A recent study by ISC² found that when it comes to cybersecurity, over half of British companies are “chronically understaffed” without the right number of IT specialists to deal with online threats.
Worryingly, the same research said that the global shortfall of cyber security workers was set to reach 1.8 million in the next five years, meaning businesses in the future look set to be ill-prepared for cybercrime.
With hackers constantly finding new ways to crack security systems to uncover a company’s sensitive information, it’s unsurprising that many UK companies feel underprepared for cybercrime; it evolves constantly and often preys on inattentive, inexperienced or under-trained staff or companies with poor cybersecurity technology.
Unfortunately, there will always be hackers willing to exploit naïve workers. But these external threats aren’t the only dangers companies need to be on the lookout for. Insider threats, which come from employed members of staff, are just as common. This can be either a malicious or thoughtless employee, who, inadvertently or not, leave their company and its data open to threats. However, do businesses need to invest in new, highly-skilled staff to fight against and prepare for these potential hacks, or is there a simpler, better way?
Hackers prey on the inexperienced
Hackers are exploiting the naivety of employees more than ever. Should an employee unwittingly share their login details with a hacker in response to a phishing email, it can be very bad news for the individual, the company and even their clients. Recent high-profile examples from companies such as Dropbox, Sony, eBay and Three, where compromised credentials were used to gain access to sensitive information, prove that any firm can fall victim to such an attack. Don’t make the mistake of thinking that just big companies suffer breaches from compromised logins. It’s just that breaches of small companies don’t get reported about in the media.
ISC²’s report recommends businesses combat such threats by employing more staff specifically trained in this area. While it’s true that a highly-trained cybersecurity expert would be more aware of threats, what about the rest of the company’s employees who won’t be quite as savvy? It’s far more likely that a naïve or poorly trained employee will be a bigger weakness and inadvertently hand over their company login credentials to an opportunistic and malicious hacker.
There are also cost implications involved. Larger organisations are far more likely to have a big budget to put towards interviewing, employing and training new staff, but the same cannot be said for SMEs. It wouldn’t be very practical for these businesses to justify the cost of a dedicated IT security professional on their payroll.
Once this outsider has access to your system, there is no end to the damage that can be caused. Whether it’s stealing sensitive information such as customers’ bank details or leaking a new product spec, when a hacker uses legitimate login details to snoop around, even the most vigilant of experts could miss the signs.
Cybersecurity is everyone’s responsibility
With the workers, themselves, identified as a big weakness in a company’s defence against cybercrime, employing a specialist to oversee this side of things can seem like the most logical solution to best protect the firm and its data. But does it really make sense for something so important to be the duty of a small team or even an individual?
Instead of investing in more staff and making the company’s online security one person’s responsibility, every member of the company should be involved to create a security-aware culture throughout the organisation. If any business's biggest vulnerability is the internal people, every single member of staff from the receptionist to the CEO should have a role to play in protecting the business.
The role of technology in fighting online threats
Hiring the right staff for the job is a key challenge for any company. When that individual manages the IT department and oversees securing sensitive data, it’s particularly imperative that the employee has the right expertise.
However, having the right technology resources in place is equally, if not more, important. No matter how attentive that individual is, they are still human and therefore likely to make mistakes. In contrast, technology is far less likely to miss suspicious behaviour and the traits of a hacker.
One example of this technology is context-aware security, which uses information in addition to the user having the right password to grant or deny access. This information could, for example, be the device the user is logging in on, the geographical location of the user or the time of day the access attempt is taking place.
These details allow the security system to build up a strong profile of the person attempting to log in and will then either grant or deny access immediately based on pre-set access rules, which can be set up by the administrator. This not only ensures that hackers are not allowed to access sensitive documents, but also frees up the time of the IT administrator to focus on other activities.
Benefitting the business and the individual
Context-aware security technology may not make you a cup of coffee like a new colleague would, but it does have several benefits to the individual user and the business as a whole. Just like a dedicated employee, the tech works silently in the background to ensure a fluid, user-friendly experience and can even improve security working practices in general.
Organisations can even take context-aware security one step further to encourage good behaviour within their teams. A company can only do so much to ensure the training staff receive from the IT department is retained and good behaviours become habitual. Context-aware security can nudge users in the right direction, by alerting them of suspicious uses of their own password.
By training current staff to be vigilant to danger and investing in intuitive technology to stop hackers in their tracks, companies can ensure their files and data remain safe and that everyone in the company is cybersecurity savvy, no matter how well the team is staffed.
François Amigorena, founder and CEO, IS Decisions
Image Credit: Den Rise / Shutterstock