It is important to note, as we enter Q2 2020 and our second month in lockdown, that:

  1. Cybercrime is still increasing, both in the number of attacks and in the value lost,
  2. Staff education and corporate culture are still the weakest link in the security process.

The current virus pandemic makes point 2 extremely important: the number of attacks is increasing while the workforce is socially distancing and working from home. This means the security burden rests increasingly on the shoulders of each employee.

The risk

Companies are reportedly losing millions, billions and, in 2020, trillions of dollars. The figures keep growing, so let us simply accept that the risk is significant and increasing and not worry about the absolute value. Varonis put together a list of 110 statistics relating to cybersecurity in 2020. It makes shocking reading, and everyone would be wise to look at it at least once.

Building a wall around your IT systems is no longer considered the best approach; someone will find a way through, especially if you have older systems that cannot be, or have not been, updated. Some unlucky company has to be the first to succumb to a previously unknown weakness, and if that company is yours you need a better plan than a taller wall.

The traditional approach – Prevent-Detect-Respond – is no longer adequate for today's world.

Selecting the best approach

Before an attack lands, it is essential that you know where your valuable systems and data are, so that you can protect them and prepare. When the attack happens you need to know as soon as possible, and your employees need to react. Only after the attack has been contained can the recovery process start. The new approach must therefore be:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

These five steps are the core functions of the NIST Cybersecurity Framework, where they are discussed in detail.

The employee’s role

In order to identify an attack, your employees need some understanding of cyber-security. It seems logical, therefore, especially today, that the solution starts with employee education. Follow this initial step by keeping your systems patched and up to date.

Getting employees on board

Accepting that the risk of attack is always there, employees need to think security. This applies everywhere: adding a new printer, starting a new project, recruiting a new team member. And it applies all the time. It must become second nature.

Statistics published by the security company Egress in August 2019 back up why employees are key: of the 4,856 personal data breaches reported to the Information Commissioner's Office (ICO) between 1 January and 20 June 2019, 60% were the result of human error.

Last year's Data Breach Investigations Report from Verizon also highlights the role of insiders in breaches: the share of breaches involving insiders ranges from 5% to 59%, with an average of 32%. Add to these numbers the outsiders who target employees, for example by email, and you can see why employees are so key.

Corporate culture, from the CEO down, drives engagement and compliance with the security policy and makes it part of everyone's day job.

We are looking for simple changes that show the shift is underway. We no longer just click on links or open an attachment in an email, and we no longer pick up a flash drive and plug it in. If someone does, there should ideally be a tool that tells the user immediately that they are taking a risk, and at that point there needs to be immediate feedback and training for the people involved. Everyone also needs to know that security does not apply only to the desktop office environment; it applies equally in the following situations.

Home working:

Flexible working practices and home working are critical to everyone today. At home, employees should at least be applying the Prevent-Detect-Respond model, with the firewall enabled on their wireless and/or broadband access point. It is worth checking that this is actually the case, and that the default passwords on those devices have been changed. Employees may also be using a cloud service or two and, more often than not, several connected IoT devices in their home, which also connect to a cloud.

On the road:

When employees are on the move, in a hotel, an airport or a coffee shop, the security of the network they are using is unknown, so they need to act accordingly. Mobility and IoT are potential vulnerabilities where employees have to be on their guard.

Smart phone:

Users will use their personal device in the office in the same way they use it at home, and will resist any attempt to restrict this. The Verizon report indicates that "18% of people who clicked on test phishing links did so on mobile devices".

Trust and Openness

Let us avoid finger pointing, witch hunts and shaming when someone reports a breach. There isn't time. Companies have only 72 hours to report certain types of breach involving personal data to the relevant supervisory authority. That 72-hour deadline comes from the European GDPR; other legislation, such as the Californian CCPA, imposes its own notification duties.

Cultural Change

Education for all, shared responsibility, and security and zero trust built into everything. Prepare and practise recovery procedures, and monitor all the time. However, it is a fight, and often you are behind. You are naturally focused on your core business, not cyber-security; your enemy is totally focused on it. And no solution comes with a 100% security guarantee. The day will come when it's your turn: prepare, plan and practise.