We are living through a transformation of the cybersecurity paradigm caused by the notorious events of 2020. Changes in work mode and communication format within the corporate environment have induced new trends in hacker attacks. What lessons should we take with us into 2021?
It is time to change
Self-isolation gave security guys plenty of both unpleasant surprises and useful insights. Let's start with the increased risk of human error. When working from home, office employees feel rather relaxed, safe and secure, become less focused and tend to get distracted by irrelevant matters. Eventually, more employees end up as victims of phishing attacks, disclose confidential information, and download attachments without checking them properly.
There is more to it: many employees use personal laptops for work instead of corporate devices protected from hacking. Virtual Data Rooms (VDRs) are not yet in common use at every company to ensure data security. Hence, hackers win by accessing sensitive data.
Another disturbing factor to consider is the inadequate attention paid to data security. According to PwC's Workforce Pulse Survey, only 22% are very worried about personal financial loss from an attack, and just 15% say they're very worried about their emails being exposed. Nearly 70% of CISOs and CIOs say they increased security training as a result of COVID-19. In contrast, only 30% of employees say their employer offered training on the dos and don'ts of protecting company and personal digital assets, data and information. In addition, employees fear retribution if they raise a security risk.
Working from home will last indefinitely, so companies have either switched their employees to remote work or have been considering a hybrid model combining both online and offline office hours. All these factors show that it's time to take a new cybersecurity approach, because traditional strategies are becoming ineffective.
Setting expectations too high: why the protocol didn't work
Now, let's move on to the exciting insights that clear the way to vigorous action. First, the COVID-19 situation put the person in the spotlight of analysis and made experts focus on human nature and its impact on processes. Second, many businesses had to rethink their values, and so arrived at a greater commitment to developing better and more efficient strategies for the coming year, given the established trends. All in all, we observe cybersecurity taking a new turn on a global scale, shifting to a human-centered model in which knowledge of individual and psychological responses is essential to counter cyber attacks. The traditional approach to cybersecurity assumes that a person in a critical situation still has enough knowledge about risks to make decisions and keeps a cool head to tell a phishing attack from a business call.
Sounds good, doesn't work. Critical errors are often caused by a poor understanding of cybersecurity protocols, user-unfriendly and hostile interfaces, and a lack of information security knowledge and relevant reference materials. Even the working environment affects security: an employee might be exhausted or overloaded with work. Therefore, to establish a proper strategy, you need a thorough understanding of human psychology and the behavior patterns that influence employee decisions in a critical situation.
Being a good listener helps you stay aware of employees' morale, which is a key factor in the successful implementation of any IS strategy, because employees well versed in cybersecurity will be immune to any malicious psychological manipulation. Watch and learn your employees' behavior, collect data, run surveys, and raise awareness of information security risks among your employees.
Remember that we are always here to support your initiatives with our solutions and services. Want to see how your employees will respond to an attack? We can simulate one through Red Teaming and reveal weak spots in security. Want to train your employees? We can provide a consultation. If you are interested in developing your corporate cybersecurity, please feel free to email us at email@example.com or call +973 772 888 86.