The notion of constructing a strong security culture within and throughout an organisation has been advocated for time and again, calling not simply for cyber security to be at the forefront of the board’s agenda, but also on the minds of every single employee and partner in the supply chain. As the world has begun to transition into a new era of remote working, it is as pertinent now, perhaps even more so, as it was then.
Over the course of the last few months, it would appear that the news has been dominated by two central subjects: the pandemic itself, as well as the rise of cyber threats and attacks that have followed suit. It is clear that the commotion of the pandemic and the work arrangement reshuffle has inspired a flurry of bad actors to emerge from the woodwork and amplify their criminal efforts to scam, pilfer and infect people and their devices.
Indeed, the very fact that the majority of cyber criminals are leveraging the familiar, age-old tactic of phishing, rather than devising a brand-new strain of malware, is telling of what, or who, the ‘weakest link’ is. As a former CISO of a renowned intelligence agency once told me, “The most dangerous cyber security vulnerability is the carbon-based life-form.” Technologies are constantly evolving and security teams work diligently to apply security patches efficiently. Humans, on the other hand, are a consistent vulnerability and much tougher to ‘patch’. Their actions are unpredictable and cannot be controlled with the touch of a button. For this reason, attackers are likely to exploit the human rather than mount a frontal assault on the technology.
Fortunately, firms have recognised this and have improved certain processes, including software development, to protect products from human error. Developers are pivotal in facilitating synergy between man and machine. It is through software and lines of code that pacemakers, power grids and even national elections run smoothly. Regrettably, it also means that the stakes are exceptionally high should they be compromised by an attacker. As a result, plugins have been made available for Integrated Development Environments which assist in inspecting the code for vulnerabilities before it goes live. Moreover, developers are encouraged to use these opportunities to educate themselves and learn from their mistakes so that they are not repeated.
This education should not, however, be limited to developers but extend across the organisation. Employees, regardless of their level of access or role, need to realise that their devices are all potential entry points through which criminals can penetrate, and eventually navigate through, the corporate network. As such, they need to be aware not only of their responsibility, but of existing threats, how they are evolving and how to manage them. Any and all data breaches should be regarded with the same gravity, for it may be that seemingly ‘inconsequential’ piece of data that leads an attacker to the motherlode.
In the office, employees may have been regularly reminded of their security responsibilities. Whether through the act of badging into the building or simply through posters on the wall, employees are bombarded with both subconscious and conscious cues. Yet at home, where we typically feel most comfortable, the tendency may be to let our guard down on both security and data protection. Indeed, whilst working remotely, the temptation to interchange and merge personal and corporate data, as well as devices, is heightened. Add to that the stream of newly adopted technology such as Zoom and Slack, and the risks are ever-growing. As we have seen, Zoom has found itself in the midst of numerous security and privacy controversies, leading to the introduction of the term ‘Zoom Bombing’ into our vocabulary and, consequently, requiring employees to learn how to configure their settings appropriately.
Beyond employees, vendors and partners of the business should not be neglected. Their security strategy is also deeply intertwined with your own. Therefore, it is crucial that every effort is made to understand what has been done on their end to safeguard your data and systems.
All in all, more than the tools and technology, security is rooted in the awareness and accountability of employees and supply chain partners. Alongside this is the need for continuous education when it comes to identifying and managing threats. Cyber criminals are unremitting and only see this new circumstance as an opportunity to ramp up their attacks. As such, organisations need to be proactive and remind every individual that their actions are a crucial piece of the puzzle. Without their cooperation, organisations can never really be cyber safe.
Author: Jim Ivers, VP at Synopsys Software Integrity Group