Edel Briody from Vodafone Ireland talks about the importance of cyber resilience and of a strong security strategy.
Working to ensure business resilience has never been more important. In the wake of the HSE cyberattack, which has shown us how much devastation cybercriminals can cause, it is vital that all organizations take cybersecurity seriously and guard against external threats and internal complacency.
Additionally, the Covid-19 pandemic has sparked an accelerated movement toward digital and online services in work, education, healthcare, retail, and more. The more we do online, the more we must prioritize cybersecurity. In fact, PwC's Global Digital Trust Insights 2021 survey, which surveyed more than 3,000 global executives, found that 96% of their organizations had evolved their cybersecurity strategy due to the pandemic.
Businesses of all sizes need to ensure that they not only have the right and up-to-date cybersecurity technology in place, but also that cybersecurity thinking and behavior are part of the DNA of their organizations.
This is no longer an optional add-on or isolated activity. Half of the executives surveyed by PwC for that recent report said that cybersecurity and privacy will be included in every decision or business plan of their company.
While most larger organizations have extensive infrastructure and security controls in place, some smaller companies do not and are leaving themselves open and vulnerable to attack. However, regardless of the size of the organization, it is critical to remember that strong cybersecurity has two fundamental components.
The first of these is security technology, infrastructure and controls, which need to be robust and up-to-date no matter what. More and more organizations make sure this is the case. Accenture's Cybersecurity Status Report 2020 found that 82% of leaders spent more than a fifth of their IT budgets on advanced security, up from 41% three years earlier.
The power of education
Companies can become obsessed with technology solutions without focusing on the most important line of defense. However, the second and possibly the most important element of any cybersecurity strategy is to instill a culture of security in all aspects of the organization and to influence and support the appropriate human behavior necessary to combat threats.
Organizations should stop treating security training as a box-ticking exercise or conducting training only because they know they should. A culture of high security should underpin the culture of the company.
This is not a one-time activity; a strong security culture will change employee attitudes. This means going beyond the tactical and recognizing that effective security requires a long-term approach, focusing more on awareness and communications, bringing policy to life, so to speak. It means understanding the best communication channels to promote a sense of belonging and offering employees support in raising incidents or security problems, which is really important.
It is vital, for example, to emphasize and re-emphasize the importance of even the simplest and most basic behaviors, such as never sharing your password or being careful not to discuss confidential information on open office calls. It is also worth underlining that the information that people share on social media is absolute gold for cybercriminals. There they can get extremely valuable information.
Early detection of major new threats often arises because someone says, “This isn’t right, this doesn’t feel right, maybe we should check before clicking on it.” Encourage everyone in your organization to report anything remotely suspicious to the IT department and be sure to run simulated attacks to understand and analyze the response within the organization. Similarly, limit administrator rights so that employees can only download approved applications and software.
Our analysis, in particular of the FluBot malware scam that has been circulating on Android phones across Europe, shows that hackers have changed tactics of late. As much as organizations and businesses try to beef up their defenses, hackers are trying to exploit any potential loopholes that arise from human behavior.
They study the human perspective, because they are trying to make sure that their messages have the greatest impact possible, which is why they use masking and spoofing behaviors to make their messages appear to come from the Gardaí or the Department of Social Protection.
The most insidious phishing threat is usually not one that involves a high volume of phishing emails. It’s where hackers turn the dial down and try more discreet approaches that could easily catch people.
One threat to warn staff about, for example, is spear phishing. This can happen when a third party’s technology has been compromised. When an employee receives an email from a third party, it seems legitimate and trustworthy, but it is what the employee is being asked to do that should raise the alarm. For example, they may be asked to change the bank account to which the payment is made. Everyone in an organization should be aware of these red flags.
To fight cybercrime, we need a holistic approach, encompassing industry, people, and government. Ireland is already at the forefront of this and is working with the industry to understand the threats and where security improvements can be made, but it is vital that national and European policies and regulations are clear to all across businesses so that we can have a robust and effective digital workplace.
By Edel Briody
Edel Briody is the Head of Corporate Security, Risk and Compliance at Vodafone Ireland.