Security training and tech: Empowering staff in a hybrid work environment
Remote working is not a new phenomenon but if there was an award for the forced widespread adoption of a trend, 2020 claimed the gold medal and turned the working world upside down. Kitchen tables transformed into makeshift desks, spare rooms turned into home offices, meetings went virtual, personal devices became work devices, and home networks suddenly handled sensitive connections to business applications.
Some are returning to the office and balancing remote working arrangements in a hybrid working model. But as employees travel back and forth, are they walking through their office doors with cyber threats sitting on their devices?
Human error is inevitable, especially with people now working with distractions like kids, pets, partners and important news bulletins. It is important that solutions support employees so that together, they can prevent threats from getting onto their devices – and their businesses.
A recent Mimecast study, called 100 Days of Coronavirus, analysed some of the most pervasive threats as detected by its threat intelligence team.
Unsurprisingly there was a huge surge in coronavirus-themed phishing and other malicious activity as attackers took advantage of people’s shift to remote working and the need for timely information about the pandemic.
Attackers have even spoofed websites belonging to cybersecurity vendors - it's enough to send a cold shiver down CISOs' & IT managers' spines.
Between January and the end of March, spam/opportunistic detections increased by 26.3%, malware detections increased 35%, impersonation detections increased by 30%, and URL click blocking increased by a significant 56%. These statistics provide a telling look at the rise in attacks- and unsafe clicks.
With fewer safeguards in place at home than on corporate networks, malicious content is more likely to reach employees, which can do serious damage.
Threat actors will continue to use the pandemic as a means of conducting more attacks.
“These actors are often opportunistic and inventive, and will seek to exploit the public’s, governments’, and organisations’ fears, in order to perpetrate malicious activity,” the report notes.
For example, there is a high likelihood that malicious campaigns will try to exploit the ongoing support that governments are providing to businesses and citizens.
So, the question then becomes, how do organisations enable people to keep a hybrid working model without compromising security?
The answer lies in ‘the two Ts’ – training and technology. These reflect the fundamental truth that human error is in our nature.
They can also be the core pillars of a best practice cybersecurity approach during the pandemic - and into the future - by empowering employees with the knowledge and support to become ‘human firewalls’.
A Forrester & Mimecast study found that security awareness and training (SA&T) is a popular way of influencing how employees understand cybersecurity and safety. However traditional methods use cumbersome techniques that are hardly engaging because they don't take people into account.
The survey found that 75% of decision makers in Asia Pacific say their training programs are just there to satisfy compliance requirements. It's a startling discovery and could explain why many businesses still end up in trouble.
Businesses need to explore different ways of rolling out SA&T programs and delivery - and the first step is to talk to employees.
According to the survey, 59% of decision makers think that their leadership teams are doing a great job leading by example. But half (53%) of employees think the opposite, and 51% believe their managers don't stress security enough.
“Whether it is following a link, not patching hardware/software or not creating a robust framework, humans are involved. It is assessed that human error and social engineering account for 90% of all breaches. By implementing a robust training process, the presence of the ‘human firewall’ will greatly add to a layered security strategy," says Mimecast principal technology consultant Garrett O'Hara.
SA&T programs must cut through the noise of employees' busy lives and they must tailor programs to their audience. There is little point in telling employees what to do and how to do it. Instead, programs should focus on people, behaviour change, and providing the right tools to help that behaviour change to succeed.
To find out about how your organisation can combine training, education and technology to create a safer workforce, click here.