There has been a focus on different peoples roles this October: Individuals and families who need to ensure they have basic cyber hygiene practices, those considering joining the cyber community who are adding diversity and fresh ideas to the workforce, and those already working in the industry who strive to improve their organisation’s resilience to threats.
Cybersecurity should be of top priority for everyone. As Okey Obudulu, CISO at Skillsoft, highlights, “every second, approximately 18 people are victims of cybercrime. Nobody is safe. Today’s enterprise attack surface means there’s far more information available for threat actors to target than ever before — the need for trained professionals has never been greater.”
CYBERSECURITY – THE SHARK OF THE DEEP WIDE WEB
The rise in remote and hybrid working over the past couple of years has meant employees are working outside of their traditional office environments, increasing the number of endpoints. This can create a security headache for IT teams.
Terry Storrar, Managing Director of Leaseweb UK, summarises, “away from the office, employees are now far more likely to, for example, connect to unsafe networks, transfer corporate data to personal devices, or share unencrypted files. Threat actors are acutely aware of this trend and relentlessly taking advantage of these vulnerabilities.”
Organisations with mobile workers, such as health and social workers, have an even harder job protecting company files as employees are frequently utilising their devices from a range of locations.
Scott Boyle, Head of Information Security at Totalmobile illustrates, “having these employees physically on the move extends the perimeter that the organisation needs to monitor and manage. All of these mobile workers need to be able to access secure files and documents even when out on the road, possibly relying on a variety of unknown WiFi networks as well.”
Yakir Kadkoda, Lead Security Researcher, Team Nautilus at Aqua Security, adds, “one of the biggest insider risks in the development process is code leakage. Any instance of code leakage leaves business logic, vulnerabilities, secrets and internal processes visible to everyone. This can lead to attacks and vulnerabilities for many years to come.”
A LEARNING LIFEBOAT
As concerning as cyber threats are, there are several relatively simple ways to combat them. Leaseweb’s Storrar elaborates, “standard security training for all employees is one of the most basic, yet effective methods an organisation can implement. Yet, too many businesses are failing to safeguard their data in this way.”
This is particularly important for mobile workers, who need to access secure files and documents when out on the road. “Because of these working patterns, mobile workers can become insider threats, even completely inadvertently,” warns Totalmobile’s Boyle. He adds, “given that some of the data that these workers are accessing is customer data, which is some of the most valuable to cybercriminals, it’s crucial that organisations ensure that all of their employees are fully trained in the latest cybersecurity measures so that they can avoid any kind of insider risks.”
“A solid cybersecurity culture thrives when employees are educated and enabled,” Skillsoft’s Obudulu agrees. “Cybersecurity training is vital to defend against phishing attacks and malicious threats. However, it can’t be a half-hearted effort. Too often, cybersecurity training is seen as a one-off quarterly session, bolted on to the employees’ ‘real’ work. Instead, it should be incorporated into day-to-day activities, so there is always a strong engagement with security policies.”
Positively, new research from Skillsoft has observed a 21% increase in the total number of hours spent consuming cybersecurity training across organisations in the last year alone, with a 24% increase in the number of hours spent by each learner on average.
MANAGING DATA SHOULDN’T BE SINK OR SWIM
Current estimates show that 2.5 quintillion bytes of data are created every single day, meaning that it has never been more crucial to protect this data. Ciaran Rafferty, Managing Director, Managed Detection & Response at Helpsystems, notes: “when every single person in an organisation is observing best practices – enabling multi-factor identification, using strong passwords that are never shared, identifying and reporting phishing promptly, keeping software up to date – they contribute to a strong security posture.”
“Businesses can implement a trusted SaaS solution that not only protects the data the business creates, collects, and stores, rendering it recoverable should an attack succeed, but that also puts up defences against cyberattacks that can prevent an attacker from succeeding in the first place,” suggests Marco Fanizzi, SVP and GM at Commvault International.
“In years gone by, effective security solutions would often come with a hefty price tag; thanks to the rapid evolution of SaaS, defending and protecting what you have – nothing more, nothing less – is a piece of cake.”
However, if mistakes do happen organisations need to ensure that it’s not repeated and an experience that employees can learn from. Tyler Reguly, Sr. Manager, Security R&D at HelpSystems, advocates that if “we treat these incidents like a source of shame, we deny others the opportunity to learn from our experiences. The easiest way to ‘See Yourself in Cyber’ is to see how others are impacted. It is time to remove the stigma around being a victim of cybercrime and open the door so that every one of us can ‘See Yourself in Cyber’.”
REGULATIONS TO STAY CURRENT – FROM HOME AND ACROSS THE POND
In the upcoming weeks, we should expect the latest EU rules around improving cybersecurity posture and cyber resilience within the EU’s Digital Operational Resilience Act (DORA) and Brussels’ Cyber Resilience Act.
Jakub Lewandowski, Global Data Governance Officer at Commvault, highlights: “Both legislative developments act as perfect reminders of the need to assure the ability to withstand, respond to and recover from all types of ICT-related disruptions and threats. Any business that has connections to the EU market will have to comply, so I predict that the UK may soon follow suit with similar regulations.”
Andy Bates, Practice Director of Security at Node4, adds, “there is also the matter of Cyber Essentials – a UK government scheme to get every business to a good level of cyber security. One of the main criteria for the Cyber Essentials certification is up-to-date software. When working with the UK government it is essential to meet these criteria, but it is good pragmatic security advice for all organisations and people to follow – not just those with government contracts!”
2023 – THE YEAR THAT ORGANISATIONS START TO FIGHT BACK.
“You’ve seen the headlines,” remarks Liad Bokovsky, VP of Solution Consulting at Axway. “The speed and frequency of cyberattacks are rising and they can strike anywhere, at any time, in any digital ecosystem. The upside? With the right knowledge and tools, organisations can be in a good position to defeat them before they happen.”
Commvault’s Lewandowski agrees: “2022 has been a tumultuous year for the cyber world. The outbreak of war in Ukraine at the start of the year paved the way for an onslaught of state-sponsored cyber attacks that saw businesses across the globe heighten their defences. This has taught many new lessons about cybersecurity. For one, it is not a one-off task, but an ongoing process. Businesses should routinely monitor their IT environments for any abnormalities and test their backup solutions to ensure all defences are operating at maximum efficiency.”
He concludes: “Nothing happens overnight but, looking ahead, 2023 could be the year that organisations fight back.”
