The start of 2020 brought a huge change to businesses as the world found itself faced with a pandemic that would change the way we live, shop, and work. Almost overnight, the office environment went quiet, and the home office was introduced to a sea of employees who did not have the proper equipment or space to accommodate this new way of working. On top of not having a proper office chair at home, employees would be asked to work from a new network with implications for the company they are working for. While some companies were prepared to accommodate remote workers, the rise in cyberattacks in 2020 is a strong indication of the vulnerabilities that came into existence with the home office.
In a report generated by Interpol at the end of 2020, it was found that due to a dependency on online work and communication, cybercriminals found new opportunities to exploit companies with lower defences through a remote workforce. A majority of the cyberattacks they found at the beginning of 2020 were attributed to phishing, scams and fraud¹. These are attempts to infiltrate a company using an unsuspecting company insider, meaning any single employee who is left unprotected by their company can be a threat to that company. One poor click in a phishing e-mail can mean an open door to a cybercriminal.
This is not to say that there is malintent from employees within an organisation. Quite the opposite. Employees are merely victims of inescapable human error. In the 2020 Data Breach Investigations Report (DBIR) from Verizon, it was found that while hacking remains the most common action attributed to a breach, it saw a decline last year while there was a steady increase in the frequency of error as the attributed action. According to that same report, “there is no getting away from the fact that people can, and frequently do, make mistakes and many of them probably work for you”².
Categorical issue
While insider risk is understood to be a contributing factor to a breach, it has only recently become accepted as a categorical issue that can be addressed. Slowly, companies are adapting to find new ways to protect their employees both remotely and in the office.
Instead of pushing the blame onto employees who are working within their natural tendencies, companies should consider what changes can be made within an organisation to protect against outside threats that enter through inside means. Many companies maintain a data protection policy as part of their company handbook. The data protection policy is designed to be a guide for employees as they move about their general daily activities and assist when making decisions on behalf of the company. As important as this document is, quite often employees review the handbook only upon entering a company, even though handbooks tend to be updated periodically to keep up with ever-changing regulations and ideas. This dilemma is an inconvenient truth that is often overlooked but can make the difference between a secured company and a breached one.
Teaching and reinforcing positive cyber hygiene among employees is one way in which they can help in defending against cyberattacks. This is the consistent and safe training of employees when they perform a manoeuvre that could compromise important data or open themselves up to a threat. This could be sending a document with sensitive information to an outside source using a document sharing service or clicking on an e-mail without reviewing the source.
With practice and consistent guidance, it is possible to train employees with new programmes that help to curb unwanted behaviours, with notifications being made to the employees when one of these incidents is about to occur. The employee can learn in real-time why they cannot or should not perform this action. It can also be a comfort to the employees who know they are protected within this system of alerts, with additional options to anonymise which employee is connected to each incident – in other words, ensuring full visibility while maintaining privacy. With time, these actions will become habits. Human error is always likely to occur, but with incident-based training, employees and companies can better protect themselves from outside risks.
The future of work has changed, with some employees working remotely and some back in an office. To accommodate these changes, employers need to make changes now to better protect their employees and, in turn, their data. The cost of a breach can soar into the hundreds of thousands of rand, depending on the extent and industry. The educated workforce is a company’s best defence against this threat.
Sources
¹Interpol, Cybercrime: Covid-19 Impact, August 2020
²Verizon, Data Breach Investigations Report 2020, pages 13-14
- The author, Anne Simpson, is marketing manager for Europe, the Middle East and Africa at Ava Security
- This promoted content was paid for by the party concerned