.’ This has to be ‘squarely embedded into [the] overall business strategy and how each employee operates.’ Employees are ‘the gatekeepers of your company’s information, making them the first line of defence against corporate account takeover.’ Educate your employees about the warning signs, responses to a suspected takeover, and how not to fall for scams. ‘Make sure they use complex, unique passwords and maintain a “clean desk environment” where personal and confidential information aren’t exposed.’ Keep software up to date. The recent Wannacry ransomware attack on the NHS, for example, was far worse than it need have been because trusts were allegedly running old Windows XP software, making them vulnerable. Have an incident response plan and practise it. Having a plan is crucial, but as you would with a fire drill, it’s important to rehearse it. Use the phone. Sometimes old-school can be best. If you are trying to avoid cyberattacks, can you circumvent the internet altogether when transmitting vulnerable information? Finally, don’t pull all your eggs in one basket – store important information on separate servers, and encrypt data that’s sensitive. Ultimately, stay alert – don’t open attachments that look suspicious, and avoid traps like time pressurisation – being told something has to be done immediately should set warning bells ringing. And for the future? Will attacks on democratic institutions and election security increase in the future? “Absolutely,” says Debbie Garside. “Now there’s evidence that it works – that you can influence the opinions of a large percentage of the population or even the outcome of an election or referendum – then more attacks will inevitably occur.” This won’t just be from external parties or hostile states, Garside says, “but also from within. And they will become more advanced and harder to spot as technology improves.” Mark Blayney Stuart is Business Journalist of the Year, Wales Media Awards 2017 and Former Head of Research at the Chartered Institute of Marketing.