October is Cyber Security Month so it’s a great time to recap on the most common threats to our business, and what you can do to help.

As a business we see some of these threats almost every day. We’ve always worked hard to keep people’s data safe, and with new GDPR regulations and potentially millions of pounds in fines for breaches, it’s even more important to make sure that information doesn’t fall into the wrong hands.

“Information Security isn’t just management responsibility, it’s everyone’s responsibility” 

Pippa Wicks, Deputy CEO

Here’s what you can do:

Protect information before you send it

This is usually accidental, for example, you might ‘hide’ columns in spreadsheets and send them in an email, forgetting this can easily be undone. Or you might email files to your own personal email address to work on at home, which is a security risk. If you need to send or share information, always password- protect it and send the password separately.

Beware of phishing tactics to steal your data

We block over 14,000 infected emails a day, but some will always slip through the net, so you need to be on your guard. Some common warning signs are – the email trying to make you worried, make you think that something is urgent, or make you click a link out of curiosity.

If you have any doubts, make sure the message is genuine by contacting the sender directly in another way, either through their official e-mail address or on the phone – don’t just reply to the email.

Don’t make your password easy to crack

Over half a million passwords are freely available on the internet from previous data thefts across the world. People sometimes use the same password for more than one account, so if attackers successfully discover one password, they can use it to break into other accounts.

Recent security research shows that a ten-character alphanumeric password takes two hours to crack – add a special character like !,&,% and it takes a week.

  • Use a 12-character password wherever you can to make your account extra secure (attackers will move on to easier targets)
  • Don’t use passwords that others can figure out from things you share on social media (like pets names, the football team you support, or your home town)
  • Keep your password secret, and don’t write it down or send it in emails
  • Use a different password for each account, and if you suspect that someone knows it, change it straight away

Make sure you do your information security training

As part of our commitment to keeping people’s data safe, all colleagues have annual information security training.

Retail colleagues did a joint InfoSec-GDPR module earlier in the year, depot colleagues are currently having team briefings, and Funeralcare homes and all office-based colleagues will do training in October and November.

In the meantime, you can find more good advice at National Cyber Security Centre and the Government website.


Guy Sansom
Information Security Threat Intelligence Manager

Join the conversation! 9 Comments

  1. Unfortunately, space limitations in the article meant we couldn’t explain much of the ‘why’ behind the need to get colleagues interested in what a lot of people sadly consider a pretty dry or irrelevant subject, so just a couple of quick additions that hopefully make some of the advice a bit more real:
    1) A successful cyber attack that managed to steal one of our core databases would likely cost us upwards of £500M in a combination of fines, damages, fixing the issue and loss of trade as our customers wondered if they could trust us. So even if we didn’t have a duty of care for how we handle customer, partner and staff data (and we should ALL recognise that duty of care – we wouldn’t want our own information mislaid so it is absolutely right that we protect others !) we’d have a very strong vested interested just from a business stand point.
    2) Most cyber attacks start with an email to a member of staff. Whether that is just a simple effort to steal your personal banking details, a slightly more complex effort to steal a few million pounds from the Co-op by fraud or the start of a full attack looking to gain access to our core network then it really can start with one person at the desk clicking on a link or opening a file. So yes, you really do matter !

  2. Good advice Guy and Tony: If you’re not sure where to start we have an email address askinformationsecurity@coop.co.uk for all general queries

  3. Really useful article Guy – thanks very much for the advice

  4. “Keep your password secret, and don’t write it down
    Use a different password for each account”

    At a quick glance I have at least 12 separate accounts that require passwords, and that’s after logging in, obviously requiring it’s own.
    None of these systems allow you to re-use passwords. All of them ask you to change them at varying periods.
    If I don’t write them down there’s no way I’ll remember them all. I start to remember one or two, but then it’s time to change them again. I run out of phrases or sequences that are particularly memorable after a month or two.

    Give us single sign in and then we’ll actually abide by the General Data Pain in the Rear rules you’re setting. Until then, we have no choice but to break them.

    • Jon (and Empty), we absolutely recognise this and there is active work underway to deal with the issue of password overload. Until we get that sorted though we do need staff to be as careful as they can – and particularly between home and corporate systems. In the meantime, you might like to look in to a good password manager – we don’t recommend any but we know other colleagues use KeePass and LastPass (there are other reviews at https://uk.pcmag.com/password-managers-products/4296/guide/the-best-password-managers-of-2018). There is also a helpful article on password managers from the National Cyber Security Centre at https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers. I hope that helps a bit.

      • I use one for my own accounts, 1Password. But not for work, as I can’t install the plug-in to automatically paste the password. I’ve got extremely long, complex passwords for all personal accounts, but I’m not going to sit and type them in to my work machine each time I need to log on, it takes ages and is easily entered incorrectly. This isn’t a solution, or even a stop gap, until then I’ve got not option but to use memorable words and numbers for my work accounts.

        • I feel your pain, I use LastPass myself, 60 character random passwords are great until you have to type one in by hand.

          Long but memorable is a reasonable compromise, use the old memory trick of crafting an image in your mind that acts as a memory aid. I used to use “Elephant $100 skateboard” as an example along with a cartoon of a skateboarding elephant holding loads of money. and this doesn’t take any longer to type than a random 10 character password.

          what works for you will vary depending on how your memory works, string together words that are nonsense and don’t use anything that can be linked to you on social media like the name of your school or pet etc.

  5. How many colleagues have Password1, Password2, Password3 etc. as their work password? I know several in my area.

    There are so many systems that require passwords, and so many force change at different time frequencies, so it’s impossible to remember them all, the only way is to have easy passwords, or to write them down. Both of which are frowned on.

  6. Great advice as always Guy,

    can I just add that every part of the business has an Information Security Business Partner (ISBP) and we are here to advise and guide colleagues on all matters InfoSec, So please get in touch either directly if you know who your ISBP is or via the Information Security help and support email address or tel. no. available on the intranet

Comments are closed.




, ,