Guest blog by Nick Denning, CEO & Founder at Policy Monitor for Tech UK
Report after report, year after year, shows that users are at the heart of 80-95%* of the cyber security incidents which threaten organisations. Nick Denning, CEO of Policy Monitor, offers advice on how to keep your employees and partners up to date and vigilant to the changing threats.
Your users can help keep you safe… or open the door to cyber criminals
When considering just how secure your organisation is against cyber threats, the worst thing you can do is think you’ve got the problem covered or that your IT team can fix any issues. Cyber security is an ongoing challenge for the whole organisation, and in the majority of cases your users, including employees, partners and customers, are the ones who will be at the heart of cyber incidents such as data breaches and ransomware attacks. It’s important to keep them regularly informed and vigilant so they can act as gatekeepers against evolving threats.
Research and surveys into cyber security trends consistently cite users as the way most cyber criminals gain access to organisations. A Comcast Report in July 2023 found that between 80 and 95% of cyberattacks begin with phishing, and approximately 67% of all breaches start with someone clicking on a seemingly safe link. This report joins a growing mountain of similar research findings from the likes of the UK Government and the National Cyber Security Centre (NCSC), the latter reporting that 90% of security breaches are due to mistakes by users.
Stay vigilant to phishing attacks… and more
Phishing attacks involve sending fraudulent emails or messages that appear to be from a legitimate source, aiming to trick users into revealing their credentials, personal information, or financial details. The intention is to gain data directly or as a way into the heart of an organisation’s systems to cause mayhem either immediately or at a later date. Attackers may try credential theft using various methods, such as keyloggers, malware, or social engineering, to steal usernames and passwords.
In the case of Password Spraying, cyber criminals attempt to gain entrance by systematically trying common or weak passwords. They target a large number of accounts with a few common passwords, in the hope that at least someone will have chosen and kept a weak password. Criminals can combine this with user details bought on the dark web, which may have come from a previous data breach, possibly at a different organisation.
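Because spraying spreads a few guesses across many accounts, it slips under per-account lockout thresholds; the tell-tale sign in authentication logs is one source failing against many different usernames with only one or two attempts each. The following is an added example (not code from the article or from Policy Monitor) that classifies login sources in a constructed sample log as a password spray or a conventional brute force, and lists any account that logged in successfully from a spraying source, since those are the accounts that need a password reset. The log format, thresholds and IP addresses are assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data, not from the article).
# Each line: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.5 alice FAIL
2024-03-01T09:00:03 203.0.113.5 bob FAIL
2024-03-01T09:00:05 203.0.113.5 carol FAIL
2024-03-01T09:00:07 203.0.113.5 dave FAIL
2024-03-01T09:00:09 203.0.113.5 erin FAIL
2024-03-01T09:00:11 203.0.113.5 frank SUCCESS
2024-03-01T09:05:00 198.51.100.7 alice FAIL
2024-03-01T09:05:02 198.51.100.7 alice FAIL
2024-03-01T09:05:04 198.51.100.7 alice FAIL
2024-03-01T09:05:06 198.51.100.7 alice FAIL
2024-03-01T09:05:08 198.51.100.7 alice FAIL
2024-03-01T09:05:10 198.51.100.7 alice FAIL
2024-03-01T09:10:00 192.0.2.9 grace FAIL
2024-03-01T09:10:30 192.0.2.9 grace SUCCESS
"""


def parse_log(text):
    """Turn the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_attempts=5):
    """Per source IP, look at failed logins inside a sliding time window.

    Many distinct accounts with few attempts each -> "password-spray".
    One account with many attempts            -> "brute-force".
    Thresholds are illustrative assumptions; tune them to your own volumes.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event[1]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so it spans at most `window` of time.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, _, u, _ in fails[start:end + 1])
            if (len(per_user) >= spray_min_accounts
                    and max(per_user.values()) <= spray_max_per_account):
                kind = "password-spray"
            elif len(per_user) == 1 and sum(per_user.values()) >= brute_min_attempts:
                kind = "brute-force"
            else:
                continue
            # Any success from this source after the attack began is a
            # probable compromised account and should be reset.
            first_fail = fails[start][0]
            succeeded = sorted({u for ts, _, u, r in evs
                                if r == "SUCCESS" and ts >= first_fail})
            findings[ip] = {"kind": kind,
                            "accounts": sorted(per_user),
                            "succeeded": succeeded}
            break
    return findings


if __name__ == "__main__":
    for ip, f in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['kind']} against {f['accounts']}; "
              f"successful logins after attack start: {f['succeeded']}")
```

In the sample, 203.0.113.5 is reported as a spray (five accounts, one attempt each, followed by a successful login as frank), 198.51.100.7 as a brute force against alice, and 192.0.2.9 (one mistyped password, then success) is not reported at all. The same grouping is what a SIEM rule keyed on source address and distinct-username count expresses; the point of writing it out is that a rule counting failures per account alone never fires on the first source.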
Employees, contractors or partners, past or present, are a risk. Those with malicious intent can abuse their access privileges to steal data, introduce malware or disrupt systems. Carelessness can expose their credentials. Attackers might impersonate legitimate users (Identity Spoofing) or devices to gain unauthorised access or bypass security measures.
Effective off-boarding that disables or removes old accounts, together with exit interviews reminding people of their ongoing responsibilities, is important.
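Off-boarding only works if someone checks that it happened. As an added example (not code from the article or from Policy Monitor), the function below reconciles a constructed HR leavers list against a constructed account export and flags three things a defender wants to know: leavers whose accounts are still enabled, accounts that logged on after the leaving date, and enabled accounts nobody has used for a long time. The data layout, the 90-day dormancy threshold and the names are assumptions for the illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not real people or systems).
# HR leavers list: username -> last working day.
LEAVERS = {
    "bob": date(2024, 1, 15),
    "carol": date(2023, 11, 30),
}

# Account export from the directory: enabled flag and last logon date.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_logon": date(2024, 2, 28)},
    {"user": "bob",   "enabled": True,  "last_logon": date(2024, 2, 2)},   # left, still enabled, still used
    {"user": "carol", "enabled": False, "last_logon": date(2023, 11, 29)}, # correctly off-boarded
    {"user": "dave",  "enabled": True,  "last_logon": date(2023, 10, 1)},  # nobody has used this in months
]


def audit_accounts(accounts, leavers, today, dormant_after=timedelta(days=90)):
    """Return (user, finding) pairs for accounts that off-boarding or hygiene missed."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        left = leavers.get(user)
        if left is not None:
            # Leaver: the account must be disabled and must not have been used afterwards.
            if acct["enabled"]:
                findings.append((user, "enabled after leaving date"))
            if acct["last_logon"] > left:
                findings.append((user, "logon after leaving date"))
        elif acct["enabled"] and today - acct["last_logon"] > dormant_after:
            # Still employed (or not on the leavers list at all) but the account is idle:
            # often a contractor or partner whose departure never reached HR.
            findings.append((user, "dormant enabled account"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, LEAVERS, today=date(2024, 3, 1)):
        print(f"{user}: {finding}")
```

Run against the sample on 1 March 2024, the audit reports bob twice (enabled and used after leaving) and dave once (dormant), while alice and carol produce nothing. The "logon after leaving date" finding is the one worth an incident ticket rather than a cleanup task, because it means the credentials were used after the person should have lost them.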
Keep users informed
Keeping your organisation informed about cyber security is crucial to ensure the ongoing safety of sensitive data and systems. Develop a comprehensive cyber security policy that outlines the organisation’s approach to security, including guidelines, best practices, and procedures for safeguarding systems and data. Make this policy easily accessible to all employees and keep it regularly updated.
Provide regular cyber security training sessions for all employees. This should cover cyber hygiene topics such as password management, phishing awareness, safe browsing, and the social engineering techniques which bad actors are using to con their way into organisations.
Tailor training programmes to different roles within the business. For example, IT staff will need more technical training, while the finance team needs to be aware of the ways cyber criminals try to gain financial data and coerce people into making fraudulent payments.
Make it easy for staff to report suspicious incidents without fear of ridicule, so that you gain intelligence on potential attacks on the business.
Use all communication channels
After holding initial training it’s important to keep awareness levels high. Send regular direct message updates regarding the latest cyber security threats, best practices, and any policy changes. Use your intranet or internal portal to hold cyber security resources, news, and updates. Consider utilising internal security awareness campaigns, threat reporting and whistleblower hotlines combined with incentives for reporting and thwarting attacks. Don’t forget paper methods of communication such as posters, newsletters and magazines to keep people updated.
You may want to conduct phishing simulation exercises to test employees’ ability to recognise and report phishing attempts. Use these regularly to maintain awareness. You could send out your own ‘fake phishing emails’ to employees including a link which when clicked takes them to a warning and offers remedial training.
Use tools to monitor policy and compliance
As you can see there are many cyber security threats and a host of actions needed to remain secure. It can be a sizable task to stay as safe as possible: implementing policies, keeping up to date with the latest threats, and remaining compliant with current standards and legislation. Keep the latest training resources available to staff and record who has completed courses to a satisfactory level.
It is advisable to implement an application to keep track of your cyber policies, resources, training and response plans. This will help your business to plan, manage and deliver cyber security compliance in line with industry standards such as Cyber Essentials, CE+, IASME Assurance and ISO 27001. Built-in workflows can keep track of which security-related activities have been completed and which still need to be done, and issue notifications accordingly. This provides proof of what has been done, which can be important to demonstrate to potential customers, partners and insurers.
Your people are at the heart of effective cyber security—or conversely, could open the door to attacks on your organisation. It’s time to enable your employees to help keep your business safe. To learn more about how to protect your business visit our website for more hints and tips.
Further reading:
*Security Magazine report on Comcast 2023 cyber security research
https://www.securitymagazine.com/articles/99696-between-80-and-95-of-cyberattacks-begin-with-phishing
Comcast 2023 cyber security research report
https://business.comcast.com/community/browse-all/details/2023-comcast-business-cybersecurity-threat-report
UK Government 2023 cyber security breaches survey
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023
NCSC advice on Phishing
https://www.ncsc.gov.uk/section/advice-guidance/all-topics?allTopics=true&topics=phishing&sort=date%2Bdesc