Cybersecurity: the human factor. 

There is no doubt that we are living in an era of cyber threats and that, despite the best efforts to mitigate cyber vulnerabilities, breaches still occur.   

When it comes to protecting your workplace from a potential breach, your first thought may be to strengthen your network security to protect from cyber criminals attempting to hack into your organisation.   However, it will often be more efficient to start with your employees.  The shocking fact is that nearly 900,000 phishing attacks took place – a 23% increase over Q3 2021 and over three times that of Q1 2020(1). 

Contrary to popular belief, hackers and cyber criminals do not exclusively target gaps in software equipment and hardware; they also target users.  Unlike a well-designed software package, we humans are fallible: we get stressed, we get distracted, we make assumptions, we click on that link without giving it a second thought.   

Update – or create – your Information Security Awareness Plan. 

At work, many employees are simply unaware of the risks of falling prey to a phishing scam, or they may be unsure of what they should avoid doing, or what action to take if they suspect they have fallen prey to hackers.  Keeping employees updated and informed will go a long way towards keeping an organisation more secure. 

Key to keeping employees cyber-security aware, and your business cyber secure, is to develop an Information Security Awareness Plan.  This plan, which should be appropriate for your company’s size, sector and budget, will detail the formal requirements for training all users of potential cyber security threats and how to avoid common situations and human errors which may put company data at risk. 

The scope of the training requirements will vary across the business.  All employees will gain from general cyber security awareness, regular refreshers of company policies and procedures, and hands-on phishing simulations.  A phishing simulation is an email which appears genuine, but which contains some of the tell-tale signs of a scammer, such as suspect links or spelling mistakes. These simulations are equivalent to the role plays of soft skills training; dreaded but effective.  We learn fastest, and remember longest, by doing rather than listening or reading, and cyber security training is no exception. 

Plan for the worst 

For many businesses cyber-attacks can be categorised as high likelihood, high impact.  This means that even medium-sized organisations need robust plans in place to ensure any cyber breach is quickly contained and business continuity ensured with minimum disruption.   Specific plans are recommended to address different scenarios, each with clear processes alongside the roles and responsibilities of each team member: 

1. Business continuity plan 
   This prioritises the essential functions of your business, which systems must be maintained, and how this can be achieved. 
2. Disaster recovery plan 
   This plan focusses on restoring any lost data from back-up systems. 
    
3. Crisis management plan 
   A detailed approach to communications, both internal and external, depending on the scenario: who needs to be told what, how, when and by whom. 

Such plans need time, people and money, all of which are limited resources so putting a disaster recovery plan in place will involve strategic decisions as to what level of resources to commit.  

The execution of disaster recovery or crisis management plans depends upon the effective leadership and facilitation of the team that owns the plans. In a crisis, senior management needs to demonstrate complete ownership and confidence in the recovery process. This requires preparation and absolute knowledge of the procedures in place, key employees need to participate in cyber crisis war gaming and simulations. 

Implement an Information Security Management System (ISMS) 

An ISMS provides a systematic approach to managing an organisation’s information security.  It contains procedures and controls to meet the three main objectives of information security:  

1. Confidentiality: ensuring data is only accessed by authorised people.  

2. Integrity: ensuring data remains accurate and complete.  

3. Availability: ensuring data can be accessed easily whenever required.  

There is continuous increased pressure on organisations to develop higher information security standards and ISMS are the best way to meet these standards. Companies with complex supply networks are under the most strain, however an ISMS makes sense for all companies, regardless of industry and size. 

(1) https://blog.knowbe4.com/number-of-phishing-attacks-hits-an-all-time-high-in-2021-tripling-that-of-early-2020