Every day there is a new report of a data breach and, before the onset of the Covid-19 pandemic, cyber attacks were rife with even the largest conglomerates like GE having their defences breached in the last few months.
Stephen Burke is the CEO and founder of Cyber Risk Aware (opens in new tab).
Now, as organisations are forced into the position of having to rapidly adopt remote working practices as the norm, cyber criminals are rubbing their hands with glee. Employees working on an internal network were already a soft target for the cyber criminal. After all, over 90% of all data breaches are caused by human error, due to inadequate training in cyber security (opens in new tab) risks and potential threats. And now, companies with a remote workforce are even more vulnerable. With employees out in the wild, cyber criminals are banking on the gold rush that comes with the virtual Wild West.
- How to deliver effective workplace training in a virtual space
- Human nature: empowering employees through AI
- Beware - that email from HR might be a cyber scam
The need for cyber security training
The problem is, as many a beleaguered IT Pro will tell you, even the best technical solutions in the world cannot secure your IT infrastructure alone. Just one absent minded click from an employee in a phishing email can bring down even the most sophisticated and technically robust system. Hard working IT management (opens in new tab) will agree that one of their biggest challenges is helping the network users understand the risks, what a cyber attack actually looks like and what to do in the event of an attack. This is where organisations today need to turn that problem into a solution: make their staff the greatest security asset they have on the network by training and educating them in cyber security, literally as they work and critically not only on a training schedule, and supporting them while they face these threats in real time. This effectively builds the firewall (opens in new tab) - a ‘Human Firewall’.
The most common vulnerabilities start with Business Email Compromise (BEC) and Email Account Compromise (EAC) where attacks have cost organisations globally more than $26 billion since 2016 (reported by the FBI). In fact the FBI has just reported an increase in BEC fraud relating to Covid-19 with criminals using the virus as an excuse to reschedule or switch payments or make other business changes in order to steal money and data. The main culprits come in the form of phishing emails that look like they come from familiar or trusted sources. The criminals are getting increasingly sophisticated where they leverage the psychology of the moment exploiting the circumstances, posing as CEOs or trusted advisers and tricking even the most security-aware employees in well-executed and targeted attacks.
Most corporations recognize that training employees is a must and for cyber security issues the corporate mindset is changing and companies are now treating cyber security not solely as an IT problem but as a real business issue.
Cyber security education and training, even on site, takes time and effort: Planning and scheduling training is time consuming and can be like herding cats and you simply can’t cater for those who don’t make it to a session. Employees come and go and it is difficult to assess the level of cognizance within a changing workforce.
Building your human firewall
Today it’s important to recognise that with evolving work practices - such as remote working - training has to evolve too - especially with cyber security awareness training. Previous approaches such as scheduled training or random simulated phishing attacks are a good first step but don’t fully solve the problem. The cyber criminals are always one step ahead so a revision of any existing training methodology is critical and in most cases has to be taken a step further. Staying with the same methodologies will end up with the same net result: a compromised network.
Cyber security training needs to be part of the basic security set up on any network: Every computer, every communications device, is an open door to a criminal and at any moment unaware employees are not only opening the door - they are unwittingly propping it open and inviting them in. Every employee within any organisation large or small should be Cyber Security trained on how to spot risks and act on them.
The basics remain: employee handbooks and company policies should be adapted, into easy to understand, impactful and digestible messages to ensure that employees take cyber threats seriously. Training should be implemented horizontally and vertically. A cyber criminal doesn’t care what level of employee he targets or what department they work within..
Finally and most importantly, especially with a remote workforce, training must be continuous and it must be in real time: This is crucial and key to best practice security. Simulations of Cyber-attacks should run automatically and monitor how the remote employee responds with simultaneous alerts to vulnerabilities. The best networks allow for employees to automatically alert the IT department of any strange or suspicious activity with the touch of a button – effectively quarantining an attack. Taking steps like these creates the foundations of a cyber security aware culture within an organisation and ultimately the’ Human Firewall’. It is also easier than you think to implement and deploy with minimal overhead in resources.
The net result - the Human Firewall is the most expedient and efficient protection for any business - especially now that employees are spread across locations and geographies. All organisations need to recognise cyber security as a real business risk that is exacerbated by having a remote workforce.
Investing in your employees
As we have seen from recent events, cutting costs in the short term is a long term loss. Real time cyber security awareness training is inexpensive compared to the huge budgets invested in enterprise software solutions. Research has shown the cost per employee is 44% cheaper using an automated real time awareness training platform, as opposed to scheduled awareness training programs. Intervention provides immediate training reactive to employee behaviour, thus removing the time and cost in assessing risk and remediation through scheduled training and chasing staff completion. It is also fully automated in multiple languages, integrates easily with existing sophisticated network security installations, can be deployed rapidly and seamlessly and maximises the ROI on the overall network security investment.
There really are no excuses particularly when you take into account the reduced administrative overhead. Businesses can’t cut any corners on security - especially when workforces are so fragmented and attacks are increasing in sophistication. Arm your employees with cyber risk awareness and make them your first line of defence!
- Keep your business protected with the best antivirus software