Protection must blend human skill and technology, and cyber strategies for both need to be linked
Technology solves and creates problems, both mitigating and creating risks. It can drive productivity or hinder efficiency, defend attacks or lead to vulnerabilities. There is a human element to these issues, as the actions of those using the technology have an impact. ‘PICNIC' - problem in chair, not in computer - is often used to flippantly summarise this impact; however, it suggests that human and technology challenges are distinct. This is not the case.
Humans make mistakes, we are not flawless. Cybercriminals even exploit this humanity through phishing or social engineering attacks. While investing in effective and regular security training for all employees is vital, there needs to be technology in place to minimise the effects of and possibilities for human oversights. Organisations' human and technology cyber security challenges are inextricably linked. Therefore, the cyber security strategies for both need to be linked.
Computing's latest research in this area, conducted in partnership with Intel, reveals how IT leaders are addressing endpoint hardware and remote manageability in the context of their modern cyber security strategies.
Evolving cyber crime
Cyber-attacks are becoming more frequent and more sophisticated. The nature of attacks has changed in the past few years, increasingly aiming at below-the-OS levels by targeting inherent flaws within hardware, the BIOS, and firmware. GCHQ reported a doubling of ransomware attacks on UK institutions last year, while 65 per cent of survey respondents from Computing's research experienced up to 10 cyber security incidents per week.
Attackers often migrate laterally through networks, seeking out and retrieving backups before they are detected. This gives the attackers maximum leverage, exfiltrating data alongside encryption, to then publish or sell data, further reducing the victim's ability to fight back.
64 per cent of respondents say they expect incidents to continue increasing, yet, the entire cohort rate their confidence in their endpoint security an average of 7 out of 10. This reveals weak endpoint security in a time of progressive cyber-attacks.
Computing research from the past two years demonstrates organisations are consistently worried about security outside the work network perimeter. A huge concern reported by IT leaders surrounds newly minted remote workers and what that means for cyber security on both a personal and conglomerate level.
According to Computing's latest research in the area, the greatest enterprise security threats are phishing and malware, the former often being the vehicle for the latter. 59 per cent of respondents said phishing was their greatest cyber security challenge, followed by 55 per cent reporting malware or ransomware.
Phishing weaponises our humanity - tapping into our kindnesses, curiosities, concerns, and fears. Remote working has meant isolated workers are far more vulnerable. Ordinarily, colleagues would turn to each other if they received a questionable email with a dubious link. Alone, in the home, the temptation may be to just ‘click it and see'. Being outside a corporate environment also impacts the probability of phishing success as employees have domestic distractions and, generally, a less guarded mindset within their own homes.
Organisations recognise that this cannot be entirely combatted by IT expertise. Seven per cent rated inadequate cyber security as the greatest cybersecurity challenge for their business, with 13 per cent expressing a lack of cyber security expertise in their IT departments. These low numbers demonstrate that expertise is in place, but not being transferred to employees. So, what can be done?
61 per cent of respondents said they conduct security awareness training between one and three times a year. Three per cent admitted their employees had never received such training and 39 per cent said it occurred annually. However, these findings cannot reveal the extent or nature of the training. Do they offer in-person training with a chance to engage with the experts and ask questions? Is it a fixed question assessment with a minimum pass rate? Barely more than a quarter said they were completely happy with employee security training at their organisation, highlighting widespread ‘people' vulnerabilities.
The importance of capable hardware
No organisation can completely rely on their employees to never make security mistakes. Having below-the-OS cybersecurity capabilities for endpoint devices is crucial considering the sophistication, spread, and ruthlessness of attacks. 83 per cent agreed either somewhat or strongly that "the most effective user device security strategies combine software, hardware, and cyber risk training."
Having built-in, hardware-level security on a reliable, stable platform can blend technology and supplementary training to reduce overall risks. Hardware-enhanced security features, including below-the-OS security, such as BIOS protection through to advanced threat detection, can help protect against and prevent cyber-attacks.
To learn more about Computing's latest research into interconnected human and technology impacts on cyber security, read the full report
This article is sponsored by Intel