In many parts of the Western world, October is officially designated as Cybersecurity Awareness Month. On both sides of the Atlantic, organisations are working together to raise the profile of the importance of the issue for both consumers and businesses.
But what does that mean, exactly, and how does it translate on the ground?
In Europe, European Cybersecurity Awareness Month (ECSM) is run by the European Union Agency for Cybersecurity (ENISA) and aims to bring together partners from academia, to public and private sector organisations – acting as a hub for enabling a conversation on the importance of cyber security.
In the US, it is when the Department of Homeland Security works with the National Cyber Security Alliance to provide resources that help Americans stay safer online.
Both are worthy initiatives aimed at one thing: cybersecurity awareness. It is a broad aim, but a vital one, because it makes attackers work harder to achieve their ends.
Ultimately, attackers still prey on the opposite of awareness: uncertainty and a lack of knowledge.
The importance of Cybersecurity Awareness Month
People remain the largest vulnerability in any organisation's security ecosystem. Unlike automated controls, they are unpredictable, and any 'fix' applied to them does not scale: training decays quickly as people forget what they were taught, so it has to be repeated.
This is why cyber security awareness programs are important. They serve as a crucial reminder to people of the inherent risk of being online in an age where attackers are continually developing ever more creative and nefarious ways of exploiting them.
For employees of large organisations, that risk breaks down into several contemporary factors.
The first, and the largest change since Cybersecurity Awareness Month began, is the growing exposure created by the cloud. Cloud applications such as Office 365, Slack and other collaborative working tools have become essential in the age of mass remote working, but they also increase risk by removing the perimeter protections of old.
This means an enormous amount of sensitive data now resides not on-premises but behind an internet-facing login, reachable from anywhere by anyone holding valid credentials. A stolen password gives an attacker the same access as the employee, without ever touching the corporate network.
Awareness matters when using such tools because people tend to assume the rules have not changed since the days of on-premises solutions, which makes them more prone to errors and more susceptible to social engineering attacks.
Second is raising employees' awareness of the perils of the blended work/home environment that many now find themselves in.
Outside the perimeter, logging into accounting systems in one tab while shopping in another, people need a continual reminder that work data must be treated with greater scrutiny.
This informal mind-set can present a raft of problems, from people visiting websites that they shouldn’t while at home and becoming infected with malware, to reusing passwords across enterprise and consumer applications.
Creating awareness around this issue, and reinforcing it as often as possible, can help shift the mind-set back towards giving them ownership of their own security.
Finally, the age-old problem of phishing is one that cannot be solved without greater awareness. Without education, people do not question the content of emails, which, in an age of increasingly sophisticated Business Email Compromise (BEC) attacks, can lead to significant financial damage.
How can technology overcome weakness in cyber security awareness?
Awareness is a big part of solving the cyber security conundrum for organisations, both large and small.
Strategically, it is tied to the one thing CISOs want to achieve: a culture of security throughout the estate they govern. This slightly ethereal term essentially means ensuring people are conscious, on an ongoing basis, of the role they play in creating a more secure organisation. Empowering people in this way can substantially reduce the threat from human vulnerability.
Technical countermeasures can also help mitigate the threats highlighted above. The risk from cloud applications and services can be reduced by deploying a modern cloud access security broker (CASB).
Built specifically to monitor, and provide controls around, the actions people take inside such platforms, a CASB automates the enforcement of policy and so provides protection at scale. Policies can be set at a granular level, giving tailored controls over who may perform certain actions, when, and from what kind of device.
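To make the "who, when and how" of such policies concrete, the following is an added example, not code from the original page or from any CASB product. It is a deliberately small policy engine that evaluates cloud-app audit events against ordered rules; the roles, data labels, partner domains, office hours and the sample events themselves are all hypothetical and constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Tuple

# A small CASB-style policy engine (illustrative, not a product's code).
# Rules are evaluated top-down and the first match decides; anything
# unmatched is allowed. All names, labels and thresholds are hypothetical.

@dataclass(frozen=True)
class Event:
    user: str
    role: str             # who: e.g. "finance", "engineering", "contractor"
    action: str           # what: "view", "download", "share_external"
    label: str            # classification of the resource acted on
    when: datetime        # when the action happened
    managed_device: bool  # how: corporate-managed endpoint or not
    share_target: str = ""  # recipient domain for share_external, else empty

OFFICE_HOURS = (time(8, 0), time(18, 0))
PARTNER_DOMAINS = {"partner.example"}  # hypothetical approved external domains

def in_office_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and OFFICE_HOURS[0] <= ts.time() < OFFICE_HOURS[1]

Rule = Tuple[str, Callable[[Event], bool], str]

RULES: List[Rule] = [
    # Confidential content may only be shared with approved partners.
    ("block-confidential-external-share",
     lambda e: e.action == "share_external"
               and e.label == "confidential"
               and e.share_target not in PARTNER_DOMAINS,
     "block"),
    # Sensitive data does not leave the tenant onto an unmanaged device.
    ("block-unmanaged-sensitive-download",
     lambda e: e.action == "download"
               and e.label in {"confidential", "restricted"}
               and not e.managed_device,
     "block"),
    # Contractors changing or exporting data out of hours are allowed but flagged.
    ("alert-contractor-out-of-hours",
     lambda e: e.role == "contractor"
               and e.action != "view"
               and not in_office_hours(e.when),
     "alert"),
]

def evaluate(event: Event) -> Tuple[str, str]:
    """Return (decision, rule_name); decision is allow, alert or block."""
    for name, matches, decision in RULES:
        if matches(event):
            return decision, name
    return "allow", "default-allow"

# Constructed sample audit events (not from a real tenant).
SAMPLE_EVENTS = [
    Event("alice", "finance", "share_external", "confidential",
          datetime(2021, 10, 5, 10, 0), True, "gmail.com"),
    Event("bob", "engineering", "download", "confidential",
          datetime(2021, 10, 5, 14, 0), False),
    Event("carol", "contractor", "download", "internal",
          datetime(2021, 10, 9, 23, 0), True),
    Event("dave", "finance", "share_external", "confidential",
          datetime(2021, 10, 5, 11, 0), True, "partner.example"),
    Event("erin", "engineering", "view", "restricted",
          datetime(2021, 10, 10, 2, 0), False),
]

def evaluate_all(events=SAMPLE_EVENTS) -> List[Tuple[str, str, str]]:
    """Evaluate each event and return (user, decision, rule) triples."""
    return [(e.user, *evaluate(e)) for e in events]

if __name__ == "__main__":
    for user, decision, rule in evaluate_all():
        print(f"{user:6} {decision:6} {rule}")
```

Rule order is itself policy: an event matching both a block rule and an alert rule is blocked because the block rule is listed first, and the default for unmatched events is allow, so every new class of sensitive action needs an explicit rule rather than relying on the engine to notice it.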
The risk presented by the hybrid work/home environment can be addressed by deploying a next-generation secure web gateway.
Such gateways block employees from reaching sites classified as dangerous, such as those hosting inappropriate content or malware. Deployed as an endpoint agent or at the network gateway, they filter out traffic the employee may not realise is malicious.
Finally, the greatest human awareness failing of all is the threat posed by email.
While education is a big part of the answer, a modern email security solution can help organisations protect themselves from both the most common and the most advanced email threats. Specialised email security solutions provide an additional layer of protection against advanced threats such as BEC and CEO fraud, which typically carry no malicious attachment or link and so slip past traditional filters.
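As an added example of what that additional layer checks (this is illustrative code written for this page, not any vendor's product), the following flags the classic BEC and CEO-fraud indicators in a single message: an executive's display name on an outside sender address, a typo-squatted lookalike of the company domain, a Reply-To that diverts replies elsewhere, and payment-urgency language. The company domain, the executive directory, the keyword list and the three sample messages are all hypothetical and constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Hypothetical organisation data used by the checks below.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}
PAYMENT_URGENCY = ("urgent", "wire transfer", "gift card", "bank details",
                   "before end of day")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def analyse(raw: str) -> List[str]:
    """Return the BEC indicators found in one RFC 5322 message, in check order."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. An executive's display name on a sender address outside the company.
    if from_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("display-name-impersonation")

    # 2. Sender domain one or two edits away from the company domain.
    if from_domain != COMPANY_DOMAIN and 0 < levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies silently diverted to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Language typical of payment-redirection fraud.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(phrase in text for phrase in PAYMENT_URGENCY):
        findings.append("payment-urgency-language")

    return findings

# Constructed sample messages (not real mail).
CEO_FRAUD = """From: Jane Doe <jane.doe@gmail.com>
To: accounts@example-corp.com
Subject: Urgent wire transfer

I'm stuck in meetings all day. Please process the wire transfer today.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@fast-reply.example
To: accounts@example-corp.com
Subject: Updated invoice

Please update the bank details on the attached invoice.
"""

BENIGN = """From: Jane Doe <jane.doe@example-corp.com>
To: team@example-corp.com
Subject: Lunch

Team lunch on Friday?
"""

if __name__ == "__main__":
    for label, raw in (("CEO_FRAUD", CEO_FRAUD), ("LOOKALIKE", LOOKALIKE), ("BENIGN", BENIGN)):
        print(label, analyse(raw))
```

None of these checks needs a malicious attachment or URL to fire, which is the point: BEC messages are usually plain text, so a filter that only scans payloads sees nothing wrong. In production these indicators would be combined with sender authentication results (SPF, DKIM, DMARC) and with a policy that routes high-scoring mail to quarantine or adds a visible warning banner rather than silently dropping it.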
When these solutions are combined, users can enjoy seamless protection across their environment, and be empowered through the confidence they get from cyber education and technological reassurance.