07 Apr 2022
As cyber criminals become increasingly sophisticated, professional and resourceful, organisations must extend their lines of defence beyond technical controls and crisis response plans to their people.
Unfortunately, the crucial people component is not always fully considered; security can be seen as simply a technology problem, and there is often substantial under-investment in educating employees about their role in securing the organisation.
The level of resourcefulness shown by cyber criminal groups needs to be matched by organisations in their response to cyber attacks. Ensuring that employees fully understand and demonstrate the right security behaviours is key to reducing the efficacy of a potential cyber attack.
Cyber attackers consider every possible vulnerability when trying to gain access to an organisation, and they often see people as a weak link. Taking human-operated ransomware as an example, there are key points on the typical attack path where successful deployment of the ransomware relies on human error or on people-related vulnerabilities. That’s why it’s important that employees demonstrate certain security behaviours to help counter the threat of ransomware and other cyber attacks.
An effective security culture is broader than just tick-box activities, yet the existing activities used to manage the people component of security are often not effective in supporting this type of cyber risk reduction.
Firstly, the attack is often based on successful reconnaissance by criminals, who gather information from open social media profiles or other websites that can then be used in social engineering or phishing attacks. Phishing of employees using this information is then carried out to deploy malware to workstations.
Vulnerabilities in internet-facing services are exploited next; these services can often be attributed to the use of shadow IT. Privileged accounts are then compromised by exploiting common IT and Active Directory (AD) hygiene issues, including poor password behaviours. Lateral movement, data exfiltration and the deployment of ransomware as widely as possible are then more likely to succeed if employees are not aware of what suspicious behaviour can look like, or of the correct reporting processes.
Help your people to be more secure and not to over-post on social media. As well as training and awareness, hold drop-in sessions where staff can get hands-on practical advice and tips.
Ensure you are supporting your people to identify and report phishing. Don't just try to catch them out with simulations and blame them for a high click rate.
We have seen an increase in shadow IT with remote working. There are often reasons people use shadow IT - such as a workaround to help them do their job faster - so speak to your people, identify why they are doing this and help them find secure alternatives.
People often have too many passwords to remember. Reduce the number of passwords where possible by encouraging use of passphrases, secure password managers and enabling Multi-Factor Authentication (MFA) on key accounts.
Often people are not sure what to report, or how. Help them understand what to look out for, and make it easy for them to ask questions and report concerns.
Many things influence behaviour, and emphasis must be placed on understanding what’s driving current behaviour across your employees. Use this information to design activities and interventions that will make a difference, rather than relying on false assumptions.
Interventions that can improve awareness of cyber threats and encourage the right behaviours will help build an effective security culture and create a stronger, more resilient organisation.
Get in touch with the PwC security culture team to find out how we can help you understand security behaviours and improve security culture at your organisation.
Risk and Resilience Partner, PwC United Kingdom