People at the heart of building a strong security culture


The pandemic, coupled with the ensuing fragmented workforce, has presented a unique opportunity for cybercriminals to breach the defenses of many organizations. This has made shoring up these defenses against cyber attacks increasingly important for companies and their workforces.

Examples of these vulnerabilities include the significant proportion of employees working from home over unsecured home internet connections, or through company solutions that were hastily rolled out at the start of the pandemic. Other companies have relied on Remote Desktop Protocol (RDP) exposed directly, instead of a more secure method such as a VPN.

A recent report from cybersecurity firm ESET recorded a 768% increase in RDP attack attempts last year. Although many businesses have made great progress in reducing cybersecurity threats and advancing their digital transformation journey, it is clear more needs to be done. Businesses and leaders have a responsibility to keep all employees safe online, build a strong security culture for their workforce, and ensure they are investing in and updating the right software to protect the company from attacks.

Multiple connections causing attacks

As most people who are able to work from home now do so, the lines of control and access have been blurred significantly. Instead of having one entry point, such as a firewall or VPN, which everyone in the company goes through, we now have multiple connections from different locations, including RDP.

From a security perspective, that makes the network incredibly hard to manage because of the increased number of entry points. Because of this, protection is required at the user device level, such as Endpoint Detection and Response (EDR), the software most commonly preferred by CISOs. If anything threatening appears on a user device, the software isolates it instantly, rather than the organization having to rely solely on the security controls at a single point of entry.

The use of personal devices also raises the issue of ‘Shadow IT’ creeping into the network. Shadow IT usually arises when employees reach for their own devices to address a business need, further blurring the lines of control and access. Most of these devices are not under the jurisdiction of a central IT or IS department, and therefore will not be protected by the organization.

A business responsibility

Despite the tremendous progress made by organizations around the world and innovations in security, criminals continue to keep pace with, and often run ahead of, the latest security controls. As a result of this heightened online risk, it is imperative that businesses continue to carry out basic cybersecurity processes. These include applying software and security updates as soon as possible to keep their workers safe online, and ensuring their security protocols are robust and updated frequently. Businesses should either enforce updates so that devices stay protected, or facilitate user intervention by encouraging users to allow updates to install and to restart their laptops so the updates take effect.

Many leaders look at AI, machine learning and other next-generation technology as ways to protect their business and employees online. At Telstra Purple, we recently held a roundtable with CISOs on how they are implementing and using technology during this pandemic. Endpoints are now sitting on home networks that might not be secure, which poses a big problem for businesses; many are responding by applying AI through endpoint detection and response solutions. These solutions allow a laptop to be disabled if any untoward behavior is detected, e.g. from a hacker who has compromised the laptop through a potentially insecure home network.

Investing in your people

The most important thing that businesses can do is to invest in employees’ security hygiene while they work from home, embedding a strong and robust security culture. Education and awareness are central to that culture, and we will see much more emphasis on training and education to help people understand how the risks and threat profile have changed during the pandemic. People are our key first line of defense and are essential for businesses in maintaining strong protection.

We have seen an increased burden on employees adapting to new ways of working over the last year. However, in many cases, they are doing so with limited knowledge and without the necessary training or resources to protect themselves from online threats. It is imperative that businesses now look at cybersecurity as an investment, not just a business expense.

Additionally, businesses must establish a ‘no blame culture’. A significant number of cyber attacks go unreported because staff fear embarrassment or punitive measures. Businesses should prioritize a culture where employees are encouraged to report suspicious activity or possible breaches, even if they are the employee who was compromised. A culture of blame leads to a lack of transparency and therefore exacerbates the risks to organizational security.

People are at the heart of security, so invest in your employees, speak to them and build trust which in turn will keep your business safer from online threats.

Working together

A forward-thinking and fit-for-purpose security strategy will only be as good as the day-to-day practices of the business and its employees at large. Businesses must prioritize and provide their employees with informative and useful cyber training that feels practical and intuitive. Additionally, business leaders hold a crucial responsibility in promoting and following good cyber hygiene practices, which sets the standard for the whole organization.

Ultimately, for businesses to effectively keep employees safe online, they must begin by working together with their security function. The conversations around cybersecurity and associated IT solutions begin in the boardroom: the relationship between the business, the cybersecurity function and employees is symbiotic. CISOs, IT departments and business stakeholders need to work in tandem. It’s crucial that the board and the security team get to know and understand each other when they aren’t under pressure or firefighting.

The security culture will drive the core security technologies and practices forward. All solutions and practices require human input, so people must be at the heart of security. Only then will businesses be able to make the most out of security advancements.

  • Manoj Bhatt, Head of Cyber Security Advisory & Consulting for EMEA at Telstra Purple.

Manoj Bhatt is Head of Cyber Security and Advisory at Telstra Purple and works with a range of customers across different sectors to embed cyber security into their digital agenda.