16 July 2020
Twitter grappling with the worst security breach in its 14-year history - a suspected coordinated social engineering attack by people who successfully targeted some of its employees with access to internal systems and tools - is a stark reminder of the risks we all face.
Because while global-scale cyberattacks (who can forget the worldwide WannaCry ransomware attack?) bring chaos and can do real damage to an organisation, both to its ability to function and to its reputation, the reality is that you are far more likely to suffer an information security breach from the inside than from an external threat.
When it comes to information security, people and process are critical. You can have the best resources and patch management practices in the world but if your employees aren’t being vigilant, you’re wide open to many different types of attack. The bottom line is that your company culture is what will ultimately define your security posture and its effectiveness.
However good your defences, you need to work on the assumption that malware will get through from time to time. At that point, it will be your diligence and awareness that makes the difference.
Ransomware exploits vulnerabilities, either those of a system or those of an individual. Every 14 seconds, a company is hit with ransomware (in 2019 it was every 40 seconds and in 2016 it was every two minutes).
The primary delivery vehicle for ransomware is attachments sent directly to users in increasingly believable emails from seemingly trustworthy sources, and such emails are rising significantly.
Humans have now moved ahead of machines as the top target for cyber criminals and it's your employees that are more likely to be targeted, rather than your software.
9 out of 10 cyber attacks start with a simple phishing email. Awareness and breaking bad habits remain the biggest challenges when it comes to fighting phishing. 78% of people say they know about the risk of unknown links in emails, yet they click anyway!
So what can you do?
10 years ago, the job title ‘Information Security Analyst’ didn’t exist. Today, there is a genuine worldwide shortage of qualified and experienced InfoSec specialists. They are in high demand, and with good reason. As the cyber threat grows and evolves, so must your cyber defence resources.
Over five years ago we set up a dedicated global information security team tasked with protecting our environment and those of our clients. We recruited specialist subject matter experts who could educate others and keep up with ever-evolving cyber threats and techniques. The team was integrated into the business, not set apart as a traffic cop.
It is their responsibility to perform and communicate information security within the business and to make it everyone else’s responsibility too. It quickly became obvious that if we were going to do this successfully, we needed to take a client-centric approach to everything we did.
Infosec teams have to be integrated into the business, not set apart as a traffic cop.
Cyber security is an ongoing battle. Make your people your first line of defence by developing information security awareness and vigilance amongst your employees so that everyone has the right level of knowledge about security and feels responsible for it. A check-box training exercise is no longer enough. There must be a continued and concerted effort to bring about a real change in culture and behaviour.
It’s a big ask for InfoSec teams. Employees are more tech savvy than ever before, often finding it easier to use their own familiar devices, apps and programs than your authorised solutions. So-called ‘shadow IT’ and BYOD pose new risks and challenges for IT and InfoSec teams, who must adapt to accommodate these new ways of working, acknowledging where there is a real business need for greater flexibility and ease of use, while at the same time protecting the business.
Be prepared to try different approaches to help the message stick. 70% of millennials admit to bringing outside devices into the work environment, against IT policies. 60% say they aren’t concerned about corporate security when they use personal apps instead of corporate apps.
You have a challenge on your hands to find ever-more creative and impactful ways to communicate information security messages to all of your internal stakeholders. You’ll need a range of tactics up your sleeve.
Our information security team has more than quadrupled in size, a reflection of the increasing importance we place on cybersecurity and also a direct response to the growing threat level the financial services industry faces. In that time, we achieved ISO/IEC 27001 certification, the internationally recognised best-practice framework for managing information security. Supporting our dedicated information security team is our first line of defence: our people, all 2,000+ of them.
Ultimately, the only thing protecting your business from becoming a cybercrime victim is your people so layer your technology defences with a powerful human shield. Remain vigilant and continue to strengthen and evolve your security practices. As Einstein said, ‘We can’t solve problems by using the same kind of thinking we used when we created them.’