Companies once thought of their organisation’s security as a castle-and-moat scenario in which no one outside of their organisation was able to access their data. Only those inside the castle (on the network) had access to the information. Now, with the need for remote work, combined with our tech savvy workforce, many more bridges have been built over the moat, transforming the castle into a highly interconnected and accessible city skyscraper – both physically and virtually. Are these new bridges providing unauthorised access to organisational data? It depends on how they are built and if the occupants of the skyscraper are aware of their role of protecting the organisation from cyber threats, as well as the implications of building an insecure bridge.
Centuries ago, your biggest threat would have come from a mob of angry soldiers with fire torches and arrows outside of your castle. Today, the biggest threat to your skyscraper comes through your email. Mimecast found that more than 91% of cyber-attacks infiltrate an organisation via phishing email, with a 400% year on year increase in such attacks according to the FBI.
Zero Trust (ZT) is the armour and visibility your people need to protect the skyscraper. You may think it’s just a popular fad term in the cyber security industry. However, Zero Trust is more than just a buzzword. It is an approach that requires informed trust decisions by providing more context than ever before, especially when relating to one of its pillars: people.
Let’s break down three ways the people of your organisation can impact your exposure when it comes to cyber threats.
Keep in mind, no one is immune. Execs are often the targets of whaling and spear-phishing impersonations. Even IT administrators are vulnerable to attacks, despite their experience.
1. Employees Are The First Line Of Defence
At the end of the day, the people who are operating within the organisation are humans. We aren’t quite there with robots yet, and even they are capable of error. Humans are busy, filtering through countless emails daily, while trying to keep up with their roles. Stress, fatigue, not paying attention, unawareness and the pace at which we work can all leave room for unintended or even intended consequences.
IBM’s Cyber Security Intelligence Index Report reveals that human error was a major contributing cause in 95% of all breaches and over 70% of all breaches are due to social engineering. The Mimecast State of Email Security 2022 report found that more than 8 out of 10 respondents believe their company is at risk due to inadvertent data leaks by careless or negligent employees.
Understanding that your employees are your first line of defence is imperative to a strong security strategy. However, the frontline of your cyber security defence is cultural, not technology based. Your employees don’t need to know what ZT is, but they do need to adopt the ZT mindset which involves not trusting everything by default or at face value. Reframe ZT away from not trusting your people but rather empower them to make better trust decisions informed by context.
Empower your knights in shining armour by focusing on preparedness and vigilance. Teach them the red flags that they should look out for. Eg: If an email comes through from their “CEO” but the email address is unrecognised, they should know what action steps to take next, such as not clicking on the email and the appropriate person to alert of the phishing attempt.
Further, you should be providing them as much context as possible using email analytics, such as whether that email was external, if that email contains content such as urgency, large payment requests, if it came from a remarkably similar email address to other internal staff or other scam related behaviour. Remember – you should make that glass window to the outside as clear and as large as possible via providing more context.
2. ‘Tick-the-box’ approach provides a false sense of security
Companies fear reputational damage from breaches and non-compliance. They all expect the data stored within their organisation to be safe and never want to compromise their customers’ personal information. As a result, organisations often focus on compliance and meeting the requirements of legislation and treat this step as the final destination of their cyber security program. This leads to them mistaking being compliant as being secure – which are two completely different things.
Often, organisations prefer to pay the fine and sweep the breach under the rug rather than risk reputational damage. Organisations should be weary of this approach – as sometimes you may have a covert breach you aren’t even aware of. Unfortunately, in that case, customers might find out there’s a breach before you do through examples such as a ticket machine displaying a ransomware notice, on an advertising billboard or a website defacement.
According to the 2022 Mimecast State of Email Security Report, 83% of participants responded that their organisation was the victim of a cyber-attack that spread from one infected employee to others (up from 73% in 2021).
Could employee naivete be an open window?
According to the report, 40% of the respondents said that was one of their biggest security concerns for the coming year. However, employees aren’t always properly prepared to deal with an attack. Only 23% said that their company provides regular cyber awareness training.
