Cybersecurity, according to Tech Target, is ‘the protection of internet-connected systems, including hardware, software and data, from cyber-attacks. In a computing context, security comprises cybersecurity and physical security — both are used by enterprises to protect against unauthorised access to data centres and other computerised systems.’
The tech world can often be boiled down to a series of buzzwords. As a prime example, the technology buzzwords for 2019 are, in no particular order – Immersive Experience, Artificial Intelligence, 3D Alteration, Internet of Things, Blockchain, Microservice Architecture, Quantum Computing and Mobile-First – and you can add Cybersecurity to that list.
In the first of a series of posts on cybersecurity, we’re going inside your business to focus on two key areas: first, how to build a cyber-resilient business from the ground up, and second, how effective cybersecurity starts with employee engagement.
Is Your Business Cyber-Resilient?
We can probably answer that for you. Or more accurately, Kate O’Flaherty writing in The Sunday Times can.
87% of organisations do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want.
So the answer is most likely to be no.
The thing about cyber attacks these days is that it’s not if you’re going to get done, but when, and more and more businesses are finding out the hard way that this is true. Adobe, Marriott Hotels, British Airways, Facebook, Equifax, Sony, eBay, JP Morgan Chase…you get the point.
The point is that it’s now a business problem and since the average clean-up cost (if indeed your business is able to recover from a data breach) is around £4m, it’s something that needs to be factored into your plans, especially as ‘dependency on complex internet-enabled business models outpace the ability to introduce adequate safeguards to protect critical assets.’
What’s more, customer trust is now largely dependent on your ability to prove your business is secure.
In the old days it was easy. You built a ‘wall’ around your business data but in the age of perimeter-free BYOD and the cloud, this approach is no longer effective. According to Jamal Elmellas, CTO at Auriga Consulting, ‘firms need to know which of their applications is most important to the day-to-day running of the company and to ensure that this is resilient and can get back up and running should an incident happen.’
The more robust your IT is, the more options your organisation has. Your perimeter wall should be a deterrent but the determined ones who get through should be hit by network segmentation making it extremely hard to access your critical business data.
In addition, there’s your own security. You need to ensure your data storage methods meet increasingly stringent legal requirements, and you need to understand the inherent risk. ‘We’re too small for anyone to bother with’ is no longer an acceptable business position and if that’s where you are, we’d urge you to re-think before you’re hit with a £4m bill.
The thing is, cyber-attacks are getting increasingly common and increasingly sophisticated, but there is some very, very good technology available from the likes of ESET, Mimecast, Netskope, Okta, ZoneFox and Tessian that helps to detect threats, including new tools that take advantage of developments in *buzzword alert* AI and machine learning to pick up abnormalities and odd behaviour patterns.
But, with the advancements in technology readily available, it’s often human error that allows the baddies in through the back door, like leaving your laptop on the train or dropping a flash drive while you’re rooting through your pockets to give a homeless guy a quid.
Depending on which way you look at it, humans are either the weakest link or the first line of defence (just ask Chelsea goalie Kepa Arrizabalaga which one he is after Sunday’s shambles…)
Which leads us very nicely and dare we say smoothly to the second part of this week’s blog which says that…
Staff Engagement Is Key To Your Cyber Defence
Every now and again, you’ll get a rogue employee who’s hell-bent on killing your business from the inside, so here are five key reasons why staff engagement MUST be part of your business’s cyber defence strategy, from Oliver Pickup (yes, really) writing in The Sunday Times.
Over 25% of cyber-attacks are perpetrated by insiders according to Verizon’s 2018 Data Breach Report. Moreover, one in five data breaches are down to plain old human error.
Cybersecurity expert at PA Consulting Luke Vile (yes, really) suggests that ‘the vast majority of data breaches can be traced back to one single phishing email whereby employees are used as targets to obtain data and it’s known as a “stepping-stone cyber approach”.’
Educating employees to be more alert to the signals is a great first step and will make them more likely to report contact and stop a breach.
Happy workers are more productive. It’s hard to argue with that and there’s study after study to prove that postulation. More to the point, a happy employee is far, far less likely to turn rogue. By that logic, disengaged malcontents pose a clear cybersecurity risk, especially when they resign or get booted out.
‘Individuals who feel wronged by the company might feel they have something to gain from sabotaging intellectual property or conducting IP theft,’ says Louis Smith, insider threat specialist at Fidelis Cybersecurity (and not the Olympic gymnast), and Jake Moore, cybersecurity expert at ESET, agrees.
‘Employees are your best asset yet they are your weakest link. They are able to spot the signs that not even AI can see such as a begrudged staff member. Keep them happy and they’ll respond in kind.’
You’re all in it together. From the very top to the very bottom. Cybersecurity is a company-wide commitment. According to the Oracle and KPMG Cloud Threat Report 2019, 92% of cybersecurity teams said that individuals, teams or whole departments were in violation of their security policies for the use of cloud applications, and in almost half of those cases the unauthorised apps resulted in improper access to data and the introduction of malware that can spread like wildfire.
One silver lining from the dark cloud of a data breach is that whole-company engagement, awareness and training can often lead to the biggest improvement in the company’s technological security.
Given the fact that humans are often the weakest link, Aaron Zander, Head of IT at HackerOne says ‘it’s crucial to empower all employees and give them a reason to be diligent. Encouraging employees to question requests, double-checking on records and being just a little paranoid are all critical in improving overall cybersecurity posture.’
If your IT department are spending their time berating staff for easy-to-deduce passwords or bad email behaviour, they’re not doing their jobs properly.
Audra Simons, head of Forcepoint Innovation Labs said ‘engaged employees tend to be more conscientious, compliant and ultimately become a positive force within their organisations.’
Employees don’t respond well to the stick and carrot approach. Educating a workforce about cybersecurity shouldn’t involve cramming them into the boardroom with a talking head from IT and a 140-slide PowerPoint presentation. That’s likely to end in a mutiny.
‘One innovative solution is to go beyond mere cyber-awareness training and develop more gamified approaches, boosting the engagement of employees and leaders through exciting role plays and scenarios involving games with cyberattacks and attackers,’ says Thomas Calvard, an HR Management lecturer at the University of Edinburgh Business School.
This tack works. Adenike Cosgrove, a cybersecurity expert at Proofpoint, used this method with RBS staff: ‘Through an ongoing programme of ethical phishing simulations based on actual fraudulent messages from the wild, RBS determined their employees’ susceptibility to real-world attacks.’
‘Users who fell victim to these fake phishing messages on multiple occasions received comprehensive training which led to a significant 78% reduction in the likelihood of users clicking on nefarious campaigns.’
So there we have it, part one of our look into cybersecurity comes to a close but part two will follow hot on its heels! Stay tuned for next week’s blog which will be jam-packed with facts, and some of them will shock you…!