By Cat McDonald, Investment Manager, AlbionVC
Covid-19 has driven an unprecedented shift in working practices with huge implications for cybersecurity.
First, employee security compliance has been challenged. Phishing attempts and social engineering-based attacks have increased. Stressed workers are more vulnerable than ever to making mistakes.
Second, traditionally most organisations had cybersecurity architectures only covering their standard operating environment. The scope and complexity of that environment has expanded tremendously, stretching the IT infrastructures.
Organisations and individuals are having to quickly adopt new capabilities better suited to this new way of working.
Where do we need to protect ourselves?
10 to 15 years ago the “firewall” sat at the perimeter, shielding a company’s network from data leakage. With cloud computing, mobile and the rise of IoT, data started to come from outside of internal networks and endpoints became the new perimeter. Now, digital transformation (the intersection of people, devices and applications) has required security based on people. Individuals are the new perimeter.
The rise of human layer security
“Human layer security” is a relatively new addition to the cyber security armoury which pays testament to a growing recognition amongst business leaders that the greatest risk to an organisation is posed by its employees. Research commissioned by human layer cybersecurity firm Egress states that 97% of CISOs are worried about insider breaches.
How are humans compromised?
The biggest driver of sensitive data leakage is phishing attacks, especially business email compromises. Phishing attacks often impersonate executives and instruct remote employees to pass over sensitive information and passwords. This is the most difficult attack vector to detect, as well as the most serious. In the CV-19 environment, employees are experiencing a rise in phishing threats as cybercriminals seek to benefit from an environment of hyper-anxiety. This problem is exacerbated by the fact CV-19 has also made employees less likely to follow safe data practices: employees know they can get away with riskier behaviour in remote environments while they are not under the watch of eagle eyed compliance teams. Many choose not to protect data to avoid the hassle.
This lack of care is supplemented by unconventional environments and unfamiliar devices being conducive to making mistakes. The second and growing vector for data leakage is outbound email error. Humans are not infallible, and we are all vulnerable to making mistakes – accidentally sending the right emails to the wrong recipient or sending the wrong files to the right recipient. This problem is prolific and many of us have been there, but sadly, the problem has been exacerbated by CV-19 as even more sensitive information is traveling digitally. For example, lawyers and NHS staff want to securely send critical and sensitive messages to the right people.
Most of us share confidential and proprietary data via email many times per day and the implications of an error can be huge: valuable company or customer data could be exposed, and a business can face huge reputational and/or financial damage. With everyone working remotely, human risk has increased. It is paramount that businesses prioritise effective secure email.
Modern email solutions are defining human layer security
Firms need to recognise that human-activated breaches are their most significant security risk and email should be front of mind if they want to protect their most valuable assets.
Historically, solutions have impeded productivity and thus been relegated in importance. For example, myriad cyber training solutions focus on educating employees i.e. encouraging them to “stop and learn” – but employees do not want to do this or simply do not have the time. Even sophisticated solutions such as encryption have been inadequate, as they have tended to focus on static rules, for example key word search, or impose repetitive and laborious pro-active behaviour, such as requiring a user to click a box to determine whether an email should or should not be secured. These processes are inherently flawed.
Employees need a frictionless experience that does not hamper their productivity – hence we are seeing a boom in demand for sophisticated human layer solutions. Modern email solutions blend into our workflows. They engage users and add tangible value to day-to-day tasks. Slick, ML driven and automated solutions recognise employees need to be armed with the right tools to make them both better at their jobs as well as more secure. They also pay heed to the fact individuals are not infallible.