(*) By Bruno Lobo, general director of Commvault for Latin America and author of the book “HumanOS: The key to cybersecurity”
The digital age has brought with it a host of new challenges, especially the unwelcome and relentless onslaught of ransomware and other threats. This has been compounded by the pandemic and the hybrid workplace, which has widened the attack surface for phishing and other social engineering attacks targeting home offices and employee data.
As security and IT professionals, we have done our best to defend our environments properly. We have strengthened our perimeters, maintained our endpoint controls and security patches, adopted zero trust guiding principles and introduced more proactive and rigorous data protection strategies. It’s a constantly evolving battlefield of complexities and challenges. We do this at the speed of business, while keeping an eye on our spending to manage risk and offer great service to our customers.
Today, in most cases, you are the security or IT professional in your family. And data (and the threats that follow it) goes wherever our employees go, which is all the more reason to extend cybersecurity awareness and training programs outside the office to ensure our people are ready to be the first line of defense.
Hackers target human laziness and fallibility for their most effective attacks. Social engineering cannot exist without both being present. To strengthen the human element, you need to remove the conditions under which laziness and fallibility can be exploited. By systematically eliminating both, you eliminate the chances of social engineering and phishing working in the first place. However, laziness and fallibility each present their own threats.
Laziness often stems from a lack of knowledge and a lack of transparency. How can you know what the organization’s stance is if no one tells you? There must be clarity and transparency about what the company’s policies are and why they exist; otherwise, it’s easy to ignore them. Can an employee follow them on their first day? If they can’t, you need a new set of rules or new employees.
Here are my recommendations for that:
- First, if you haven’t already done so, investing in ongoing awareness programs needs to be one of your priorities. Protection is not limited to one person or team. A CISO and their team of security professionals are essential to a security program, but the real strength is in numbers. In other words, by educating and involving the entire organization in online security protocols, companies can be better equipped for cyber threats. This starts by teaching employees to recognize phishing emails and malicious links that deliver malware; to apply identity theft prevention techniques; and to follow encryption and password best practices.
- Next, you need to encourage them to take proactive steps to secure their home and office networks, which includes physical security, securing their devices and keeping an eye on their surroundings. This means maintaining regular software updates and security patches; securing their home wireless networks; encrypting sensitive data and files so that only authorized people can access them; setting strong, unique passwords; and using multi-factor authentication as an extra layer of protection. Frankly, it’s good hygiene for work and home.
- Last but certainly not least, as a CISO or IT professional, you also need to make it personal by creating an atmosphere in which employees feel comfortable asking questions about data protection. This comfort, trust and open line of communication are essential for engaging with your workplace and for employees to take ownership of their own security measures.
It’s not enough to hope that you won’t be affected by an incident or breach. Going untouched is unlikely these days; we know that it’s only a matter of time before you’re attacked. And cyber attacks have become increasingly sophisticated, with malicious actors using a variety of tactics to gain access to assets and confidential information in order to disrupt your business or personal life. Phishing emails, ransomware campaigns and malware downloads are just the beginning. So make sure your employees are trained, engaged and ready for any type of incident that might occur.