In the world of cybersecurity, the saying goes: people are your first line of defence. By empowering employees through comprehensive cybersecurity training, companies can prevent cyber attacks caused by human error.
There’s a great deal of FUD (fear, uncertainty and doubt) spread about by the security industry concerning the threats facing the business, but the truth is that adopting basic cyber hygiene practices can significantly mitigate the risk of these threats being realised. It’s a point made in the recent NCSC whitepaper on ‘Ransomware, extortion and the cyber crime ecosystem’, which states that most ransomware attacks are not due to sophisticated attack techniques but are usually the result of poor cyber hygiene. It’s for this reason that adopting a baseline security framework such as Cyber Essentials, Cyber Essentials Plus or ISO 27001 is so fundamental. If this level of cyber security were adopted across the board by all businesses, the majority of these attacks would fail.
Cyber hygiene covers everything from how employees interact with one another and with external individuals, to how data is used and protected and how systems are maintained. Unfortunately there has been a decline in certain cyber hygiene practices over the past three years, notably the use of password policies, network firewalls, restriction of administrative rights and software patching. This is largely due to the move to decentralised networks and the migration to the cloud, which has caused some confusion over who is responsible for securing data (the so-called ‘shared responsibility model’). This marked decline is providing attackers with the window they need to exploit users and systems, making it much easier to get a toe-hold on the network, escalate an attack and access data.
– deploying a firewall
– securely configuring devices/software
– implementing access controls
– deploying anti-virus
– documenting procedures in a security policy.
It provides some initial guidance, it can help assure customers and partners, and it is now commonly a requirement for cyber insurance. But it’s a foundation stone that should be built upon. In order to boost resilience, the business needs to look at the wider context of the risks it faces in order to move towards becoming cyber mature.
Cyber maturity can be assessed by looking at the way the business manages risk in terms of asset management, the supply chain, identity management and access control, staff security awareness, information protection processes and procedures, security monitoring and detection, as well as the effectiveness of response and recovery planning. Such an assessment uses a risk framework such as the NIST CSF, which has five core areas (identify, protect, detect, respond and recover), and grades the effectiveness of the security in place against each of these on a sliding scale from 1 to 5. But again, about one in five organisations do not assess their cyber maturity at all, making this a missed opportunity.
If more businesses adopted Cyber Essentials, profiled their risks and used cyber maturity assessments to help drive improvements, the potential attack surface would be greatly reduced and the potential for escalation curtailed. There would also be more eyes and ears open to sector-specific attacks, enabling the more immediate sharing of threat intelligence. It’s that wider state of awareness that will lead to real resilience, and it’s the central tenet behind the NIS2 regulations that are coming into force across Europe this year and are likely to be adopted in some form or fashion in the UK too.
In terms of making employees more resilient, it’s key to ensure that training is tailored to the organisation so that it is relevant and meaningful. Previous exploits against the organisation could be used for phishing exercises, for example, with the redacted fallout shared. Devise training that utilises OSINT, showing how email and social media can be combined to craft attacks and how oversharing can be a problem. Arm users with top tips on password use and ad-blocking tools, because employees seldom have a work/home divide in how they use technology. The idea is to foster a culture of disclosure so that incidents aren’t hidden; encourage drop-in clinics to answer work queries and so prevent dangerous workarounds. Ensure training isn’t just a pin in the calendar but is regularly reinforced through communication over different media.