Terry Doherty, Founder and CEO at Doherty Associates, discusses the latest cybersecurity trends and how European and global businesses can mitigate cybersecurity risks in the modern workplace without compromising productivity.
Globally, cybercrime continues to wage a war, with an increasing focus on targeting businesses of all sizes and across all sectors. In the US, CEOs ranked cyber security as their primary external concern for 2019.
Cyber-attacks are growing ever more frequent and sophisticated in their delivery. A recent cyber security breaches survey reported that a third of UK businesses identified cyber breaches or attacks within the last 12 months. (GOV.UK says it is 43%: https://www.gov.uk/government/news/new-figures-show-large-numbers-of-businesses-and-charities-suffer-at-least-one-cyber-attack-in-the-past-year)
Globally, businesses are responding by upping their game in the security stakes, in part through necessity. The advent of GDPR forced UK companies to look more deeply at their data and be more compliant, but, as Satya Nadella (CEO, Microsoft) says, “cybersecurity is like going to the gym. You can’t get better by watching others, you’ve got to get there every day.”
This is especially true as cyber criminals sense the appetite in the marketplace and change their behaviour and strategies accordingly.
The rise of spearphishing
There’s been a steady shift away from the generic ‘spray and pray’ approach, where standardised, generic phishing and spam emails are sent en masse, as common security tools can easily detect and eliminate these types of emails.
Attackers are now turning to more strategic ‘spearphishing’ techniques, which target individuals within an organisation with an authentic-looking email from a seemingly trustworthy source, using sophisticated information that leads the user to trust the message and either open documents infected with malware, click on links to malicious websites, or initiate some sort of financial fraud.
There has also been a rise in attackers purchasing lookalike domains (for example, buying a lookalike company domain with a 0 instead of an O) and using them to carefully craft phishing campaigns, or sending emails from those domains to make them look even more legitimate. The devil is in the detail, and more often than not it will be very easily overlooked – just one different letter or number can give the attackers the way in.
Vigilance is key across the entire global organisation. Training staff to spot detail and to double and triple check emails, in particular the senders and company domain names, could save your business from financial and reputational damage.
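The domain check described above can also be automated at the mail gateway. The following is an added example, not part of the original article: it flags sender domains that differ from a trusted domain by a lookalike character or a single letter. The trusted domain and sample addresses are constructed for illustration.

```python
# Added example: flag sender domains that imitate a trusted one.
# TRUSTED and SAMPLES are constructed values, not taken from the article.
TRUSTED = {"acme-holdings.example"}

# Digits commonly swapped for lookalike letters, e.g. 0 for o.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Fold visually confusable characters into one canonical form."""
    folded = domain.lower().translate(FOLD)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender, trusted=TRUSTED):
    """Return (verdict, imitated_domain) for an email address."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for good in sorted(trusted):
        # Exact match or a subdomain of a trusted domain.
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good):
            return ("lookalike-substitution", good)
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return ("lookalike-typo", good)
    return ("unknown", None)


SAMPLES = ["finance@acme-holdings.example", "ceo@acme-h0ldings.example",
           "ceo@acrne-holdings.example", "ceo@acme-holdinqs.example",
           "news@partner.example"]

if __name__ == "__main__":
    for address in SAMPLES:
        print(address, classify(address))
```

This covers ASCII substitutions and one-character changes only; internationalised domain names that use non-Latin lookalike characters need separate handling.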
Next generation malware
Malware has also advanced with the recent trend in ‘big game hunting’ – a term attributed to eCrime groups that proactively identify, research and target large-scale organisations (such as the Norwegian aluminium supplier) to infect them with ransomware.
Entire networks are compromised, leaving organisations no choice but to pay a huge ransom to decrypt their data and gain access to the network again – a very profitable business for attackers, and, more often than not, organisations are willing to pay.
While it’s true that businesses are more protected and often have the correct security infrastructure in place, there will always be gaps. And this is where the attackers will look and find the weak spots, designing malware that is always advancing and sneaking through defences.
So how do you secure your front door against these attacks, especially when it’s most likely located in the cloud, but still ensure employees have the freedom and flexibility to remain productive?
Your people hold keys to the kingdom
The front door of security used to be considered the firewall, the gateway between your internal trusted users and the internet, which in security is considered untrusted.
Now, the front door is everyone within the organisation who has a user name and password. With the rise and use of cloud services, everything is just a URL away, as the user logs on to gain easy entry to the organisation’s data via cloud storage and service facilities.
While these advancements are highly beneficial for increased business productivity, without the correct security manning your front door, potential hackers are just a username and password away from accessing vital information that can disable the entire organisation.
In cloud environments, the identity of the person is the key to the kingdom. Implementing strong ‘access controls’ – which regulate access to internal resources – is important for minimising risk while ensuring everyone has the information they need to do their job at speed. Continually question, though, how to lock and secure access in a better way. Consider who really needs entry and restrict them to only the data and information they need to fulfil their role within the organisation.
Traditionally, authentication was based on a single factor, such as a password, to prove the user’s identity. This is no longer enough. We must now add additional factors like biometric-based authentication such as fingerprint, face or iris. Additionally, supplementing the username and password model with a one-time or time-based code that only a specific user has access to adds another layer of security.
But this does impact the user and usability, as most don’t want to be constantly entering codes. Companies like Microsoft have instead enabled conditional access – when an employee is inside the office, where the environment is deemed safer, access will be easier, with fewer security prompts, unless it is a high value resource. The approach has to be conditional, balancing usability against security. Consider the compromise and where things can be more accessible and less of a burden on the user, but still secure.
Mobile application management is the future of BYOD
Bring Your Own Device (BYOD) policies are also on the rise globally in modern workplaces, but with this come security challenges.
Technology is available that ensures that corporate assets remain secure should anything happen to the device, while still allowing the user to manage and control the device. Programs like Office Intune allow the business to apply mobile application management (MAM) as opposed to managing the entire device. The sensitive corporate data is controlled and protected. If the user loses their phone temporarily, for example, just the corporate data will be removed, leaving the user’s personal data intact. MAM rather than device management is the future of BYOD and should be more widely adopted. It offers a compromise between the user and the business, improves the employee experience, and ensures that security doesn’t affect productivity.
Security by default
To ensure security best practice is consistent, security must be baked into every part of the chain. Security by default is about taking a holistic approach: integrating all the elements available (physical and technical) to safeguard the organisation and provide continuous protection.
Take a human approach when educating employees on policy and threats, and bring real world consumer examples into the mix. Encourage them to look at things from a personal perspective to help them better comprehend the dangers; they have already adopted multifactor authentication at home, for example, to protect their information, so it’s natural that this behaviour should also be mirrored in the workplace.
Communicating in a human way will help your employees better understand the real and present danger of cybercrime and to be more vigilant, mitigating risk to the global organisation while maintaining business continuity.