The 24th of September saw us cover the mammoth topic of staying cyber resilient during the pandemic with the help of Cyber Security Expert & Strategist, Haroon Malik. Haroon has 15 years of cyber security strategic experience behind him, having implemented fortress-like security plans to keep some of the world’s largest brands like Deloitte and Fujitsu safe.
The coronavirus outbreak has brought with it many concerns for businesses, cyber security being a major topic of discussion since the adoption of mass home working. Many suggest that cyber threats have become more advanced since lockdown; however, CIOs and CISOs across the globe say that the threat is technically no greater than it was before the coronavirus outbreak.
What has changed is how seriously organisations are taking those threats. Haroon speculates that the uncertainty caused by the pandemic, together with the subsequent changes to behaviour and hypervigilance, is actually what causes the increase in cyber attacks.
During our discussion, it became clear that many of the “evolving threats” are mostly misconceptions that can be avoided or prevented through a change in mindset and overall better understanding of front-line cyber security. Haroon contextualises these perceived threats and looks at ways businesses can protect themselves…
The remote working threat
Remote working has been relied on heavily for business continuity, and with that the risk of being targeted by cyber criminals has increased. Thrust out of the safety nest of closed networks and firewalls, many have fallen foul of cyber attacks since lockdown – from the milder but ever-changing phishing scams, to much more severe malware attacks.
Haroon notes that it isn’t working from home itself that is the issue, but rather the speed at which that national transformation was made, paired with the fact that many organisations hadn’t yet embedded a remote-working, and therefore more cyber-aware, culture.
He stresses that this isn’t down to the threat becoming greater per se, it’s actually more likely to be down to a lack of knowledge on a personal risk level. For example, many people have had to get to grips with unfamiliar systems or devices in a matter of days and all without the in-person IT support they’re accustomed to.
Education is key
According to Haroon, one of the most important tactics any organisation can employ is to make their people the first line of defence. After all, you could have the best threat detection and security systems in the world, but if your people aren’t cyber-aware, hackers can still get in by playing on our collective vulnerabilities during the pandemic.
Taking a board-down approach to cyber awareness is a great way to instil that knowledge across your organisation, whatever its size. The common cyber-crime tactic of ‘social engineering’, which singles out individuals to extract sensitive information, can’t be something CIOs and CISOs tackle in isolation; it’s a team effort.
It’s never too late to implement training for your team on how to stay safe while working remotely, including those on the executive board, to keep cyber security at the front of mind rather than being treated as an afterthought. Haroon stresses that often, it takes a breach to occur for businesses to take information security as seriously as they should – by which point you’ve potentially already lost revenue or, even worse, reputation.
So, CIOs and CISOs can invigorate their cyber security operation by “translating” what the protocols in place mean for the wider business and what their impact is. Be it in terms of brand and reputation for your marketing and operations teams, or business risk for your finance and compliance teams – understanding how a breach could affect them is the first step to having a solid strategy in place.
Don’t forget the basics
At a time when organisations are seeking to trim their spending wherever possible, CISOs and CIOs are having to make difficult choices around their systems. While you may be tempted to hang on to those advanced AI systems, Haroon stresses that whatever the case, your basic cyber security building blocks such as patching or identity and access management must be protected at all times.
Those foundations of a really secure business can actually be all you need if they’re done correctly, so take the time to ensure the continuity of those fundamentals of cyber security.
Building cyber resilience
There has been a stark increase in phishing attacks since lockdown, not because they’ve necessarily become more forceful in their approach, but more because the lures being used are cleverly linked to the workforce’s collective psyche. They prey on our concerns about health and safety or curiosity around pandemic threat levels – this is where resilience needs to come into play.
We’re all feeling the stress and worry about how the coronavirus situation is unfolding, and that creates cracks in our resolve. Unfortunately, these gaps are being infiltrated by faux promises of rapid delivery facemasks or updates on government initiatives. If we’re weakened to these messages and cave in each time they are used, all of that budget allocated to cyber security is wasted.
The antidote, according to Haroon, is not to become 100% hackproof overnight but to focus more on resilience as a team to threats. When you’re working in the office, reminders on how to protect yourself and the business are everywhere and it becomes much more of a cultural mindset. While working from home, these good house-keeping cyber security processes can easily be forgotten about.
Haroon references a sobering quote from revered American cryptographer, Bruce Schneier, that reveals how, ultimately, amateur cyber criminals will attack machines whereas professionals attack people.
If your teams, at all levels, are keenly aware of the risks, their impact and when to flag a suspicious email or call – your security teams will be able to focus on a longer term strategy rather than fighting fires on the perimeter of your organisation.
If you’d like more information on how your business can become more cyber resilient during the pandemic and beyond, get in touch with Haroon directly or let myself, Rob Taylor, know and I’d be delighted to set up a call.