Today’s reliance on information technology presents a single point of failure and is as much an existential threat to business survival as it is an opportunity for growth. Considering Covid-19 and the ‘new normal’, businesses and employees are navigating uncharted waters with the sudden shift to remote working, furloughing of staff and changing work patterns. The complicated process is further agitated as criminals exploit heightened levels of both technical and personal vulnerability.
The pandemic, and the chaos it has caused, has led to an exponential increase in cyber-attacks globally. It is well known that employees represent the weakest link in a company’s cybersecurity system, with more than a third of data breaches involving company staff. This includes employees falling victim to email scams and unintentionally sharing data, as well more deliberate actions where a disgruntled current or former employee may purposely leak confidential data or compromise a company’s systems.
As employees shift from working within the secure confines of their office’s network to working from home the risk of insider threat – malicious or benign – is now more pronounced than ever. For example, hackers are compromising the hard work of stretched IT teams who have been diligently working, among the chaos of mass migrations to home working, to get employees quickly set-up with new software. By inviting employees to follow links to download new tools that are laced with malicious code, cybercriminals are attacking computers and potentially infiltrating company network.
Reducing this risk is simple – all it takes is education. Employees that are adequately educated on cybersecurity practices can reduce the rate of a successful attack by 80 per cent; employee cybersecurity education needs to be at the top of the agenda for every business.
Building awareness of cyber-hygiene principles
More than ever, businesses expect their employees to remain up-to-date in the face of increasingly sophisticated cyber-scams. The first step in the education journey is raising the awareness of the basic principles of cyber-hygiene.
Cybersecurity education will teach employees how to recognise the tell-tale signs of phishing and how to make safe and sound decisions when clicking on links or clickable media. Following even the most cursory checks will decrease the risk of being a victim of such an attack. Some of these quick and easy to do checks include:
- Scanning the appearance of the material and identifying whether anything looks unusual;
- Keeping an eye out for poor grammar and language;
- Evaluating the legitimacy of the source and domain name;
- Reviewing how the email has been addressed.
It’s important that employees are vigilant to suspicious communications. Running through the below questions can mean the difference between a system breach, near miss or continuation of normal business. Some of these questions include:
- Does a request for sensitive information sound odd?
- Does the email contain a veiled threat or call for urgent action?
- Are you being asked to do something unusual or outside of your remit?
Emails asking for payment or fund transfers to third parties and “click here” requests are clear signs employees must be wary of. Equally, oversharing on social media increases the risk of falling victim to phishing as this provides an easy place for hackers to collect information to tailor their attacks.
Of particular importance at this time is letting employees know that top-of-mind issues are commonly what hackers use, preying on concern about a current topic with a promise to learn more, to attack and compromise networks. An awareness of this can often help employees identify malicious communications.
Empowering employees to join the fight
It is not just about equipping employees with knowledge of cybersecurity. The second step in cyber-hygiene education involves empowering employees to take ownership of their – and by virtue the business’ – cyber-safety.
The first element of this strategy is creating a culture of caution where cyber-hygiene principles are baked into every business function and department. This is more than raising awareness and providing training alone; ensuring business leaders show a consistent commitment to cybersecurity while removing any internal attitudes of apathy is key to comprehensive and effective protection.
It is also important to ensure employees are engaged with their company’s cybersecurity journey. Often, we see businesses attempting to enforce policies and procedures with little explanation as to why they’ve been put in place. Employees should know why they need to change their passwords, why they need to undertake regular cybersecurity training, and ultimately, why their cyber-vigilance is vital to protecting the business.
An effective employee education programme does not need to be complex. Simply including on-boarding induction sessions on cybersecurity is a step towards cyber-awareness for new starters. Longer term employees can receive the same training, and this can be reviewed annually along with other aspects of employment. Providing staff with a basic understanding of cybersecurity principles, and why they are required, will provide motivation to follow policy more closely.
Every crisis or period of uncertainty creates new opportunities for hackers and cybercriminals. With the risk increasing on all fronts, the responsibility for cybersecurity can’t lie solely at the door of the C-suite but every security regime needs sound leadership to be effective. Cyber-hygiene must now be considered a mainstream requirement for every business, with leaders setting the tone, employees empowered to take responsibility, and implementation of an effective education programme is a critical requirement in achieving that.
Mitchell Scherr, CEO, Assured Cyber Protection