COVID-19 and the chaos it has caused have led to an unprecedented increase in cyber attacks globally. It is well known that employees represent the weakest link in a company’s cyber security system, with more than a third of data breaches involving company staff. This includes employees falling victim to email scams and unintentionally sharing data, as well as more deliberate actions where a disgruntled current or former employee may purposely leak confidential data or compromise a company’s systems.
Today’s reliance on information technology presents a single point of failure and is as much an existential threat to business survival as it is an opportunity for growth. Considering COVID-19 and the ‘new normal,’ businesses and employees are navigating uncharted waters with the sudden shift to remote working, furloughing of staff, and changing work patterns. This already complicated process is further aggravated as criminals exploit heightened levels of both technical and personal vulnerability.
As workers shift from working within the secure confines of their office’s network to working from home, the risk of insider threat – malicious or benign – is now more pronounced than ever. For example, hackers are undermining the hard work of stretched IT teams who, amid the chaos of mass migration to home working, have been working diligently to get employees quickly set up with new software. By inviting workers to follow links to download new tools that are laced with malicious code, cyber criminals are compromising computers and potentially infiltrating the company network.
Reducing this risk is simple – all it takes is education. Employees who are adequately educated on cyber security practices can reduce the rate of successful attacks by 80 per cent; employee cyber security education needs to be at the top of the agenda for every business.
Building awareness of cyber hygiene principles
More than ever, businesses expect their employees to remain up to date in the face of increasingly sophisticated cyber scams. The first step in the education journey is raising the awareness of the basic principles of cyber hygiene.
Cyber security education will teach employees how to recognise the tell-tale signs of phishing and how to make safe and sound decisions when clicking on links or clickable media. Following even the most cursory checks will decrease the risk of becoming a victim of phishing. Some of these quick and easy checks include:
- scanning the appearance of the material and identifying whether anything looks unusual;
- keeping an eye out for poor grammar and language;
- evaluating the legitimacy of the source and domain name; and
- reviewing how the email has been addressed.
Employees should always be alert to suspicious communications. Asking only a few questions before acting can mean the difference between a system breach, a near miss, or the continuation of normal business. Some of these questions include:
- Does a request for sensitive information sound odd?
- Does the email contain a veiled threat or call for urgent action?
- Are you being asked to do something unusual or outside of your remit?
Emails asking for payment or fund transfers to third parties and “click here” requests are clear signs employees must be wary of. Equally, oversharing on social media increases the risk of falling victim to phishing as this provides an easy place for hackers to collect information to tailor their attacks.
Of particular importance at this time is letting employees know that hackers commonly exploit top-of-mind issues, preying on concern about a current topic with a promise to learn more in order to attack and compromise networks.
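The checks and warning signs listed above can be turned into a simple triage aid for a helpdesk or a security-awareness exercise. The following is an added example, not code from the original article: it inspects a single email for a sender display name that borrows the company’s domain, a mismatched Reply-To, a generic greeting, urgency wording, payment requests, “click here” lures and topical bait. The trusted domain, keyword lists and the sample message are constructed assumptions.

```python
"""Heuristic phishing triage for the tell-tale signs listed in the article.
Added example; trusted domain, keyword lists and sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: the company's own domain
URGENCY = ("urgent", "immediately", "within 24 hours", "account will be suspended")
PAYMENT = ("wire transfer", "bank details", "pay the invoice", "gift card")
TOPICAL = ("covid", "furlough", "remote working")


def triage(raw: str) -> list[str]:
    """Return the tell-tale signs found in one plain-text RFC 822 message."""
    msg = message_from_string(raw)
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    body = payload.decode(errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Legitimacy of source: display name names a trusted domain the address lacks
    if domain not in TRUSTED_DOMAINS and any(d in name.lower() for d in TRUSTED_DOMAINS):
        findings.append("display name impersonates trusted domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply-to domain differs from sender domain")
    # How the email is addressed: generic greeting instead of the recipient's name
    if re.match(r"(dear (customer|user|colleague)|hello,)", body.strip().lower()):
        findings.append("generic greeting")
    if any(k in text for k in URGENCY):
        findings.append("urgency / veiled threat")
    if any(k in text for k in PAYMENT):
        findings.append("payment or fund transfer request")
    if "click here" in text:
        findings.append("'click here' request")
    if any(k in text for k in TOPICAL):
        findings.append("topical lure")
    return findings


# Constructed sample lure of the kind the article describes (placeholder URL).
SAMPLE = """From: "IT Support example.com" <helpdesk@examp1e-support.net>
Reply-To: collect@mailbox.example.org
To: staff@example.com
Subject: URGENT: new remote working tool
Content-Type: text/plain

Dear colleague,
To keep working from home you must install the new tool immediately.
Click here: http://placeholder.invalid/tool
"""
```

Running `triage(SAMPLE)` flags all six signs, while an ordinary internal message with a named greeting and the company domain returns an empty list.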
Empowering employees to join the fight
It is not just about equipping employees with knowledge of cyber security. The second step in cyber security education involves empowering employees to take ownership of their – and by extension the business’s – cyber safety.
The first element of an employee empowerment strategy is creating a culture of vigilance where cyber hygiene principles are baked into every business function and department. This is more than raising awareness and providing training alone; ensuring business leaders show a consistent commitment to cyber security while removing any internal attitudes of apathy is key to comprehensive and effective protection.
It’s also important to ensure employees are ‘engaged’ with their company’s cyber security journey. Often, we see businesses attempting to enforce policies and procedures with little explanation as to why they’ve been put in place. Employees should know why they need to change their passwords, why they need to undertake regular cyber security training, and ultimately, why their cyber vigilance is vital to protecting the business.
Every crisis or period of uncertainty creates new opportunities for hackers and cyber criminals. With the risk increasing on all fronts, the responsibility for cyber security can’t lie solely at the door of the C-suite, yet every security regime still needs sound leadership to be effective. Cyber hygiene must now be considered a mainstream requirement for every business, with leaders setting the tone and employees empowered to take responsibility; implementing an effective education programme is a critical requirement in achieving that.