2020 has been something of a pivotal year for cyber security. As the pandemic took hold, businesses scrambled to a work from home model; the lens on cyber security focused elsewhere as employees grappled with a different silent risk entirely.
As we all entered a new normal of remote working, social distancing, and video calls, cyber attacks flooded businesses across a multitude of industries, using the pandemic itself as “bait [...] impersonating brands and misleading employees and customers” (Deloitte). As businesses dropped their defences, phishing attacks spiked - sometimes at a cost of millions. As nation after nation locked down, cybercriminals continued to capitalise on the crisis with malicious corona and COVID-19 domains. In April alone, Google found more than 18 million daily malware and phishing emails related to the coronavirus - all this in addition to cybercriminals sensing an opportunity to attack whilst our collective gaze rested elsewhere.
The risk of a cyber attack has never been greater - and with it, the need for a cyber security mindset becomes increasingly imperative. Previous attempts have been made to foster a ‘cautious culture’ in the workplace, usually in the form of a scare campaign from the top down - leading to employees deleting emails and avoiding apps - or a mandatory programme undertaken during induction; once completed, never repeated.
Rather than learning about, communicating, or reporting potential cyber security threats, the vast majority of employees are left unchecked, their attitudes, beliefs and practices differing from one employee to the next. So how do you build a cyber security mindset - and a human firewall - to protect your business?
Step 1: Choose Progress Over Perfection
Aiming for a thorough education on cyber security - the different types of attacks and how they may appear, a clear understanding of malware, ransomware, phishing, APT and DoS - might sound like the perfect solution, but we live in the real world.
In order to foster a permanent culture with a retained ‘cyber security mindset’, awareness must be promoted and present in all day-to-day operations; not as a fear campaign, but as a part of working in the modern and digital sphere. Proactively enlightening all staff with regular training (rather than a one-time tick-box exercise during employee tenure) will not only guarantee progress, but empower end users as individuals to report any potential attempts.
Aiming for progress over perfection takes the sting out of cyber security awareness scare tactics, fostering a culture of natural caution without fear of blame or punitive action. If you don’t have them already, pinpoint leaders within the business to promote regular reminders that are short, sweet and simple to understand, with the ability to resonate with different employees. Lastly, invest in a good cyber security course, make it mandatory and review it annually to ensure your human firewall is consistently up to standard. Look for courses with interactive modules and games - think I Spy with spyware - to engage, enlighten and empower employees, rather than the outdated classroom-test-tick-box approach.
Step 2: Adopt a ‘Share What You See’ Mantra
Instead of placing onus or blame on employees should they fall foul of an ever more sophisticated cyber threat, shift the focus to raising awareness, communicating with the wider team and reporting any suspected attempt as quickly as possible. In some cases, employee inaction - for example, not engaging with an attacker via email or leaving a suspicious link unclicked - is unwittingly the best course of action, but leaving an attack unreported does not diminish the threat.
A ‘Share What You See’ approach empowers employees to raise their concerns so that they can be supported and assisted, rather than expected to deal with a potential cyber attack themselves.
Setting up a dedicated mailbox monitored by your cyber security or information technology team is a great way to manage this while so many businesses continue to work remotely - simply ask employees to send an urgent email detailing the attempt, and commit to a rapid response within 24 hours.
Ultimately a cyber security mindset must be focused on the ease and convenience of the end user - your employees. Without this, cyber security best practice - such as regularly changing and protecting passwords - is disregarded. This subtle shift in defining values, attitudes and behaviours in the workplace needs to become an unconscious habit, motivating your employees to consistently and proactively prioritise their personal security - and that of the company - throughout all online behaviour.
Step 3: Prepare for the Next Normal
Remote working is here to stay, and with it new cultures and ways of working.
Anticipating and adapting to the next normal - be that continuing to work from home or a phased return to the office, or perhaps a mix of remote and office based operations - brings different business challenges to the fore. Businesses should consider the following as a foundation to support their new cyber security mindset:
- Dynamic Security - Utilise real-time anomaly detection with automated prevention and endpoint detection and response (EDR) systems
- Automated Prevention - When was the last time you reviewed your DLP solutions? Are there planned contingencies in the event of an attack?
- The Cloud - Any company that chose a mass migration to cloud-based computing must focus on its security and utilise the expertise of cloud providers to ensure business activities remain secure
- Secure Environments - Clear desk policies and locking screens may sound basic, but are often forgotten - at home as well as in the office
- Password Protection - Automate password protection and authentication with a password management system, with regular compulsory password changes
- Device Security - From employee mobiles and laptops to IoT devices, potential cyber threats to your business can be targeted via any endpoint device - identify and review any end-to-end leakage points
- The Human Factor - Balance reactive responses with proactive training courses - your people are your new perimeter, so invest accordingly
stc’s Cyber Security packages offer customised services for 24/7 monitoring and reporting, advanced threat protection, and industry standard compliance. When it comes to keeping your business operations secure, we’re right by your side.