People – your first line of defence in the war on cybercrime
Mobilising human resources is essential in the fight against cybercrime.
Cyber criminals are preying on employees
The UK Government’s Cyber Security Breaches Survey 2020^ found that businesses experiencing a cyber breach or attack due to virus or malware fell from 33% in 2017 to 16% in 2020, but it noted a significant increase in the number of businesses experiencing so called phishing attacks.
These attacks typically involve the cyber-criminal attempting to trick the user into divulging sensitive information (such as passwords) or clicking a bad link, allowing the criminal to access an organisation’s network.
“Phishing is the most common type of attack we see,” says Lee Fitzgerald, Director of Fraud Risk Strategy at Barclays International.
Even if the ultimate target is an organisation, people are the vector that cybercriminals are increasingly using as a way in – and the fact that this is a growing line of attack means that it works.
The success of the attack relies on the targeted individual taking action, so to an extent, it’s the ultimate leveller. No matter how large or sophisticated your business and how up to date your IT security is, if your employees are not part of a holistic approach to cybersecurity, it’s a significant risk.
Disruption increases risk
Over the past year, the pandemic and the steps required to control it have created a rich environment for cybercriminal activity. National lockdowns have seen growing numbers of people working from home – and certainly in the case of the first lockdown in March 2020, with very little notice.
“Businesses had to adapt very quickly,” says Fitzgerald. “Technology was a huge benefit in enabling businesses to do that, but it also increased the risk. Employees had to use home WiFi, which may have been unsecured, many will have been required to use their own devices to access central networks, and processes may have had to change to keep business moving.
On top of that, when people aren’t in their usual work environment, but working from home, they’re more likely to let their guard down or be distracted, nor are there the usual reminders about cybersecurity like office posters, and that can make it more likely that they’ll open an email or click on a link than perhaps would be the case normally.”
In its review of the impact of Covid-19 on cybercrime, Interpol found^ that the increase in businesses deploying new systems and networks to support a switch to working from home presented an opportunity for criminals to take advantage of.
The review suggests that two-thirds of member countries reported cybercriminals using Covid-19 themes to conduct phishing attacks. “Cybercriminals will use any avenue to entice people to open an email or click a link,” says Fitzgerald. “Pre-Covid-19, we often saw emails purporting to be from HMRC or relating to a travel booking. With the heightened sense of awareness around Covid-19, we’re seeing phishing attacks using Covid testing or vaccination as a hook.”
The cost of cybercrime
The growth in attacks has led to a similar increase in the cost of cybercrime. Internet security provider, McAfee^, estimates that the global cost of cybercrime has increased by 50% over the past two years and is now more than $1 trillion. Costs are both direct – in terms of losses paid out in ransomware, or through fraud, regulatory fines or recompense – and indirect, such as loss of income if production or payments are compromised, staff time on dealing with the attack, reputational impact or the opportunity loss of missed sales.
There’s also, says Fitzgerald, a human cost. “In addition to the impact on a business’ ability to trade which may directly affect human resource requirements, for the individual responsible for clicking on that link, the mental health consequences can be huge. With increasing focus on employee wellbeing, that also needs to be considered.”
So what can businesses do to ensure their people are a robust defence against cybercrime rather than a back door into the organisation?
Mobilising the human resource
“Education is key,” says Fitzgerald. “You wouldn’t expect people to drive safely without a driving test, so don’t entrust your company or customer data team to without proper training.” Refreshing that training is also important, to make sure that awareness is front of mind and to keep on top of evolving threats.
In the face of further or ongoing disruption and businesses needing to adapt, it’s important to maintain a focus on cyber-security frameworks to understand which areas might be challenged as circumstances change, and to take the opportunity to shore those up.
If any change to internal protocols is needed, it’s important to go through some form of check and challenge to confirm that processes remain robust,” says Fitzgerald. “In particular, businesses should look at controls around paying out funds – segregating duties and making multi-factor authentication part of the process, for example, can help reduce risk.
Making it clear that cybersecurity is everyone’s responsibility rather than just something devolved to IT is also vital. Strong leadership and an open culture can make it easier for people to speak up, own any mistakes early and understand their role in protecting the business. It can also help businesses spread best practice and the latest information, as well as prepare an attack-response to mitigate the impact of any breach. But the key really is keeping cybersecurity front of mind.
“Closing down the opportunity for cybercriminals to attack your business through your people doesn’t necessarily rely on financial resources – although you can hire external specialists, carry out workshops and set-up tests, of course – what it does need is internal engagement, education awareness and training and constant repetition of the key messages,” says Fitzgerald. “That will equip your business with its strongest defence against opportunistic cybercrime.”
Equipping your employees in the fight against cybercrime
Create a programme of ongoing education and training to ensure staff understand how cybercrime works and what they can and should do to protect themselves and your business.
Keep on top of evolving threats and communicate that throughout the business. Barclays offers regular webinars that can help as part of your awareness programme. Make sure your processes are robust and that any changes have been accounted for and staff informed of new requirements, for example, multi-factor authentication.
Build a culture of openness where people aren’t afraid to speak up (and there are mechanisms to enable that) and where cybersecurity is seen as a collective responsibility.
Regularly update anti-virus software and install any patches immediately when notified.
Review and, if necessary, strengthen policies around use of personal devices, password strength and so on.
Make it clear what steps employees should take if they feel that they may have fallen victim to a cyber-attack – this can help a faster response and potentially reduce exposure.
Consider your overall security systems, for example, using VPN for secure network access, or DMARC to protect against email spoofing.
Read related insights
What is Phishing?
Phishing is an email-based fraud, and is a form of social engineering. Find out how to protect your company from phishing.
Quarterly Fraud Webinar
Listen to our quarterly webinar to discover the latest insights into fraud and how you can protect yourself and your business.
Fraud trends targeting your business in 2021
Fraud is on the rise, but what are the trends that businesses need to look out for and how can they protect themselves? We talk to experts from the Fraud Advisory Panel to find out more.