Seven cyber security experts talk to teiss about how training and awareness campaigns are critical strategies for strengthening organisational cyber security.
Every year, October marks National Cyber Security Awareness Month. This year’s theme is ‘Do your part. #BeCyberSmart’, because being aware of the threats of cyber-crime should never be limited to the IT team – every individual could represent a vulnerability, and should therefore be equally aware of the threat.
As the pandemic of COVID-19 continues to shake the world, it also opens up new opportunities for cyber-criminals to exploit vulnerability and uncertainty. Research shows that more than half (55 percent) of businesses in the UK suffered a phishing attack, while a third (36 percent) were on the receiving end of a ransomware attack.
In light of this, teiss spoke with seven cyber-security experts to get their thoughts and advice this National Cyber Security Awareness Month.
Stop cyber-criminals exploiting change and uncertainty
“As organisations transitioned into remote working almost overnight, security teams were left to quickly ensure their businesses were secure, while trying to fill in the cracks left behind by the introduction of new networks, new devices, and new cyber attacks,” said Gijsbert Janssen van Doorn, Director Technical Marketing at Zerto.
“It isn’t a surprise that cyber-criminals started taking advantage of this almost immediately, carrying out ransomware attacks throughout the pandemic as businesses did everything they could to remain operational. However, away from the private sector, where healthcare and public sector organisations have been facing huge pressures to manage and control the COVID-19 outbreak, bad actors have posed a significant threat. Keeping healthcare operations running in normal circumstances is absolutely critical, but in the middle of a pandemic that significance is only magnified.
“Employees, now more than ever, need to remain vigilant in protecting their organisation. Ransomware attacks can and will still occur, so cyber resilience is imperative. With a 72% increase in ransomware attacks during COVID-19, organisations need to be prepared for the inevitable.
“Once compromised, it’s too late to take any preventative measures. Organisations need to be able to recover data and get back to operating swiftly and painlessly, without paying a ransom. Key to this is leveraging IT resilience solutions that can quickly and effectively provide recovery after an attack.”
Andy Swift, Head of Offensive Security at Six Degrees added: “If there’s one thing you can say for cyber-criminals, they rarely miss an opportunity. In 2020, the coronavirus pandemic has offered cyber-criminals a myriad of opportunities to exploit victims’ fears and uncertainties, sow seeds of false hope, and persistently cause disarray in the aid of compromising data and making money.
“Many organisations throughout the world are fighting to remain operational, and cyber-criminals know this. They will continue to target organisations that are struggling as a result of the coronavirus pandemic, as they recognise that budgets for IT and cyber security resources may well have been reduced – making them easier targets for phishing and ransomware attacks.
“There is no magic bullet when it comes to cyber security. Whatever systems you are trying to protect, a well thought-through hardening strategy that follows the principle of least-privilege and minimises the potential attack surface should form the baseline upon which you can build defence in depth with firewalls, intrusion detection and any number of defensive layers.”
Enable your people with proper training
“Research presented at the USENIX SOUPS security conference last month shows that security and phishing awareness training wears off after only a few months,” explained Don Mowbray, EMEA RVP, Tech & Dev at Skillsoft. In the study, even security teams that could still correctly identify phishing emails four months after training could no longer do so beyond six months.
“In the post-pandemic world, with a majority of employees working from home, the attack vector has changed. These employees are now the most vulnerable part of an organisation’s cyber-defence, with the possibility of social engineering, ransomware and other attacks targeting remote workers. Employees are also any organisation’s first line of defence against cyber-attacks. While no preparation can eliminate the risk of a breach, a core focus on developing your employees’ knowledge, skills and awareness can significantly mitigate the risk of succumbing to an attack.
“Whether it’s enabling IT and security teams to keep pace with evolving threats and defence measures or increasing awareness of phishing tactics for even the most junior of employees, training needs to be comprehensive, ongoing and regularly reinforced for every employee.”
Andy Collins, Head of Security at Node4 added: “Regular training and awareness drives are vital to help employees recognise malicious behaviour – which is rarely static. Social engineering often extends to out-of-band communication, so employees need to remain vigilant across all channels – even on social media or the telephone.
“One of the most effective ways to prepare employees for an inevitable phishing attack is with non-destructive phishing campaigns – simulated campaigns that track and analyse behaviours to give you a clear understanding of how to fill the gaps in employees’ awareness.
“Analysing specific individuals or departments with selective spear-phishing testing means you can target training more effectively, from a department level right down to an individual member of staff. The key is consistency of training. As the saying goes: teach your employees how to phish and you can protect them for a lifetime.”
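The analysis step Andy Collins describes (tracking simulated-campaign outcomes and breaking them down by department and individual so that training can be targeted) is easy to run over the raw results of a phishing simulation. The script below is an added illustration, not code from Node4 or from this article; the campaign names, departments, users and outcomes are constructed sample data, and the "clicked / reported / ignored" outcome model and the repeat-clicker threshold are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One employee's outcome in one simulated phishing campaign."""
    campaign: str
    user: str
    department: str
    outcome: str  # assumed outcome model: "clicked", "reported" or "ignored"


# Constructed sample results from three simulated campaigns (not real data).
SAMPLE_RESULTS = [
    Result("q1-invoice", "alice", "finance", "clicked"),
    Result("q1-invoice", "bob", "finance", "reported"),
    Result("q1-invoice", "carol", "engineering", "ignored"),
    Result("q1-invoice", "dave", "engineering", "reported"),
    Result("q2-password-reset", "alice", "finance", "clicked"),
    Result("q2-password-reset", "bob", "finance", "ignored"),
    Result("q2-password-reset", "carol", "engineering", "clicked"),
    Result("q2-password-reset", "dave", "engineering", "reported"),
    Result("q3-parcel", "alice", "finance", "reported"),
    Result("q3-parcel", "bob", "finance", "clicked"),
    Result("q3-parcel", "carol", "engineering", "ignored"),
    Result("q3-parcel", "dave", "engineering", "reported"),
]


def department_rates(results):
    """Return {department: (click_rate, report_rate)} aggregated over all campaigns.

    A high click rate shows where awareness gaps are; a high report rate shows
    where employees are actively acting as the first line of defence.
    """
    counts = defaultdict(lambda: {"total": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[r.department]
        c["total"] += 1
        if r.outcome in ("clicked", "reported"):
            c[r.outcome] += 1
    return {
        dept: (c["clicked"] / c["total"], c["reported"] / c["total"])
        for dept, c in counts.items()
    }


def training_priority(results):
    """Departments ordered from highest click rate to lowest: where to focus group training first."""
    rates = department_rates(results)
    return sorted(rates, key=lambda dept: rates[dept][0], reverse=True)


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` distinct campaigns.

    These are the individuals who warrant one-to-one follow-up rather than
    another generic awareness session (threshold is an assumed policy value).
    """
    clicks = defaultdict(set)
    for r in results:
        if r.outcome == "clicked":
            clicks[r.user].add(r.campaign)
    return sorted(user for user, camps in clicks.items() if len(camps) >= threshold)


def campaign_click_rates(results):
    """Organisation-wide click rate per campaign, in the order campaigns first appear.

    Plotting this over time shows whether earlier training is wearing off.
    """
    totals = {}
    for r in results:
        t = totals.setdefault(r.campaign, {"total": 0, "clicked": 0})
        t["total"] += 1
        if r.outcome == "clicked":
            t["clicked"] += 1
    return [(name, t["clicked"] / t["total"]) for name, t in totals.items()]


if __name__ == "__main__":
    for dept, (click, report) in department_rates(SAMPLE_RESULTS).items():
        print(f"{dept:12s} click {click:.0%}  report {report:.0%}")
    print("train first:", training_priority(SAMPLE_RESULTS))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    for name, rate in campaign_click_rates(SAMPLE_RESULTS):
        print(f"{name:20s} {rate:.0%} clicked")
```

In a real programme the `SAMPLE_RESULTS` list would be replaced by the export from whatever simulation tool is in use; the point of separating the three views (department, individual, campaign over time) is that each answers a different question: where to run group sessions, who needs individual coaching, and whether the effect of training is decaying, which is exactly the wear-off the SOUPS research quoted above warns about.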
Implement the best tools and practices
“In recent years there has been a major shift in the way businesses conduct their operations and how employees do their work,” said Raif Mehmet, VP EMEA at Bitglass. “And then in recent months…the shift from office-based to home-based work, combined with a lack of adequate forward planning, has been a painful transition for many.
“Before the start of the year, the prospect of a fully remote workforce seemed far-fetched for the majority of organisations. According to research, only 29 percent of respondents claimed they were fully prepared for remote working when the pandemic hit. From a security perspective the picture is concerning, with 70 percent stating they were either moderately prepared or not prepared at all.
"Today, across many organisations, corporate culture has changed dramatically. Many people now access, share, and store data in a variety of ways, using diverse services and devices. For this reason, it is now more important than ever for organisations to prioritise security and be cyber aware.
“With the shift to remote working shaping to be long term, businesses can no longer afford to improvise when it comes to data protection. Instead, organisations must invest time and resources into finding appropriate security solutions that are capable of securing data in a remote environment. Fortunately, there’s a wide range of highly effective products and solutions like cloud access security brokers (CASB), and user and entity behaviour analytics (UEBA) that can quickly provide visibility and control, no matter how geographically dispersed a workforce is.”
Stephen Roostan, VP EMEA at Kenna Security, explained: “As in life, some IT security teams will win, others will struggle. From first-hand experience I know that the teams that have embraced data science, real-time vulnerability intelligence and automation will likely be the winners. The reason is simple: it enables them to cut through the noise and understand which vulnerabilities pose the biggest threat to their business. They can then create a prioritised and efficient approach to fixing the most important problems first, which frees up precious resources to address other IT issues, reducing some of the pressure put on the team.
“Although it only runs for a few weeks, the impact of Cyber Security Awareness Month is ongoing because it creates a platform for best practice and ideas exchange among IT security professionals. This can only be a positive development, helping to reduce wasted efforts, improve collaboration across teams and having a meaningful impact on risk profiles.”
Not just a process, but a mindset
Tim Bandos, VP Cyber Security at Digital Guardian, concluded: “In today’s increasingly digital age, technology is a vital part of everyday life. But with the steady stream of cyber security breaches, leaks and hacks that dominate the news week to week - affecting almost half of UK businesses in the past 12 months - the security of our devices and data must also be ingrained into daily routine. National Cyber Security Awareness Month is a good reminder to organisations to do just that.
“Regularly reviewing system settings and disabling unnecessary services that may leave them open to attack is crucial. It is also absolutely essential that IT systems are constantly updated and free from known vulnerabilities. Whilst data protection solutions can help prevent data loss, successful security programs also require proactive training around employee awareness and their ability to comply. This includes educating remote workers about attacks via SMS and smartphone apps, teaching them to make informed decisions around the use and protection of data.
"This shifts the focus towards identifying, controlling and securing data, which will ultimately decrease threat risk - and hopefully the need to admit you should have known better.”
As we go into 2021, cyber security will undoubtedly be high on the to-do list for businesses of every size across every sector, and this awareness month should serve as a time to seriously consider what processes, tools and training need to be implemented.