It’s a common misconception in many workforces that their organisation is at low risk from threats to online security.
Thinking you’re unlikely to be a target is the biggest security mistake you can make. Even those who do recognise the potential threat may think they can’t do anything about it personally and it’s something for IT to worry about. And of course, as an IT leader, you do. You might welcome, then, our thoughts on how to galvanise employees and enlist them as allies in your cyber security strategies.
It is easy to understand why people can be an easy attack surface if they aren’t sufficiently engaged and prepared. Phishing is one of the most common threats used to target people rather than technology and the attacks continue to grow in number. A study by cyber security company Proofpoint found that, in 2021, 83% of organisations they surveyed across Europe and the US had experienced an email-based phishing attack, resulting in a variety of security breaches. As that was during the pandemic we can expect that some of the scams played on widespread health concerns. In the first quarter of 2022 we’ve seen many unsolicited emails claiming to raise money to support Ukraine – but actually trying to collect both money and data.
Because these scams are social engineering at its most exploitative, even the more tech-savvy aren’t immune. Who among us might not succumb to a message ‘from Cadbury’s’ offering free Easter chocolate?
No blame culture
It’s essential to establish a ‘no blame’ approach to online security issues, not least because scams and attacks are becoming ever more sophisticated and difficult to spot. A genuinely strong organisational security culture will involve relevant, accessible training, advice and effective communication about risk and prevention for every employee from the shopfloor and post room to the very top. The aim is to encourage a ‘relaxed alert’ mindset where individuals aren’t anxious or stressed but know how to spot when something doesn’t look right, and understand the actions to take when they do. This approach will help to protect their private online interactions as well as their ones at work. This is a powerful message to help you achieve high levels of buy-in – this knowledge can help you keep your important personal accounts safe and secure too.
There’s plenty of free and timely information available to help you anticipate, communicate and respond to specific threats. For example, the UK Government’s National Cyber Security Centre (NCSC) provides weekly threat reports that will keep you bang up to date on trends and emerging threats. It also offers free resources such as its 10 steps to cyber security. At Jisc, we work closely with the NCSC and our cyber security services are matched to each of these ten steps. Step two focuses on the fundamental importance of staff engagement and training.
No- and low-cost steps to boost online security
“Most cyber attacks aren’t personal. They are automated and speculative, essentially ‘drive-bys’,” says Jon Hunt, cyber security service delivery manager at Jisc.
“Fraudulent phishing emails are a very common form of attack and underline why multifactor authentication (MFA) is so important. With MFA you use something else to log in alongside your username and password, something only you have, like a passcode sent to, or generated by, your mobile phone. With MFA, even if an attacker manages somehow to obtain your password through a phishing email or some other means, they still can’t access your account.
“Attackers scan public-facing services at scale, looking for weak passwords, so using a strong, unique password for every account is another simple but powerful thing that everyone can do as a first line of defence.”
It’s essential that people understand the importance of having different, completely unconnected passwords for different accounts, otherwise a scammer who accesses one account via a weak password can quickly access others if the same password has been used elsewhere. It’s obviously impractical to memorise large numbers of complex passwords and current advice is pragmatic on this point; it’s much better to write passwords down than use the same password everywhere, but clearly any list of account passwords absolutely must be kept safe and secure. Better still, encourage use of a password manager, albeit with a super-secure password of its own acting as the gatekeeper.
What other behaviours should you encourage? Certainly, MFA will give security a massive uptick. So will making sure everyone keeps on top of updates and security patches and ensuring that devices are replaced when they are no longer supported by the manufacturer. If your organisation has people who use their own devices this can be a challenge, so communication and education will be very important to encourage good practice.
“Developing an informed, security-aware workforce, on constant ‘relaxed alert’, gives you strong foundations to build further security layers on,” says Jon. “The risk landscape is always changing and no organisation is immune to threat. But to see a massive improvement in your risk you don’t have to outrun the bear – you only have to outrun another target who hasn’t bothered to put the controls in place that you have, and that’s much less daunting.”
Throw a pebble in the pond
There are lots of easy things you can do straight away to create powerful ripples in your organisation. For example, take a look at the NCSC’s cyber aware resources and their free training resources. It’s important to tailor these (and any other training materials you use) to the needs of your own organisation and the first of the ’10 steps’ will help you do that. Jisc also offers phishing awareness training.