Written by Mark Lomas, technical architect, Probrand
We’re constantly told that we need to improve our cyber-security measures and, during the Coronavirus lockdown period, things have been no different. But, it’s for a good reason.
Hackers have shown no sign of good conscience during the Covid-19 pandemic – the opposite is true. The most significant challenge, however, has come from a rapid shift to home working, on a massive scale.
This has exposed a huge number of people, who are more familiar with an office environment, to new remote working tools. That has been worrying because the most common cause of a data breach lies with mistakes made by those within an organisation.
The Information Commissioner’s Office (ICO) conducted research between 2017 and 2019 which revealed that approximately 90 per cent of attacks and breaches can in some way be attributed to user errors or mistakes. The cyber criminals know this and, while workforces have been forced to quickly learn new ways of working, they have upped their game.
A recent study found that almost half of UK home workers have been targeted during the pandemic. Unsurprisingly, hackers have been going after the collaboration tools, such as Zoom and Teams, which have been most widely adopted during this lockdown period.
They are seeking to coax staff members into lapses in judgement – for example, clicking a seemingly innocent link that turns out to be hostile. If this happens, it could lead to a devastating attack that results in a corporate client wanting to know what went wrong, with demands to see proof-of-investment in better policies and processes.
It’s vital, therefore, to mitigate as best you can against this threat. That might be through sophisticated technology (which I’ll speak about lower down), but the first step has to be educating the workforce about current threats.
Educating the workforce
A lot has already been said about the importance of educating the workforce on cyber security, which can be distilled into two key lessons. First, that it is the responsibility of everyone in the organisation to know what a cyber threat looks like – not just the IT department. Second, that this type of education is a continuous process. The techniques and methods used in cyberattacks are constantly changing. So, user education needs to be updated and delivered regularly to be effective.
In a recent survey commissioned by Chubb, 70 per cent of respondents said their organisation has “excellent” or “good” cybersecurity practices. At face value, that looks like a healthy percentage. But when the survey asked those respondents where they learn about cybersecurity, only 19 per cent answered “through their employer”.
What does this dichotomy tell us? To me, it says that the remainder of these respondents – a massive 81 per cent – don’t know how to protect their business, because they lack the necessary knowledge on where the threats lie. This is where organisations need to come to the aid of their employees and enable staff to deal with threats and maintain their knowledge through regular training.
Beyond education – technology to quell the threat
Of course, education can only get you so far. Your employees are human, which means they have the capacity to make mistakes. So, beyond good education practices, here are a few security tools that are particularly easy to access, especially for those who have made the jump to the cloud.
- Multi-Factor Authentication. Together with conditional access policies, this technology puts layered barriers in front of hackers by requiring multiple authentication checks of the user and ensuring they comply with policies that place conditions on who has access to certain services and data sources.
- Data Leakage Prevention (DLP). This solution enables the user to label and encrypt data. This secures sensitive data and prevents ‘snap-sharing’ from exposing your business.
- Unified Endpoint Management (UEM). This technology affords the user management across all endpoints, protecting your systems no matter what operating system is being used. You can also add a Digital Workspace to ensure your workforce doesn’t turn to their own consumer services, which can result in shadow IT.
Ensuring the data flow is water-tight doesn’t just stop direct exposure; it also makes it tougher for hackers to get inside your processes and exploit them for financial gain. At the same time, by focusing more on the data itself, you can actually enable greater convenience for users without compromising security.
Remote working and cloud-based solutions come with their own unique cyber threats, requiring encryption of data and the management of security keys, for example. But if you conduct proper employee training, and put security protocols and products in place, you can take the oxygen away from hackers and give yourself less cause for concern.