Companies of all sizes are under attack. According to a survey from European cyber security agency ENISA, all types of cybersecurity threats showed an increase last year, with DDoS attacks rising 22% year-on-year and the cost of dealing with a ransomware attack doubling over the same period.
A British government survey had an even more alarming statistic: that nearly a quarter of businesses didn’t think that cybersecurity was a high priority – which could explain why so many firms are susceptible to even the most simple of attacks.
This all goes to show that, despite the growing maturity of the cybersecurity market, many organisations continue to see security as a technical matter, rather than a business one, despite the fact that data breaches often destroy brand reputations, damage customer confidence and even put some smaller companies out of business. And that is a huge concern in a world where remote and hybrid working has changed what good security looks like.
Here, we investigate how cybersecurity maturity starts with your workforce.
Embed security into your culture
Companies have to react to this situation, from the boardroom down. In its recent summary of the issues facing CIOs, consultancy McKinsey was forthright about the need to place security at the heart of any organisation and that security measures shouldn’t be seen as a necessary evil, or just a technical issue. McKinsey took this one stage further by pointing out that this isn’t merely a matter of upgrading products.
“The solution … lies in recognising that security is primarily a cultural and managerial issue rather than a technical one,” the report says.
Better companies recognise this and have made changes to the way they handle security issues. They’re the ones that make sure CIOs and/or CISOs sit on the board, instigate comprehensive training programmes and fight for better budgets and bigger resources. As we shall see later, these changes make a great deal of difference in not only embedding security into ‘business as usual’ – but also ultimately making these organisations less susceptible to attack and any resulting data loss.
Companies that don’t instigate these types of measures are vulnerable, and cybercriminals know this. It’s why so many more security breaches are driven by social engineering than by feats of technological brilliance, and why cybercriminals so often go for the ‘low hanging fruit’: in essence, exploiting the most victims through the simplest and easiest attacks.
It’s a major problem: one survey estimates that as many as 98 percent of security breaches are driven by social engineering. And that, in itself, is an indication that the problem goes beyond technology.
Conduct security awareness training to combat social engineering
By far the most common form of social engineering attack is phishing, the delivery of some form of deceptive message by email. Phishing messages work by engendering various emotions – sometimes curiosity, sometimes joy, sometimes fear – but the end result is the same: the recipient is tempted to click on the link, which could quietly download malware or take the unsuspecting victim to a website where cyber criminals hope to steal information or gain access to the user’s device.
Social engineers can be extremely clever and target recipients carefully. Someone can be sent an unexpected gift on their birthday; someone else could be sent an “exclusive first listen” of a new song. There are many ways of attracting the interest of users, such as tax notices; for instance, the UK’s HMRC detected a 73% increase in email phishing attacks in the first six months of the Covid-19 pandemic.
There are warning signs that employees can look out for. Does the sender’s email address match the expected address exactly? Indicators to look out for include the substitution of 0 for O or 1 for I, or an unfamiliar top-level domain (TLD). The email may have a generic greeting, such as ‘Dear Customer’ or ‘Dear User’, and the sender’s address may simply not look genuine.
So, bearing in mind McKinsey’s guidance that security is a managerial and cultural issue, what should companies be doing to protect themselves better? The clear answer is to tighten up their procedures, educate workforces better through security awareness training and set out clear policies for dealing with cyber attacks.
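The sender-address checks described above, written out as a small triage function. This is an added example, not code from the original article: the expected domain `example.com`, the list of familiar TLDs and the sample headers are all constructed for illustration, and the `fold` table extends the article’s 0/O and 1/I cases to a few other common substitutions.

```python
from __future__ import annotations

import re

# Characters that attackers substitute for one another in lookalike domains
# (the article names 0 for O and 1 for I). Each is folded to a canonical
# character so that "examp1e" and "example" compare equal after folding.
HOMOGLYPH_FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})

# Top-level domains this hypothetical organisation normally corresponds with;
# anything else is reported as an unfamiliar TLD.
FAMILIAR_TLDS = {"com", "org", "net", "uk", "de", "fr", "eu"}


def fold(label: str) -> str:
    """Canonicalise a domain label so visually similar spellings collide."""
    # "rn" rendered in a proportional font is easily read as "m".
    return label.lower().replace("rn", "m").translate(HOMOGLYPH_FOLD)


def split_from_header(header_from: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' into (display name, address).

    Deliberately simple: the display name is whatever precedes the final
    angle-bracketed address, which is the part most mail clients show.
    """
    match = re.search(r"<([^<>]+)>\s*$", header_from)
    if match:
        return header_from[: match.start()].strip().strip('"'), match.group(1).strip()
    return "", header_from.strip()


def assess_sender(header_from: str, expected_domains: set[str]) -> dict:
    """Report the warning signs found in a From: header.

    Returns {"verdict": "ok" | "review", "domain": ..., "reasons": [...]}.
    "review" means a human should look, not that the mail is proven malicious.
    """
    display, addr = split_from_header(header_from)
    if "@" not in addr:
        return {"verdict": "review", "domain": "", "reasons": ["no parsable address"]}
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in expected_domains:
        return {"verdict": "ok", "domain": domain, "reasons": []}

    reasons = []
    # A display name that is itself an address from another domain, e.g.
    # 'billing@example.com <x@other.top>': the name part is what gets shown.
    if "@" in display and display.rsplit("@", 1)[1].lower() != domain:
        reasons.append("display name shows an address from a different domain")

    brand = domain.split(".")[0]
    for expected in sorted(expected_domains):
        expected_brand = expected.split(".")[0]
        if fold(domain) == fold(expected):
            reasons.append(f"lookalike of {expected} via character substitution")
        elif brand == expected_brand:
            reasons.append(f"brand label '{brand}' reused under a different domain")
        elif fold(brand) == fold(expected_brand):
            reasons.append(f"brand label '{brand}' looks like '{expected_brand}'")

    tld = domain.rsplit(".", 1)[-1]
    if tld not in FAMILIAR_TLDS:
        reasons.append(f"unfamiliar TLD '.{tld}'")

    return {"verdict": "review" if reasons else "ok", "domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    samples = [
        "Accounts <billing@example.com>",
        "Accounts <billing@examp1e.com>",
        "IT Helpdesk <it@example.com.account-verify.top>",
        "Payroll <payroll@exarnple.co.uk>",
        "billing@example.com <x@mail-relay.top>",
        "noreply@partner.org",
    ]
    for header in samples:
        print(header, "->", assess_sender(header, {"example.com"}))
```

The function only flags mail for review; it does not decide that a message is malicious, because a legitimate partner writing from an unfamiliar TLD will trip the same rule. The point for awareness training is that every reason it produces is something a person can verify by reading the address carefully.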
Look at your security policy
It’s essential therefore that organisations draw up a security policy that provides guidance to employees on how they can work safely, how they can avoid obvious traps and, perhaps, most importantly of all, how they can react if there is a security breach.
European companies have to be particularly mindful of the last point, given the duties placed on them as a result of GDPR. Businesses these days can be subjected to hefty fines if customer data isn’t adequately protected – as if the loss of sensitive data wasn’t penalty enough.
For a start, a security policy should cover acceptable use: what company equipment can be used for and what it can’t. This is especially important since employees have started working at home during the pandemic. By setting down in writing how laptops can be used, companies can implement a level of control. It also sets out policy on sharing passwords and allowing family members the use of company equipment, an issue that has caused problems during the Covid-19 lockdown.
Perhaps the most frightening statistic from that UK government survey is that Covid-19 has had little impact on companies’ attitudes to security. The research found that 84 percent of businesses had made no changes to security policies, even though there has been a massive increase in employees working from home.
Furthermore, as there are plenty of indications that larger numbers will continue to work from home in the future, these businesses are storing up trouble for themselves.
Issue guidance, enable multi-factor authentication
But a security policy can go a lot deeper. It can set guidance on passwords so that people are not using “123456” or “password” or, only marginally better, children’s or pets’ names. It’s possible to set minimum character limits and regular changes. Companies are now looking at two-factor authentication to help improve security, with analysts at Gartner calling for a focus on identity-first security given the move to hybrid work.
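A checker for the password rules just described, as an added example that is not from the original article. The denylist, the 12-character minimum and the 90-day rotation window are assumed policy values chosen for illustration; `personal_names` stands in for the children’s and pets’ names a user might be tempted to reuse.

```python
from __future__ import annotations

import re
from datetime import date, timedelta

# Constructed denylist for the example; a real deployment would load a list of
# passwords seen in breaches rather than a handful of strings.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "111111"}
MIN_LENGTH = 12               # assumed minimum character limit
MAX_AGE = timedelta(days=90)  # assumed window for the policy's "regular changes"


def check_password(candidate: str, personal_names: list[str],
                   last_changed: date | None = None,
                   today: date | None = None) -> list[str]:
    """Return the policy rules a password breaks; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    # Compare the letters alone as well, so "Password!2024" is still caught
    # against "password" despite the decoration around it.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")

    # Names from the user's profile (children, pets) matched case-insensitively
    # anywhere in the password; names under three characters are skipped.
    for name in personal_names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains personal name '{name}'")

    # Rotation rule: flag a password that has outlived the policy window.
    if last_changed is not None:
        current = today or date.today()
        if current - last_changed > MAX_AGE:
            problems.append(f"not changed in the last {MAX_AGE.days} days")
    return problems


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    print(check_password("123456", []))
    print(check_password("Password!2024", []))
    print(check_password("Rover2019!!!", ["Rover", "Alice"]))
    print(check_password("correct horse battery staple", [],
                         last_changed=date(2024, 1, 1), today=date(2024, 6, 1)))
```

Returning the list of broken rules rather than a bare pass/fail lets the policy explain itself to the user at the point of choosing a password, which is where the education the article calls for actually lands.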
There can also be firm guidelines on opening attachments and the use of devices like USB sticks that can be used to introduce malware.
Finally, a clear and well-defined breach policy should be set out. This will make clear a definition of a breach (and how serious it is), staff responsibilities and a clear reporting structure.
Nor should organisations ignore education. There’s a lot of misinformation about IT security and companies can provide some help here, even if it’s not directly related to its own equipment or services.
For example, social media can be a particular sticking point. There can be guidance on the level of information that should be provided on personal accounts, for example whether birthdays, mothers’ maiden names, first addresses and the like are made public.
This is a harder one for employers to monitor but they can certainly play a part in providing education and making sure that people are aware of the type of information that social engineers will use.
Improve culture, and implement a new model for security
It’s clear that companies have to start thinking more holistically about IT security. It’s no longer enough (if it ever has been) to implement firewalls, anti-virus software and ensure that laptops and PCs are fully protected.
An organisation can have the best, most modern cybersecurity products in place but if the culture is not geared towards best practice, that business is always going to be vulnerable. At the same time, given the volume of attacks and the success of cybercriminals, any cybersecurity strategy needs to cover the spectrum of ‘detect, remediate and respond’ – rather than any one individually.
A process of user education and a comprehensive security policy aren’t going to make a company 100 percent protected, but they go some way to making everything more secure.