Building a cybersecure ethos within your business takes dedication, time and your people. Your staff are and will remain the first line of attack and first line of defence.
In every business there are 3 broad descriptors of employees when it comes to cyber security:
Just amazing
Just don’t know
Just don’t care
Those that are ‘just amazing’ read the policies, undergo the training and take heed of what they should be doing.
Those that ‘just don’t know’ read the policies, undergo the training and try to take heed of what is said, but find applying the knowledge in the real world difficult.
Those that ‘just don’t care’ say they have read the policies, click through the training, and pay no attention to the advice and guidance provided.
Why is this important? Because, unfortunately, your defences need to be designed to allow for the Don’t Knows and the Don’t Cares.
To put this into some sort of context:
Nearly half of breaches during the first six months of 2022 involved stolen credentials.
To extract these credentials, the attackers mainly use phishing techniques.
3.4 billion phishing emails are sent daily which means approximately 1 in every 99 emails is a phishing email.
Let us also take another view.
Humans are (generally) lazy, and hackers are human. A hacker will (like most people in their workplace) achieve their goals as quickly and easily as possible. In a hacker’s world, why would you hack through a firewall when someone’s credentials will give you authorised access?
How does this relate to your 3 types of employees and cyber security?
Of your 3 types, “39% said that they were ‘highly likely’ to report a potential cybersecurity incident, 42% said that they would not know if they had caused an incident or be able to recognise one, and 25% simply said that they do not care about cybersecurity and could not be bothered”.
In a 1000 employee business you have approximately 600 of your staff not knowing or not caring about cybersecurity.
That is a statistic that plays well into the hacker’s hands.
Marry that with the 1 in 99 phishing emails sent per day. If we assume the average employee receives 121 emails a day, across our example business we have 600 possible near-miss cybersecurity incidents daily.
Let us not forget the other common (and easy) method hackers love: the credential. Out of your 1000 employees, there is the potential that 600 staff reuse passwords across multiple accounts. You guessed it: this reuse crosses between personal and professional accounts. The sale of stolen credentials on the deep/dark web is well established, and some of the most recent breaches have occurred through previously stolen credentials being used.
So, what to do about it?
2tela (and other security practitioners) will say that, as a business, you need a multi-layered solution (defence in depth) that combines advanced Endpoint Detection and Response capability, Data Loss Prevention capability, email security, vulnerability and patch management, Remote Monitoring and Management, and backup capabilities, all in place.
These tools are good for real-time detection of things knocking on your door, but they are not the only tools in your toolbox.
Threat intelligence, or looking beyond the firewall, now plays a critical part in cyber defence. Knowing when an employee’s login credentials are part of a third-party breached dataset means you can stop the access before it is too late. Knowing when a domain name almost identical to yours is registered can indicate the start of a phishing campaign against you.
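The lookalike-domain check described above can be automated with a small triage script run over a feed of newly registered domains (for example, names pulled from certificate transparency logs or zone files). The following is an added example and is not 2tela’s tooling; the registration feed, the brand domain example.com, the homoglyph table and the distance threshold are all constructed for illustration. It flags three kinds of lookalike: the brand label under a different suffix, digit-for-letter and similar substitutions (examp1e), and typosquats within a small edit distance or with the brand embedded in a longer label.

```python
"""Flag newly registered domains that resemble a brand's domain.

Added example (not 2tela's tooling). The registration feed, the brand
domain and the confusable-character table below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Substitutions attackers commonly use to imitate a name (constructed, partial).
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",            # multi-character confusables
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}


def normalise(label: str) -> str:
    """Collapse confusable characters so 'examp1e' compares equal to 'example'."""
    out = label.lower()
    # Apply the two-character confusables first so 'rn' becomes 'm' before '1' becomes 'l'.
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(src, dst)
    return out.replace("-", "")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, suffix). Simplified: handles 'x.tld' and 'x.co.uk'-style names,
    not the full public suffix list."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


@dataclass
class Finding:
    domain: str
    reason: str
    distance: int


def assess(candidate: str, brand_domain: str, max_distance: int = 2) -> Optional[Finding]:
    """Classify one registration against the brand domain; None means no resemblance found."""
    brand_label, brand_suffix = split_domain(brand_domain)
    brand_norm = normalise(brand_label)
    label, suffix = split_domain(candidate)
    if label == brand_label and suffix == brand_suffix:
        return None  # our own domain (or a subdomain of it)
    norm = normalise(label)
    if label == brand_label:
        return Finding(candidate, "same label, different suffix", 0)
    if norm == brand_norm:
        return Finding(candidate, "homoglyph substitution", 0)
    dist = damerau_levenshtein(norm, brand_norm)
    if dist <= max_distance:
        return Finding(candidate, "typosquat (edit distance)", dist)
    extra = len(norm) - len(brand_norm)
    if brand_norm in norm and extra <= 8:
        return Finding(candidate, "brand label embedded", extra)
    return None


def scan(feed: List[str], brand_domain: str) -> List[Finding]:
    """Run assess() over a registration feed and keep only the hits."""
    return [f for f in (assess(d, brand_domain) for d in feed) if f is not None]


# Constructed sample feed standing in for a day's new registrations.
NEW_REGISTRATIONS = [
    "example.com",        # our own domain: ignored
    "examp1e.com",        # digit 1 for letter l
    "exmaple.com",        # transposed characters
    "example.co",         # same label, different suffix
    "example-login.net",  # brand embedded in a longer label
    "weather.com",        # unrelated
    "exampel.co.uk",      # transposition under a two-part suffix
]

if __name__ == "__main__":
    for finding in scan(NEW_REGISTRATIONS, "example.com"):
        print(f"{finding.domain:20} {finding.reason} (distance {finding.distance})")
```

The edit-distance threshold is the main tuning knob: 2 is reasonable for a seven-character label, but short brand names need 1 or the scan will flag every similar dictionary word, and the confusable table should be pruned to the substitutions actually seen against your brand, since a rule like "cl" to "d" will also rewrite legitimate labels. Findings are only a trigger for review (who registered it, does it serve a login page, does it send mail), not proof of a campaign.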
2tela Threat Intelligence services can help you protect against threats by monitoring what is known about your business, your staff and your data in places where it should not be.
Contact 2tela to find out more.
2tela provide affordable and effective cyber security – ranging from specialised consultancy to market-leading managed services – designed to protect UK businesses from all threats.
2tela cannot guarantee the safety or accuracy of any external links to other websites and urges readers to take all appropriate precautions.