
3 lessons Mr. Robot taught us about cyber security within organisations


If, like me, you managed to tune in to the final episode of Mr. Robot season 4 when it was released on 22 December 2019 (Merry Christmas, us), then you’re probably still mulling over the emotionally distressing – albeit dramatic – events of the final season.

Full disclosure – Mr. Robot is a dark, disturbing show with some pretty violent scenes. But as it turns out, it’s also full of informative lessons about how hackers operate that could help strengthen your organisation’s cyber security protocols.

For the uninitiated, Mr. Robot follows Elliot Alderson, a young computer programmer with severe social anxiety who uses his hacking skills to try and take down the world’s largest global conglomerate, ECorp.

While ECorp may be a far larger, exaggerated example than most of the organisations operating in the UK, the tactics used against them by the hacker group F Society are still applicable to smaller organisations.

With this in mind, I thought I’d spend the remaining hours of my annual leave pulling together some of the key things I learned about cyber security from the show – although (personal opinion pending), if you haven’t already, you may still want to catch all four seasons on Amazon Prime.

Warning: Spoilers ahead

Lesson 1: You could get “phished” at any moment

While most people are already aware of what to look out for in a phishing email, it only takes one employee to fall for a particularly convincing scam to allow hackers to infect your entire network – especially if the hackers are casting their net wide and targeting your entire employee database.

As an example, in season 1, episode 6 of Mr. Robot, F Society attempts to carry out a simple phishing hack by offering an unsuspecting employee a $100 gift card in return for answering a few simple questions – which is actually just a ploy to give them enough time to carry out the hack. Luckily in this instance, the organisation’s anti-malware software kicks in just in the nick of time – but if it had been a few seconds longer before the employee had cut off the main power source, it would have been too late.

A few seconds. That's how long it takes for an organisation to fall victim to a phishing hack.

So maybe I’m scaremongering a little here – mostly because Mr. Robot has given me serious fear about this stuff – but phishing scams really are everywhere, and it’s important to have clear security processes in place so your employees understand how to recognise and deal with phishing emails.

Lesson 2: A complex password is key

One thing I noticed while watching Mr. Robot is that it’s not always the CEOs and the CTOs that are being targeted by hackers – because they’re not the ones that are handling the truly sensitive data on a day-to-day basis. No, it’s the managers and general employees that are most vulnerable when it comes to a cyber attack, because it’s their passwords that will be of most use.

Social engineering is usually an important part of any cyber attack, and it really doesn’t take much for a hacker to figure out someone’s password. Most of us will use something memorable as a password, such as a pet’s name or a parent’s maiden name – we’re only human after all. But this is also easy information for someone to guess or find via social media, meaning you could be making light work for a hacker wanting to access your accounts.

That’s why educating your employees at all levels – including CEOs and volunteers – on the importance of a complex password will strengthen your organisation’s defence against cyber threats.

Lesson 3: Staff education may not be enough

The cold, honest truth is that even educating your employees and having stringent security processes in place may not be enough to protect against persistent cyber attacks.

But it can also be expensive and time-consuming to hire someone to monitor your system full-time and manually combat threats to your network – which is why most organisations will invest in some form of cyber security software, so you can focus your attention (and funds) elsewhere.

There are many different types of software available that will protect against similar cyber risks – such as anti-virus or anti-malware software, firewalls or system monitoring software. Do your research to ensure the software you install is robust enough to protect your network. With a potential $20 million (or 4% of total global turnover) fine for a data breach under GDPR regulations, is it worth the risk to not have cyber security software in place to ensure you don’t fall victim to a hack?

But as demonstrated in lesson 1, anti-virus software still may not be enough to protect against a particularly malicious attack (yes, we have to use these dramatic terms when comparing the situation to Mr. Robot).

Remember, a cyber breach doesn’t just affect a few days’ worth of income while you get your network back up and running – it can cause severe reputational damage to your organisation, and even affect future earnings as a result.

Cyber insurance can provide additional protection for your organisation in the event of a cyber breach, including cover for loss of income or third-party compensation claims following a cyber attack or data breach. You can also access legal advice and expertise to help minimise any damage resulting from a cyber breach.

Want to know more about protecting your leisure or cultural trust from cyber breaches? Download our handy guide.

Find out more about cyber insurance with Endsleigh.

Written by: Naomi Soanes, Digital Executive

Sources: Mr Robot, Seasons 1 – 4 (created by: Sam Esmail, distributed by NBCUniversal Television Distribution)
