Often when we talk about solutions to security threats we think about hardware or software – firewalls, antivirus, SIEMs, IDS/IPS platforms and so on. While these are important, like many aspects of a business, the most fundamental part of cybersecurity is our people.
A multifaceted approach to security is critical to business success. Cybersecurity is an arms race between attackers and defenders. As modern security systems become increasingly capable, “soft targets” such as people, or legacy systems with exploitable vulnerabilities, become appealing targets for bad actors.
Social Engineering is a term you may have heard. It encompasses a variety of tactics used by threat actors to target individuals, both at home and at work.
These attacks can be incredibly effective as a vector to gain access to personal information or financial resources, or to distribute malware such as ransomware. Some sources cite that 95% of breaches involved human error as the attack vector rather than technical infrastructure, and commonly the individuals involved were outside of IT teams.
Personally Identifiable Information (PII)
Information is valuable, and personal information is more accessible than ever. An individual’s online presence through social media and other platforms builds a profile about an individual, which could be used by threat actors to carry out crafted, targeted attacks.
Using information available on the internet, it is easy to identify an individual’s employer, their role, and the company hierarchy. This information can then be used to craft Social Engineering attacks against a specific individual, such as:
- “Spear phishing,” where a phishing attack is crafted for a specific individual
- “Spoofing,” where an attacker impersonates a person of authority, such as a financial controller or C-suite executive
- “Whaling,” where a targeted attack goes after a high-value target such as a C-suite executive
Not if… when
Cybersecurity threats are on the rise, both in New Zealand and around the world. While most of the newsworthy breaches involve large organisations, threat actors are increasingly targeting individuals and small and medium enterprises.
“Security through obscurity” is an approach based on the assumption that business resources are hard to find, or the organisation is small enough to avoid being a target. This is not an effective tactic in the constantly online, remotely connected world we live in.
Automation works for threat actors in the same ways it benefits legitimate enterprise: it allows manual tasks to be completed rapidly and without human intervention, scaling up mass vulnerability scanning, enabling ever larger Distributed Denial of Service (DDoS) attacks, and automating phishing, information harvesting, ransomware, and so on.
Many companies will have a Business Continuity Plan (BCP), but often it only covers threats such as disasters. A response plan for cybersecurity incidents, along with the inclusion of such possibilities in the BCP, is also critical for any organisation. What this looks like will vary, but consider key questions such as: if a breach is detected, how will it be approached? Who will own the investigation and determine the impact of the breach? How do you continue operations if your systems are made inaccessible by a Denial of Service (DoS) or ransomware attack?
It is easy to think that an attack is unlikely in our little corner of the world, but New Zealand is being targeted – just look at the catastrophic cyber-attack on the Waikato DHB in 2021, which highlighted legacy infrastructure alongside inadequate staffing and training as factors in the breach.
Building a positive security culture
Security can sometimes be seen as a box-ticking exercise, or as a draconian presence within a business, but building a collaborative and positive culture around security can deliver strong outcomes.
Ongoing staff training builds awareness and promotes personal agency, which in turn improves engagement. Staff become less susceptible to attacks and are more likely to report suspicious activity or suspected breaches, leading to faster response times when a breach has occurred.
Multi-Factor Authentication (MFA) / 2-Factor Authentication (2FA)
Many applications support multiple levels of authentication – usually a combination of the user’s password with an extra verification step via SMS, email or an authenticator app. Turning on MFA is a straightforward way to increase access security.
Using MFA for business applications, along with educating and encouraging staff to enable MFA at home, also improves the business security posture: it contributes to a security-positive mindset and helps prevent unauthorised access to accounts and personal information.
Secure Passwords & Password Managers
A survey conducted in early 2020 found the average person maintains 100 individual logins. That number has undoubtedly increased in the last two years, and many businesses have systems that add to it. So it is unsurprising that many people use the same password across multiple accounts. If an individual uses the same password for their social media, online banking, and work-related accounts, the potential fallout from an unrelated data breach can rapidly escalate.
Encouraging the use of best-practice password policies and a reputable password manager, both at work and at home, is an effective way for a business to foster good security practices in its staff. A password manager can generate and store strong passwords automatically, and some business-grade plans include “home” plans for personal use.
Ongoing Training & Awareness
Cybersecurity can be seen as an abstract concept, less ‘real’ than physical security threats, yet it can be just as damaging as physical threats, if not more so. Promoting a security-positive mindset through ongoing education and awareness campaigns – comprising relevant information on current threats, how to spot them, and how an individual has personal agency in the business’s security and their own – is an important aspect of training staff in cybersecurity.
Recent years have shown that workforces are increasingly logging in from a variety of locations, and as the line between personal and work devices becomes ever more blurred, the security models of the past are being upended.
When making use of cloud resources, keep in mind that a cloud provider is only responsible for securing the cloud infrastructure itself. Typically, this means that security policies around access to those resources are the responsibility of the organisation’s IT team, not the cloud provider.
Remote access tools such as Zero Trust Network Access (ZTNA/VPN) or Cloud Access Security Brokers (CASB), found in as-a-service products such as the Secure Access Service Edge (SASE) suite, can give staff and customers access to on-prem or cloud business resources in a more secure way than an on-premises perimeter firewall with a VPN-concentrator remote access solution.