Traditionally, cyber security has been seen as the IT department’s problem. They make sure everyone has antivirus on their PCs and look after the firewall, and as long as they do that properly, everyone else is safe… right? This has lulled users and business owners into a false sense of security, believing that cyber security simply isn’t their area or isn’t in their job description. Cyber criminals now exploit that attitude in a big way, having discovered that individual users are much easier to target and deceive than hardened systems. As a result, users often take actions which inadvertently allow attackers to bypass the IT security controls entirely: a legitimately opened attachment or a password typed into a convincing fake login page never has to get past the firewall. Signature-based antivirus on its own is no longer an effective defence, and even more advanced next-generation antivirus cannot reliably stop attacks that start with a deceived user. Now, everyone in an organisation has a part to play in keeping it secure, from the bottom all the way up to the CEO.
Hackers are now finding it easier to target regular users, who often lack cyber security training, than to try to bypass the complex technical measures put in place by IT.
It all comes down to data. Data is usually the target of cyber criminals, whether they are looking to encrypt it to hold a company to ransom, or to steal it to use maliciously or sell on the dark web. Sensitive data is everywhere nowadays, and anything that can identify a person is fiercely protected by law. So who in an organisation holds sensitive data? Not just the accounting staff, but every single employee. Anyone with a company mailbox could, as a bare minimum, expose the email addresses of many of their colleagues if they fell for a phishing attack. Even something as simple as an attacker holding a list of company email addresses, especially one annotated with each person’s department or role, can lead to identity theft and to more convincing, targeted phishing attacks later on.
Most successful data breaches begin with social engineering and phishing, where attackers rely on human error rather than a technical flaw. The average user might not realise they are such a lucrative target within their organisation, and might never have received any formal cyber security training. They didn’t know any better than to click the link that infected the entire company network with malware. This is the crux of the problem: an organisation is only as secure as its weakest part. It is absolutely imperative that staff be trained in good practice for keeping company data secure, and in recognising phishing attacks and social engineering indicators when presented with them, and not only accounting staff, but ALL staff.
Cyber security has often been described using a castle analogy: put up enough defences and the company inside would be safe. The approach of simply building bigger and stronger walls is no longer adequate, though, as hackers keep developing increasingly sophisticated ways to simply come in through the back door, typically by persuading someone inside to open it for them.
According to Joseph Carson, a cyber security strategist at Thycotic, “the method of getting into the castle is different, it’s no longer the front door”. He continued, “the new cyber security perimeter must incorporate an identity firewall built around employees and data using Identity and Access Management technology controls, which emphasise the protection of privileged account credentials and enhancing user passwords across the enterprise with multi-factor authentication”.
In short, as cyber criminals are opting to target humans rather than firewalls, we must focus our security efforts on our staff to create a human firewall. For starters, security awareness training is needed for all. Another crucial piece of the puzzle is privileged account management: users with admin access to their machines or to the network. “Privileged accounts are the keys to the kingdom, whether it’s a business or personal”, says Carson. “We’re talking about key information, the Coca Cola secret sauce”. This is why there is such a need to audit account permission levels within an organisation regularly, to ensure users do not hold admin rights they do not need, and to remove rights that were granted for a one-off task and never revoked. Users who genuinely need admin rights should have a separate admin account for that purpose, and should not log into it when a normal user account will suffice for their day-to-day work, so that a phishing email opened under the everyday account does not hand the attacker admin privileges.
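One practical form the audit described above can take, as an added example that is not part of the original article or Carson’s material: compare the membership of privileged groups on a Linux host against an approved list and report anyone holding admin rights who is not on it. The group names, the approved list and the `/etc/group` excerpt are all constructed for this illustration; on a real host you would read the actual `/etc/group` (or `getent group` output) and keep the approved list in version control.

```python
"""Least-privilege audit: flag accounts in privileged groups that are not
on an approved list. Illustrative code added to this article, not the
author's or any vendor's tooling."""

# Groups that grant root-equivalent power on a typical Linux host.
# 'docker' is included because members can start a container that mounts
# the host filesystem as root. (Assumed set; adjust per distribution.)
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker"}

# Hypothetical approved list: who is allowed to hold each privileged group.
APPROVED_ADMINS = {
    "root": set(),
    "sudo": {"sysadmin-alice"},
    "wheel": {"sysadmin-alice"},
    "adm": set(),
    "docker": {"ci-runner"},
}

# Constructed /etc/group excerpt for the demo (name:password:gid:members).
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,bob
sudo:x:27:sysadmin-alice,bob,carol
docker:x:999:ci-runner,carol
users:x:100:bob,carol,dave
wheel:x:10:sysadmin-alice
"""


def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-formatted text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip it rather than abort the audit
        name, _password, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_excess_admins(groups, approved, privileged=PRIVILEGED_GROUPS):
    """Return sorted (user, group) pairs: privileged membership not approved.

    A group missing from `approved` is treated as having no approved members,
    so every member of it is flagged (fail closed)."""
    violations = []
    for group in sorted(privileged):
        allowed = approved.get(group, set())
        for user in sorted(groups.get(group, set())):
            if user not in allowed:
                violations.append((user, group))
    return violations


def find_stale_approvals(groups, approved):
    """Return sorted (user, group) pairs approved on paper but not present.

    Stale entries mean the approved list has drifted from reality and would
    silently re-authorise the account if it were ever re-added."""
    stale = []
    for group in sorted(approved):
        for user in sorted(approved[group]):
            if user not in groups.get(group, set()):
                stale.append((user, group))
    return stale


def audit(text, approved=APPROVED_ADMINS):
    """Run both checks over /etc/group-formatted text and return a report."""
    groups = parse_group_file(text)
    return {
        "excess": find_excess_admins(groups, approved),
        "stale": find_stale_approvals(groups, approved),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_GROUP_FILE)
    for user, group in report["excess"]:
        print(f"REMOVE  {user:16} from {group} (not approved)")
    for user, group in report["stale"]:
        print(f"STALE   {user:16} approved for {group} but not a member")
```

Run against the sample data, the script reports that `bob` and `carol` hold `sudo` without approval, `carol` is in `docker`, and `bob` and `syslog` are in `adm`; the stale-approval check is empty because every approved entry is actually present. Running this on a schedule and diffing the output is a cheap way to catch the “temporary” admin grant that was never revoked.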
“We must increase our cyber-security awareness to help us protect and secure both our personal assets and our company assets. The time for a people-centric cyber-security approach is now, which means that cyber-security is everyone’s responsibility,” according to Carson. “The protection and security of employees’ work and personal lives are no longer separate. They have been intertwined with evolving trends of social networks, the internet of things and unlimited connectivity”.
All in all, a clear picture is being painted here. Organisations may think that they don’t need to change their tactics because “they’ve always worked in the past”, but we are seeing first-hand with the recent spate of mass-ransomware attacks that patching software alone is simply not enough. Any cyber security framework must adopt a layered approach, from the firewall down to the end user, so that a single deceived employee does not hand the attacker the whole network. We must update our way of thinking, the way we view cyber security, and the ways we work with our staff, to make them part of the solution, not part of the problem.