Paul Kelly explores the growing importance of basic cybersecurity training for staff. Given the rising number of cyberattacks targeting enterprises, and new research revealing that employees are unable to detect phishing emails, the issue seems more pressing than ever before.
Offering hybrid working can liberate employees, help attract top talent and enable teams to do their best work from the location that works best for them. While the benefits for employers and employees are many, cybercriminals are also on the lookout for the opportunities it presents.
As organisations shifted to hybrid working, the attack surfaces for cybercriminals to exploit have grown exponentially. This evolving threat landscape has taught us all some tough lessons over the past eighteen months, a key takeaway being that security awareness and doing the basics matter.
While there have been a growing number of sophisticated cyberattacks, data shows that many cybercriminals still favour tried and tested methods. In fact, Microsoft research shows that phishing – or email scams – is responsible for almost 70 percent of data breaches.
A primary way criminals get in is through an unlocked door, so leaders need to ensure their employees are equipped with tools and knowledge to recognise and flag potential incidents. And, with Microsoft research revealing that basic security hygiene protects against 98 percent of cybersecurity attacks, nailing the basics is critical.
Attacks against enterprises are increasing, and so is the cost
In the last year alone, 4 in 10 UK businesses (39%) reported some kind of cybersecurity breach and this number has the potential to increase if businesses do not adequately secure their digital transformation efforts. The figure is even worse for small businesses, with one small business in the UK hacked successfully every 19 seconds, according to Hiscox.
The cost of a successful breach can also be extremely damaging, both to finances and reputation. The UK government estimated that cyberattacks cost businesses over £21bn a year, while Forrester revealed that 38 percent of businesses have lost customers due to security issues – with 44 percent of UK consumers claiming they will stop spending with a business temporarily after a data breach.
Certainly, there’s a lot on the line when it comes to ensuring that organisations are properly protected. Leaders need to implement practical security measures and create a strong security culture, so employees have a clear understanding of the dangers posed by poor cybersecurity hygiene.
Basic threat protection and mitigating risk
As organisations connect more and more systems together, security can become more complex, but organisations also need to ensure that the diversity of skills, areas of expertise, working and learning styles, and backgrounds, among other things, is respected.
The simple, practical steps any organisation can take to reduce its risk include making sure that they:
- Get the basics right – In our personal lives, we’re all well used to receiving a text message code from our bank, healthcare provider or online store to double-check that we are who we say we are. In a work context, this is an example of multi-factor authentication, a key first step in protecting against cyber threats. There are many ways this can be achieved – text message, mobile app, phone call, etc. Biometric solutions such as facial recognition (e.g. Windows Hello for Business) are great for providing a slick, modern logon experience while also offering enhanced security without having to remember a password.
- Apply least privilege access to prevent attackers spreading across a system. In the same way as you would determine HR access to sensitive information based on role and level, this method works by setting rules on employee accounts that make sure they can only access the information they need to do their job, rather than the entire system.
- Ensure devices, infrastructure and applications are up to date and correctly configured. Attackers look for easy targets: organisations that have not kept their systems up to date with the latest security updates. This potentially presents an open door for them. However, there are a range of tools that can help keep an organisation up to date, such as Microsoft Endpoint Manager, which can secure each touchpoint in an organisation’s IT infrastructure.
- Utilise cloud-connected anti-malware, which offers protection against the most current attack methods and more accurate detection, and implement basic information protection best practices – such as sensitivity labels – and data loss prevention policies.
- Democratise security awareness – educate your employees on what to look out for, help your leadership team understand the importance of security, and build diverse cyber security teams. The National Cyber Security Centre provides ‘Exercise in a Box’ – a great online tool which helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment (Exercise in a Box – NCSC.GOV.UK).
Put your people first
Building a people-first security culture is just as important as practical methods to protect your organisation. Training should be ongoing, designed to increase awareness and engagement. User training is not just a compliance activity but an essential part of the early detection and response to an attack.
Security training must also explain the risks in the context of the employees’ area of work, and provide the context and tools they need to recognise attacks, understand the appropriate behaviour and report unusual activity. A culture of enablement, trust, and engagement will significantly improve reporting and provide earlier warning of attacks.
By creating a people-first security culture, organisations will be able to ensure their users and data stay safe in a hybrid environment, while ensuring their employees stay productive and collaborative.
While cyberattacks are increasing and becoming more sophisticated, good cyber hygiene and security awareness are the best way to disrupt, prevent and detect such attacks. Do the basics well, and organisations set themselves up to ensure that both the business and its employees are protected.
Paul Kelly is the Director of the Security Business Group at Microsoft UK.