Over the past year, many business plans have pivoted in one way or another — some long-term initiatives have been placed on hold, some businesses have had to re-imagine their entire business model, and, for some, even regular maintenance activities may have taken a backburner. Regardless of the varying degree of changes that organisations have experienced, many have adopted a shared priority: an increased emphasis on cybersecurity protection.
According to Interpol, there has been an “alarming rate” of cyberattacks this year, which means that businesses have had to contend with more than the usual set of challenges. Yet, history has shown that even in the best of times, enterprise security health checks don’t always happen, let alone during a global pandemic. In fact, last year’s Cyber Security Breaches Survey discovered that less than a third of UK businesses had carried out a cyber risk assessment in the last 12 months.
To successfully navigate 2021 and appropriately manage the lingering effects of the coronavirus pandemic on workplace productivity and growth, organisations must begin to proactively monitor their cybersecurity health. There are three things that every business can do immediately, and fairly easily, to effectively mitigate the threat of future cyberattacks or breaches. This includes an equal focus on policies, products, and people.
Preparing for the unpredictable
Moving forward, it’s recommended that organisations develop their business continuity plan and refine it frequently, setting out measures to keep operations going in the event of a disaster, or in the scenario of future workplace closures. Until now, few would have thought that there would be such an event that would impact all businesses globally to the degree that it has this year. The events of 2020 have forced firms to operate in continuity mode for an extended period, underscoring the critical importance of having such a plan to begin with.
Businesses have had to support an entire remote workforce at such short notice and with home networks and personal devices suddenly part of the corporate IT estate, their attack surfaces have only been broadened. This has placed extra pressure on cybersecurity teams and challenged corporate policies and procedures. While the situation is extreme, the same fundamentals to enterprise cybersecurity stand, even outside of a global pandemic. It’s important that cybersecurity is understood as a business-wide initiative, led from the top – clear policies are a must, but measures can’t end there as poor security behaviour can leave data unsecured, with potential to result in a breach.
For employees to act in a safe way, they must think in a safe way and that mindset comes from an emphasis on security being part of the work culture. Achieving that means weaving security into ways of working by regularly reinforcing the message, building understanding through ongoing training, and having an open-door policy for staff to raise issues or report concerns. Additionally, security is most effective when it’s easy to use, seamless, and doesn’t hinder productivity – otherwise it runs the risk of being rejected by the user.
Choosing the right tools
Too often, people handle security badly by default, for example they choose weak passwords because they are easy to remember, or they fail to install important system updates. Given today’s sophisticated cyberattack tactics, these seemingly small behaviours can have huge security consequences. Social engineering attacks prey on uncertainty and these have been uncertain times for everyone. Many employees will be working in different ways from what they are used to and will be receiving more digital updates and communications from their employer than usual. This is a breeding ground for cyber attackers to try and trick people into clicking on links in phishing emails or giving away personal information – both the UK National Cyber Security Centre and US CISA have highlighted the problem of cyber criminals exploiting the pandemic in a joint advisory. Attackers have focussed on the entertainment, shopping and education services that people have been using much more recently.
Now that employees will be using networks and devices that are likely to be less secure than business networks, strong multi-factor authentication is essential. Employees will be familiar with one-time codes from an SMS text message or even an authenticator app, and while these do add an extra layer of security, they are still vulnerable to modern phishing and man-in-the-middle (MitM) attacks.
Strong authentication methods, such as FIDO security keys, provide a secure option along with user convenience. Employees register their key with the applications or service on the devices they use and are then asked for it each subsequent time they log in. This technology has already been rolled out by the likes of Microsoft and Google to protect not only corporate customers but the public as well in their consumer offerings.
Equipping every user
Security training often gets neglected when companies are in fight or flight mode, but it should be prioritised company-wide to ensure a consistent – and consistently progressive – approach to security. Employees may need assistance with understanding new technologies and processes to work safely and securely outside the office environment. Without IT help immediately at-hand, or even other colleagues to ask questions of, employees may be more vulnerable to cyber threats from phishing and MitM attacks.
Training should consider the situations within which employees work and be tailored accordingly so that all staff understand why it’s relevant to them, what they need to do and how they need to do it. Expanding this education will help to improve general cyber health and awareness and will enable users to work safer and smarter while being aware of potential side attacks via Facebook/WhatsApp links and messages.
Neglecting cybersecurity measures designed to protect company assets can leave enterprises open to damaging cyberattacks. To mitigate the risks, procedures should be reviewed and regularly updated, and staff training should be refreshed as new challenges and risks come to light.
If you would like to join our community and read more articles like this then please click here.