With these considerations in mind, when you create a policy and meet compliance requirements, don’t just stop there. Take it a step further by implementing measurable phishing awareness training programs. Test your employees through regular interactive quizzes, social engineering and phishing simulation tests. Be sure to track these tests over time to ensure the awareness program is effective and make adjustments to your awareness program based on the results. That’s how you can provide assurance that your policy is being adhered to, and that your employees are armed with knowledge as to how they can flag an “innocent-looking” intruder before they are fooled into letting them over the bridge and into the front door.
3. Security is seen as the enforcer Rather than the protector
According to Security magazine, over 2,200 cyber-attacks are made every day – roughly one every 39 seconds. Cybercrime is constantly evolving, and organisations are struggling to stay ahead of perpetrators. Therefore, a whole-of-organisation approach is needed across all maturity levels. The entire organisation needs to wear the armour and continue to evolve with growing threats. This starts with the company culture.
From a cultural perspective, companies should take an approach whereby the IT/Security Department are seen as the people who help and guide – not people to be feared. They should be the protector rather than the enforcer. This helps to remove the ‘unauthorised bridge building’ into the organisation by ensuring that other departments throughout the business want to work with IT/Security teams and involve them in their processes voluntarily. This way, bridges can still be built to enable the organisation’s agility, but they can be built securely so both parties win. If you’re looking for somewhere to start – uniting with departments such as Legal, Procurement and Project Management in particular will help considerably, as most technology initiatives go through them.
Additionally, don’t forget to make sure your employees know who to talk to on cyber security matters and have an easy way of contacting them for help. There is a considerable amount of organisations whose employees don’t know how to get in touch with their Security teams apart from through a helpdesk ticket, which can be a deterrent. A dedicated information security portal, email address or contact number is a step in the right direction.
Today’s tech savvy younger generation might not recognise the importance of engaging with IT/Security and may take a “do it myself” stance when they have the knowhow from a technology perspective. This is an opportunity to reframe that approach, making IT/Security the ambassador for instilling a culture of cooperation and transparency throughout the business. Secure business enablement and employee experience allow the IT/Security Department and employees to work closely together and bridge gaps.
A company’s IT/Security Department should not be conscripting the troops. Rather, it should be seen as the department that helps to build a cohesive army in which all employees, no matter the department, are working together in unison against cyber threats.
Implementing ZT is not a band aid solution to cyber threats but rather an ongoing, holistic approach. Understanding ZT in the context of the people within your organisation and the actions you can take fosters opportunities such as uniting your people and strengthening your culture as everyone does their part to protect the skyscraper. This approach creates a stronger, resilient, company-wide alliance against cyber-attacks in which everyone will be empowered with the armour and visibility needed to able to look through that window and flag an intruder before they step on to the bridge.
If that sounds like a lot, have no fear. Sekuro are using their experience to help many organisations strategically unite their people against cyber-attacks. Learn about how we can help you take a holistic approach to Zero Trust across your People and 7 other pillars via Sekuro’s Zero Trust Strategy.
Lee Roebig, Customer Ciso of Sekuro
Lee is an experienced Cyber Security professional with 16+ years in the technology Industry. He has previously worked in cyber security leadership and architecture roles inside multiple global organisations prior to joining Sekuro. At Sekuro, Lee helps clients with Cyber security strategy, Zero Trust, Virtual CISO, mentorship, executive advisory and security architecture. He has worked with numerous clients on cyber security strategies across industries such as health, insurance, construction, manufacturing, leisure including multiple ASX listed companies.
How You Can Implement Zero Trust Even with Limited Resources
Whether it is a person, device, object, or connection, Zero Trust is the belief that we should not trust them until they prove they can be trusted.
The Patching Time Sink
Sekuro’s Customer CISO, Lee Roebig expounded on the following aspects of Zero Trust, which are fundamental to the security, and hence, the success of an organisation.
The Sekuro Talkshow with Lee Roebig (Ep.4)
In the fourth episode of the Sekuro Talkshow, Shamane Tan, Sekuro Chief Growth Officer, is joined by Lee Roebig, former Head of Information Security for Fitness and Lifestyle Group, and Sekuro’s current Customer CISO.