'Don't make it a dry, typical security presentation — throw a little humour in there and make it a fun game'
With the pandemic seeing many workers log into corporate networks from home, employers are seeing a sharp rise in cyber attacks.
Seventy-three per cent of Canadian IT departments reported an increase in the number of employees opening malicious links or attachments in emails over the past year, according to an HP survey of 8,443 adults in seven countries in March and another 1,100 IT decision-makers in the same countries in April.
“What jumped out at me the most was the number of endpoint attacks that are happening now and the fact that it has increased so dramatically from before the pandemic,” says Michael Howard, head of security and analytics practice at HP in Weld County, Colo.
“I’m not surprised by it, but it certainly jumped out at me and some of the comments that I get from people: ‘I’m behind a firewall, I’m safe and secure,’ those days are over.”
Ninety per cent of all breaches that are happening today — according to the NSA [National Security Agency] — are coming from user or human error, he says.
“It’s curiosity, it’s clicking on links and not educating [employees] enough on not to click on those links.”
And over the last couple of years, phishing emails have become much more sophisticated, says Howard.
“I think [hackers have] actually hired writers that help them clean it up because it used to be you can send one over to me and I can tell you very quickly if it’s real or not; you can’t do that anymore. Both from a business perspective and a personal life perspective, [cybersecurity is about] making sure that people not only trust but verify. We tend to as humans trust, but we need to verify, verify, verify.”
Howard spoke with Canadian HR Reporter to provide five tips on cyber security.
Assess, extend, educate
Number one, it’s critically important to assess your environment. And with people working from home, employers should do security assessments, making sure to assess each and every endpoint, he says.
“What’s on your network? What’s current as far as firmware? What software’s being run out there? The print devices, how are they being secured and controlled?”
Number two, employers should work with vendors who provide tools that “start extending that capability and bringing that monitoring and management back into view,” says Howard.
Number three involves education.
“Everybody has a responsibility in cybersecurity now; it’s not just the cybersecurity teams. Every organization should be educating every employee and not doing it with a carrot-and-a-stick approach but doing it [by] rewarding for good behaviour and educating for bad behaviour — but not in a negative way,” he says.
“If [they] don’t click on the link, you reward employees; if [they] do click on the link, you don’t penalize them, you just say, ‘Hey, you did this and so now let’s go through and let’s do a little more education on it and help you out.’”
And to be successful, the training should be fun, he says.
“Don’t make it a dry, typical security presentation — you throw a little humour in there and you make it a fun game… I always tell people: ‘My goal is to make security sexy.’ That’s a hard thing to do but that’s what your goal is, to try and get people to get it.”
While cyber crime is rampant these days, nearly four in 10 Canadians say they don't receive any cybersecurity training at work, according to a recent survey.
Focus on home environment
A fourth tip for cyber security is figuring out how to segment networks at home, he says.
“How do you get all those dangerous IoT [internet of things] devices that are sitting in your home segmented away from business devices that you’re bringing into your organization? So [it’s about] really understanding how you educate employees on what they need to be doing around that.”
It’s also important to read the instructions on IoT devices being brought into homes, says Howard. “If it says, ‘Set up security,’ don’t bypass it; get it set up and get it put in place.”
Canadian HR Reporter also spoke with Mark Gaudet of the Canadian Internet Registration Authority (CIRA) in Ottawa about ways to enhance cybersecurity at home.
Lastly, organizations should consider buying enterprise-class devices for home that have the built-in security and depth for cyber resilience, says Howard.
“That’s become critically important. You can’t be putting the cheapest device at a home office anymore.”
Too many organizations aren’t pushing the same security controls to out-of-home offices as they do inside their corporate environment, he says.
“We need to see purchasing change so security for endpoints needs to be the number one buying decision and not cost. You need to be looking at devices that have cyber-resilience built in. We have all the right security, defence layers and depth built in [so] just start buying those for home offices like you would inside an office.”
“Updating firmware becomes much more difficult when you’re home, right, but firmware is where we fix security vulnerabilities, so putting a good firmware plan together becomes important as well,” says Howard.