Education: teaching staff the principles of your cyberdefence
While almost three quarters of cyberattacks are perpetrated by people outside an organisation, more than a quarter involve insiders, according to Verizon’s 2018 Data Breach Investigations Report. Furthermore, human error is the root cause of close to one in five breaches. Education of the workforce, therefore, is critical.
“The vast majority of data breaches can be traced back to an original phishing email, or series of emails, whereby employees are used as targets to obtain data,” says Luke Vile, cybersecurity expert at PA Consulting. “This first contact is often a ‘stepping stone’ cyber-approach.
“Engaging employees on cyberdefence ensures they are more alert during these early-stage phishing attempts, and when alert they are more likely to report contact and stop a breach before it happens.”
Moreover, Matthew Buskell, assistant vice president at Skillsoft, believes organisations cannot rely on the IT or security departments. “A recent (ISC)²-commissioned survey identified a glaring skills gap on the horizon,” he says, “projecting that the overall cybersecurity skills shortage is set to rise to 350,000 workers in Europe by 2022.”
Happiness: keeping an eye out for disgruntled staff members
It’s impossible to quibble with the logic that a happy worker is a productive worker. A happy, committed worker is also unlikely to turn rogue when it comes to cyberdefence. “A main reason for companies to invest in employee wellbeing and engagement is that discontented staff pose a clear security risk, especially when resigning or leaving the organisation,” says Louis Smith, insider threat specialist at Fidelis Cybersecurity.
“Individuals who feel wronged by the company might feel they have something to gain from sabotaging intellectual property or conducting IP theft.”
Jake Moore, cybersecurity expert at ESET, agrees. “Employees are your best asset, yet they are also the weakest link. They are able to spot signs that not even artificial intelligence can see, such as a begrudged staff member, and pick up on such signs,” he says.
Most employees demand flexible working, and PA Consulting’s Mr Vile says organisations must ensure that this policy, adopted to boost happiness, is secure. “With many employees now routinely working from home, or working out of multiple offices, it extends the digital boundaries of an organisation far beyond its traditional office space,” he points out. “Whenever digital boundaries are expanded in this way, it makes it harder for security to stretch and cover everybody.”
Togetherness: getting the whole organisation on board with cyberdefence
Now more than ever, thanks to the introduction of cloud solutions, cyberdefence simply has to be a company-wide commitment, from top to bottom. “Some 92 per cent of cybersecurity teams surveyed in The Oracle and KPMG Cloud Threat Report 2019 said they were concerned that individuals, whole departments or lines of business were in violation of their security policies for the use of cloud applications,” says John Abel, vice president of cloud and innovation at Oracle.
“In almost half of those cases, the unauthorised apps being used resulted in improper access to data and the introduction of malware that can quickly spread across an organisation.
“The increasing number of connected devices and the growth in mobile working has led to an exponential increase in opportunities for cybercriminals, making it even more important for employees to be engaged and prepared to spot threats.
“Our research also revealed almost one in four companies that had been the subject of a cyberattack in the past two years said ‘increasing employee awareness and training’ led to the biggest improvement in the security of the organisation, showing just how powerful employee engagement programmes can be.”
Empowerment: engaging staff to be vigilant at all times
If an organisation’s cyberdefence is only as good as its weakest link, it is crucial to empower all employees and give them a reason to be diligent. “Encouraging employees to question requests, double check on records and be just a little paranoid are all critical in improving overall cybersecurity posture,” says Aaron Zander, head of IT at HackerOne.
“Companies that blame employees for poor passwords or bad behaviour with email aren’t spending enough time, money or energy driving home security. Preventing phishing attacks can be closely tied to corporate culture.”
Behaviours need to change, says Mr Zander, who asks: “Is it normal for an executive to demand something like a bank transfer to a vendor, or a large purchase from a random site with no questions asked either because of fear or sternness? Welcome to phishing heaven. It’s up to IT and security teams to enable, empower and educate employees as part of strengthening the weakest links.”
Audra Simons, head of Forcepoint Innovation Labs, adds: “Engaged employees tend to be more conscientious, compliant and ultimately become a positive force within the organisations.”
Motivation: make learning about cyberdefence engaging - even fun!
In the same way that an organisation with a clear and inspiring vision is more likely to attract and retain talent, educating the workforce about cyberdefence using a fun and engaging approach can reap big rewards. “Studies show that the stick doesn’t work,” says PA Consulting’s Mr Vile.
“One innovative solution is to go beyond mere cyber-awareness training and develop more ‘gamified’ approaches, boosting the engagement of employees and leaders through exciting role plays and scenarios involving ‘games’ with cyberattacks and attackers,” says Thomas Calvard, lecturer in human resource management at the University of Edinburgh Business School.
Adenike Cosgrove, cybersecurity strategist at Proofpoint, took this approach with Royal Bank of Scotland (RBS) staff. “Through an ongoing programme of ethical phishing simulations based on actual fraudulent messages from the wild, RBS determined their employees’ susceptibility to real-world attacks,” she says.
“Users falling victim to these fake phishing messages on multiple occasions received comprehensive training, which led to a significant 78 per cent reduction in the likelihood of users clicking on nefarious campaigns.”