Human-centric approach to protect against cyber security threats
By Anne Simpson, Marketing Manager, EMEA, Ava Security
The start of 2020 brought a huge change to businesses as the world found itself faced with a pandemic that would change the way we live, shop and work. Almost overnight, the office environment went quiet and the home office was introduced to a sea of employees who did not have the proper equipment or space to accommodate this new way of working. On top of not having a proper office chair at home, employees would be asked to work from a new network with new implications for the company they were working for. While some companies were prepared to accommodate remote workers, the rise in cyber attacks in 2020 is a strong indication of the vulnerabilities that came into existence with the home office.
In a report generated by Interpol at the end of 2020, it was found that due to a dependency on online work and communication, cyber criminals found new opportunities to exploit companies with lower defences through a remote workforce. A majority of the cyber attacks they found at the beginning of 2020 were attributed to phishing, scams and fraud. These are attempts to infiltrate a company using an unsuspecting company insider, meaning that any single employee who is left unprotected by their company can be a threat to that company. One misclick in a phishing e-mail can mean an open door to a cyber criminal.
This is not to say that there is malicious intent from employees within an organisation. Quite the opposite: employees are merely victims of inescapable human error. In the 2020 Data Breach Investigations Report (DBIR) from Verizon, it was found that while hacking remains the most common action attributed to a breach, it saw a decline last year, while there was a steady increase in the frequency of error as the attributed action. According to that same report: “There is no getting away from the fact that people can, and frequently do, make mistakes and many of them probably work for you.”
While insider risk is understood to be a contributing factor to a breach, it has only recently become accepted as a categorical issue that can be addressed. Slowly, companies are adapting to find new ways to protect their employees both remotely and in the office.
Instead of pushing the blame onto employees who are working within their natural tendencies, companies should consider what changes can be made within an organisation in order to protect against outside threats that enter through inside means. Many companies maintain a data protection policy within their company handbook. The data protection policy is designed to be a guide for employees as they move about their general daily activities and assist when making decisions on behalf of the company. As important as this document is, quite often, employees review the handbook only on entering a company, even though handbooks tend to be updated periodically to keep up with ever-changing regulations and ideas. This dilemma is an inconvenient truth that is often overlooked but can make the difference between a secured company and a breached one.
Teaching and reinforcing positive cyber hygiene among employees is one way in which employees can help in defending against cyber attacks. This means consistently and safely training employees at the moment they perform an action that could compromise important data or open themselves up to a threat. This could be sharing a document containing sensitive information with an outside source through a document-sharing service, or clicking on an e-mail without reviewing the source. With practice and consistent guidance, it is possible to train employees with new programs that help to curb unwanted behaviours, with notifications being sent to employees when one of these incidents is about to occur. The employee can learn in real time why they cannot or should not perform this action. It can also be a comfort to employees, who know they are protected within this system of alerts, with additional options to anonymise which employee is connected with each incident: full visibility while maintaining privacy. With time, these actions will become habits. Human error is always likely to occur, but with incident-based training, employees and companies can better protect themselves from outside risks.
The future of work has changed, with employees working both remotely and back in an office. To accommodate these changes, employers need to act now to better protect their employees and, in turn, their data. The cost of a breach can soar into the hundreds of thousands depending on the extent and industry. The educated workforce is a company’s best defence against this threat.
1. Interpol. “Cybercrime: COVID-19 Impact.” August 2020. Interpol.int, https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19
2. Verizon. “Data Breach Investigation Report 2020.” 2021, pp. 13-14. https://enterprise.verizon.com/resources/reports/dbir/.