Earlier this year, the Government launched its new National Cyber Strategy in an effort to strengthen digital resilience across the UK. As part of this strategy, the Cabinet Office declared that it was committed to reducing cybersecurity risks to ensure that businesses can maximize the economic benefits of digital technologies, such as cloud computing.
Julien Soriano is the Chief Information Security Officer at Box.
The Government’s focus on digital risk reduction as part of its National Cyber Strategy is a clear acknowledgement of the severity of the current threat landscape, which is detrimentally impacting enterprises on a national scale. The DCMS’ recent Cyber Security Breaches Survey revealed that in the last 12 months, 39% of UK businesses succumbed to a cyber attack, demonstrating a clear need for intervention at a governmental, organizational, and individual level.
While the UK government is working to minimize national cyber threats, businesses have also been tackling their individual security risks at a more micro level. According to Verizon’s 2021 Data Breach Investigations Report, 85% of cyber-attacks involve a human element. This scale of human error is having a detrimental impact on corporate security, with 43% of workers admitting to making an error that compromised the digital security of their company.
But this begs the question - who is responsible for cyber breaches? Should accountability fall solely in the hands of the employee, or is the business to blame?
The threat landscape
It is now widely accepted that the shift to hybrid work has increased the risk of cyber attacks for businesses across the globe. In fact, 80% of security and business leaders said that their organizations have more exposure to cyber threats today due to remote working.
In the traditional office-based working landscape, malicious actors would exploit the vulnerabilities of an organization's centralized IT system in order to gain access to business-critical data. To mitigate such threats, companies would have a perimeter-based security approach that was the responsibility of the IT team to implement and execute.
However, the normalization of remote working has ultimately seen this responsibility shift to the employee. According to a recent Tenable study, 71% of security leaders lack visibility into remote employee home networks, meaning that the majority of companies are now reliant on individuals to observe cybersecurity best practices in order to prevent a breach.
As such, a modern security strategy must now focus equally on the following three pillars: Technology, Processes and People. Their complementarity is vital to reduce attack surfaces based on the current threat landscape.
Employees must take responsibility
If the shift to remote work has taught us anything about cybersecurity, it’s that employees are the first line of defense. A startling 67% of business-impacting cyber-attacks targeted remote employees, proving that individuals must take personal responsibility for their company’s security.
While attacks can be extremely sophisticated, compliance with and reliance on strong security policies (such as acceptable use and data handling) is a must for workers. It is the employee’s responsibility to do the right thing and comply with that policy and understand their role and responsibility in keeping their access safe.
For example, if an employee breaks policy and decides to disable security features and use their company laptop to connect to malicious environments where their laptop or data could be compromised, it is the employee’s failure. Similarly, if a staff member doesn’t patch or update at-risk software after reasonable guidance from the company and still continues to access critical data with a vulnerable system, it is the employee’s error.
It’s a business problem
But while staff certainly are the first line of defense, they should by no means be the only one. An employee cannot conduct best practice if their employer does not implement comprehensive security processes first. By centralizing content in the cloud, a business can centrally manage access to content inside and outside the organization while minimizing the risk of loss through full visibility over files, policies and provisioning.
Enterprises have a responsibility to utilize technology that mitigates the new threats that have arisen from remote working. Not only do online collaboration tools support the mobility of remote workers, they are also highly secure and easy for IT teams to manage.
Companies should also deploy technology that provides guardrails, reminding staff about the classification-level of their content. For example, with cloud content management products such as Box Shield, security teams can add reminders about sharing permissions before employees potentially expose sensitive data outside of the company.
Similarly, employers must recognize that most employees are not security experts by trade. In the ever-changing threat landscape, it is the responsibility of the employer to create a security-first culture by providing adequate guidance, continuous training, and a well-outlined security policy with their employees.
Achieving a security first culture
Given that 85% of cyber attacks last year involved a human element, businesses should develop a strategy that not only evaluates the security of its technology, but also the mindset of its staff. Mindset and culture ultimately underpin a company’s security position.
Training and education is an imperative part of creating a security-first culture. However, it’s important to tailor security training based on the employee’s role and data they have access to. For example, a sales person will inevitably need different training to a production engineer, as they have access to different sets of critical data and different sharing requirements.
Through tailored security training, enterprises can better educate users and raise their awareness accordingly. Employees must realize the responsibility on their shoulders, and individualization based on role is a great way to educate them on potential consequences.
Ultimately, cybersecurity must be interwoven into the very culture of every business. The onus falls on businesses to create a security-first culture that their employees then have a responsibility to uphold.