The current narrative around cybersecurity is about businesses
needing to leverage emerging technologies such as artificial
intelligence (AI) and machine learning. A dystopian future of AI vs. AI
is our destiny as machines fight it out on the cyber warfare
battlefield.
But the reality is that 90% of all cybersecurity breaches are currently the result of human error.
Before we get too carried away with the 'rise of the machines',
most businesses should be focusing on the human side of cybersecurity.
It's not about pointing the finger of blame at careless employees or
accusing them of being negligent. For the most part, the average
employee is uninformed and unaware of the risks involved every time they
click on a link or attachment.
Social Engineering - employees under attack
The rise of social engineering
enables attackers to take advantage of the weaknesses in human
behavior. For example, anyone can see on LinkedIn or a conference
website that a CEO is out of the country and speaking at an event.
Hackers can quickly locate the email domain of a company from its
website and target the finance team with an urgent invoice request while
the CEO is away.
Another common trick is dropping infected USB drives in a staff
car park. Someone will always pick up the drive and plug it into their
computer and unwittingly take down the entire corporate network. This
simple tactic relies on exploiting human curiosity and has even been
responsible for closing an entire
hospital.
If a hacker knows from Twitter that you've been to an Ariana Grande
concert, it's also easy to send a message saying, "did you see Ariana
Grande's new video just dropped today?" This personalised approach will
ensure a higher success rate when attempting to direct users to phishing
pages or malware exploits.
Equally, the ubiquitous Facebook quizzes that appear harmless at
first glance are often designed to extract personal information such as
your mother's maiden name. Buzzfeed's "What City Should You Live In?"
generated over
20 million unique visitors. It is relatively easy for an attacker to replicate quizzes like this and redesign them to extract personally identifiable information without users even realising it.
It's time to think beyond BYOD
Once upon a time, an IT department would provide every employee
with a Blackberry and a tightly controlled desktop PC or laptop. The
BYOD movement
changed all that. The guardians of corporate networks were forced to
accept that stopping a deluge of new devices such as iPads from hitting
the network was a futile exercise. Wireless connectivity quickly went on
to dominate the workplace.
Here in 2019, enterprises allow almost any device onto their
networks and also increase the risk of picking up malware through their
users' browsing habits. But this was just an early indicator of the
significant challenges on the road ahead.
Over the next few years, 5G is due to hit the UK and upon launch we can expect speeds of between 1Gbps and 10Gbps. But there are already reports in China of speeds reaching an incredible 20G per second. The current number of 8.4 billion
IoT connected devices is expected to explode at a phenomenal rate. A
new age of smart devices and sensors will begin to make smart offices
and entire cities a reality.
Personal smartphones, tablets, and smartwatches were generally
used in plain sight. If you thought BYOD was a challenge, you had
better buckle up for an even faster ride. IoT device performance
management and enabling businesses to leverage value from technology is
just the beginning. Once again, there will be a significant education
piece around vulnerability risks.
Educating and motivating employees on cybersecurity responsibilities
While maintaining essential cybersecurity features such as
firewalls, access controls, virus protection, and system monitoring
tools, many businesses are failing to engage with their employees. A
compulsory online cybersecurity awareness course where users
continuously click next every two years will not help employees retain
and apply good cyber practices to protect a company.
Security awareness training needs to be much more than a
box-ticking exercise. Employees need to be made aware, with real-life
examples, of potential situations they will encounter when working with
emails or browsing the web on their lunch break. The role of education
should not just be to raise awareness but also to motivate employees to
change their behavior online.
There is a good reason why the success of many businesses has
been attributed to people, process, and technology. However, even the
most sophisticated technology solutions and processes are incredibly
vulnerable to human error. People must always come first, and yes, that
includes contractors too.
Empowered employees - your front-line defence against cyber threats
As employees, many of us are expected to be "always online and
available." We drift seamlessly between remote working and spending time
in the office. Unsurprisingly, 40% of smartphone users admit that their
devices are used for both personal and business activities. There is an
undeniable need for security awareness training programs that also
encourage users to be more guarded when online.
Every employee needs to play an essential role in your
cybersecurity strategy. By closing the human vulnerability gaps within
your organisation, you have a much better chance of keeping the bad guys
away from your corporate network and data.
We have come a long way from only having a corporate laptop and
Blackberry handset to manage our workload. As our digital world
continues to evolve and adapt in an age of exponential change, employers
need to think differently. Compliance learning isn't just a box-ticking
exercise. It should be a communication tool that empowers your
employees to provide a much-needed front-line defense against cyber
threats.