When it comes to the risk from cyber threats, your first line of defence isn’t technology, it’s people, says our Chief Information Security Officer, Mark Vos.
Global-scale cyberattacks like the WannaCry ransomware outbreak, and the huge malware attack that brought chaos to Ukraine before spreading internationally, can inflict real damage on an organisation, both in its ability to function and in its reputation.
They’re also a big reminder of the risks we all face, but the reality is that you’re far more likely to suffer an information security breach from the inside than from an external threat. According to a PwC report, half of the worst cyber security incidents were due to inadvertent human error.
"You're far more likely to suffer an information security breach from the inside than from an external threat."
When it comes to information security, people and process are critical. You can have the best patch management practices in the world, but if your employees aren’t vigilant you’re wide open to many different types of attack. The bottom line is that your company culture is what will ultimately define your security posture and its effectiveness.
What are you up against?
However good your defences, you need to work on the assumption that malware will get through from time to time. At that point it will be your diligence and awareness that makes the difference. So what sort of nasties are you up against?
- Bots and zombies
- Trojan horses
These exploit vulnerabilities, either in a system or in an individual. A company is hit with ransomware every 40 seconds (in 2016 it was every two minutes).
"The bottom line is that your company culture is what will ultimately define your security posture and its effectiveness."
The primary delivery vehicle for ransomware is attachments sent directly to users in increasingly believable emails from seemingly trustworthy sources, and their volume is rising sharply: a review by IBM Security found that the number of ransomware-infected emails sent in 2016 increased by 6,000% compared with the previous year. A mail gateway that strips or quarantines executable and macro-enabled attachments will stop many of these, but the ones that get through land in a person’s inbox, and it is that person’s decision to open the file or not that decides the outcome.
Humans have now overtaken machines as the top target for cyber criminals: it’s your employees who are more likely to be targeted than your software.
Awareness and breaking bad habits remain the biggest challenges when it comes to fighting phishing. 78% of people say they know about the risk of clicking unknown links in emails, yet they click anyway.
So what can you do?
Don’t leave infosec to the IT department
Ten years ago, the job title ‘Information Security Analyst’ didn’t exist. Today, there is a genuine worldwide shortage of qualified and experienced InfoSec specialists. They are in high demand, and with good reason: as the cyber threat grows and evolves, so must your cyber defence resources.
Three years ago, we set up a dedicated global information security team tasked with protecting our environment and those of our clients. We recruited specialist subject matter experts who could educate others and keep up with ever-evolving cyber threats and techniques. The team was integrated into the business, not set apart as a traffic cop.
It’s their responsibility to deliver and communicate information security within the business, and to make it everyone else’s responsibility too. It quickly became obvious that if we were going to do this successfully, we needed to take a client-centric approach to everything we did.
"Infosec teams have to be integrated into the business, not set apart as a traffic cop."
- Define metrics for the effectiveness of information security and get the board’s buy-in for commensurate information security investment.
- Build a team that can influence colleagues and internal stakeholders.
- Communicate information security in a clear and effective manner.
- Focus on the company culture, driving home the importance of protecting client data and other sensitive data.
Make your people your first line of defence
Cyber security is an ongoing battle. Make your people your first line of defence by developing information security awareness and vigilance amongst your employees so that everyone has the right level of knowledge about security and feels responsible for it. A check-box training exercise is no longer enough. There must be a continued and concerted effort to bring about a real change in culture and behaviour.
It’s a big ask for InfoSec teams. Employees are more tech-savvy than ever before, and often find it easier to use their own familiar devices, apps and programmes than your authorised solutions. So-called ‘shadow IT’ and BYOD pose new risks and challenges for IT and InfoSec teams, who must adapt to accommodate these new ways of working, acknowledging where there is a real business need for greater flexibility and ease of use, while at the same time protecting the business.
Have a range of communications tactics up your sleeve
Be prepared to try different approaches to help the message stick. 70% of millennials admit to bringing outside devices into the work environment against IT policies, and 60% say they aren’t concerned about corporate security when they use personal apps instead of corporate apps.
You have a challenge on your hands to find ever-more creative and impactful ways to communicate information security messages to all of your internal stakeholders. You’ll need a range of tactics up your sleeve.
- Regular internal communications, using all channels.
- Multi-media communications, such as videos and blogs.
- Promote and reward positive behaviour where people demonstrate “doing the right thing” in relation to information security.
- Put an information security measure and KPI into every staff member’s business plan.
- Have your CEO discuss the importance of information security to the company on a regular basis.
- Educate and build awareness in fun and engaging ways, such as gamification.
Layer your defences
Our information security team has more than quadrupled in size over the past two years and now has 12 people dedicated to information security, a reflection of the increasing importance we place on cybersecurity and a direct response to the growing threat level the financial services industry faces. In that time we achieved ISO/IEC 27001 certification, the internationally recognised standard for an information security management system. Supporting our dedicated team of 12 is our first line of defence: our people, all 1,850+ of them.
"Ultimately, the only thing protecting your business from becoming a cybercrime victim is your people."
Ultimately, the only thing protecting your business from becoming a cybercrime victim is your people, so layer your technology defences with a powerful human shield. Remain vigilant and continue to strengthen and evolve your security practices. As Einstein said, ‘We can’t solve problems by using the same kind of thinking we used when we created them.’