Between March and May 2020 alone, there was a reported 6,000% increase in coronavirus-themed spam as criminals sought to leverage the uncertainty and confusion caused by the global crisis to manipulate employees and gain access to valuable data.
It’s not surprising, therefore, that companies are constantly seeking new ways to stay safe from cybersecurity threats.
So how can organisations best leverage their technology – and their employees – to stay safe?
To answer that question, our recent webinar saw ServiceNow’s EMEA Advisory Chief Information Security Officer, James Blake, joined by three other experts in the field: Jenny Radcliffe, an ethical social engineer and “people hacker”; Javvad Malik, Security Awareness Advocate at KnowBe4; and Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4.
Here’s what they had to say.
Make employees your first line of defense
When it comes to security, your organisation is only as strong as your weakest link. But while humans are often presented as a soft target, more often than not, it’s a combination of misguided tech and a lack of employee education that gives hackers an easy route in.
While it’s easy to fault employees for clicking on a link or opening an attachment, humiliating those who fall prey to attacks solves nothing – and is the perfect way to create a disgruntled employee.
“As a social engineer, if I can find someone who has been treated unfairly by a company, I can grow that resentment and turn them into a toxic insider,” says Jenny Radcliffe.
Instead, Jenny advises creating a security culture with an objective of changing behaviours through a holistic program that incorporates technology, people, and policies.
“By getting rid of blame culture, you effectively remove a key weapon from a hacker’s arsenal as they rely on the fact that people are too afraid to say they’ve done something wrong and may hide it.”
“In creating a safe place for people when they make a mistake, employees are more likely to report their mistakes which can resolve situations faster. Ultimately, it’s about helping employees make better risk decisions, by making everyone a part of security instead of placing fault when something goes wrong.”
Security starts at the top
When PwC simulated phishing attacks on mid- to large-sized financial institutions back in 2019, they found 7% of recipients clicked on the malicious link. It may seem like a low percentage, but it only takes one click for a costly phishing attempt to be successful.
The events of the ongoing COVID-19 pandemic have given cyber criminals a unique advantage to profit from. A shocking 47% of those surveyed by Deloitte had fallen for a phishing scam while working from home, while more than half a million people globally were affected by data breaches.
The immediate reaction for many businesses has been to ramp up security to the max – but this kind of knee-jerk reaction could severely jeopardise user experience, according to James Blake.
“Instead, we need to better understand the steps that led up to that moment of the employee clicking on the link. What processes were put in place beforehand? What training took place? And why didn’t it work?”
In James’ view, these are conversations that need to take place right at senior leadership level.
“IT leaders and CSOs play a key role in starting conversations around cybersecurity, arming employees with the right information, training them to spot suspicious activity, and, ultimately, building out resilience across the organisation – that is, an ability to withstand and continue to operate if something does go wrong – rather than just detect and respond.”
Focus on the threat, not the technology
How, then, should companies set themselves up to respond better to security risks in the future?
Training is one aspect. But that training can’t be generic: companies now need to be proactive and tailor training around different departments to encourage security at every step. That way, employees are aware of the specific threats they may face personally, and will report those threats to IT when they see them.
“It’s all about communication,” adds Javvad Malik. “Having a clear communication strategy and being transparent about what is expected is absolutely key, as it eliminates uncertainty and reduces risk. By removing that ambiguity, employees are less likely to make mistakes, as they’re not left to fill in the gaps or make a guess about what the right course of action should be when faced with a given threat.”
Beyond communication, there’s also work to be done around how businesses identify their weak spots, according to Roger Grimes. “The best way to recognise specific weaknesses is by looking at historical attacks and identifying the root causes of those attacks, whether it’s bad passwords, eavesdropping, or something else. Usually an attacker was successful because a server wasn’t patched, or they were able to successfully socially engineer an inexperienced or vulnerable employee.”
James agrees. “Focussing on the threat first – rather than basing security plans around the newest, most innovative technology on the market – means defense plans are far more likely to succeed.”
“There’s no need to throw all your existing technology out of the window and spend huge sums on the latest, greatest tech if what you’re already using does the job. Businesses should use their existing tech where they can, and bolster it with need-driven tools that respond directly to any particular gaps they may have in their defences.”
Security is a journey, not a destination
At the end of the day, a one-off annual review will never be enough to counter all the security threats today’s businesses face. Technology advances far too quickly for that. Security has become a constant process of improvement, and businesses need to stay agile to keep up.
It sounds complex, but it doesn’t have to be. James leaves us with a simple recipe to finish:
“Understand the adversary and what they want. Build defence plans based on that. And then outline your people processes and tech methodologies to follow. If you stick to that guide, you can’t go too far wrong.”