The concept of “cybersecurity” is daunting for many people and often associated with being the sole responsibility of security teams. According to a recent survey by leading cybersecurity company Proofpoint, only 17% of employees in the UAE and 14% in KSA felt that they shared the responsibility for cybersecurity in their organisation. Attackers don’t respect roles or teams when they strike. They attack people in any department and level with access to sensitive data, often before security teams have time to investigate attacks. For this reason, there needs to be a higher level of cybersecurity awareness in organisations to empower users with tools to identify, resist and report threats, build positive cybersecurity habits and a stronger line of defence.
It is critical to first understand why security awareness is relevant and necessary. Attackers largely target users over infrastructure because it’s easier and faster to trick people than to break into a firewall or hack an account. Inevitably, a threat will pass through the email gateway. Once this happens, users must know how to recognise threats and how to respond to reduce the likelihood of a compromise.
Security awareness training should provide examples of real-world threats, educate users on what to do when faced with threats, help build positive cybersecurity habits, and gauge how users apply what they learn to real-world situations. To help navigate cybersecurity threats and ensure cyber safety at an organisation, the following key practices can be implemented:
- Use MFA to protect your accounts
Most accounts require Multi-factor Authentication (MFA) to ensure that only the account holder can access an organisation’s information and systems. Common MFA factors include an additional code or password, a physical security key (typically a USB device), biometrics (e.g., fingerprint or voice) and the GPS location of your device.
Attackers know how useful and common MFA has become and have found ways to bypass it using “fatigue attacks” or “MFA bombing” once they already hold a person’s credentials. In this case, bad actors trigger a stream of “push” notifications or MFA pop-ups to the victim’s phone or email. Their hope is that the user will tire of the prompts and simply “accept” a request they did not initiate in order to stop receiving further messages.
To keep accounts safe, users should watch out for unexpected MFA requests on their devices and be wary of receiving multiple MFA requests in a short period. An MFA request should only be approved when the user is actively attempting to log in, and alerts should be set up on devices so that suspicious activity is flagged promptly.
While it may seem cumbersome to input various codes or use biometric scanners and fingerprint IDs, setting up MFA on all accounts and taking the extra time to verify that each MFA prompt is legitimate helps keep data safe and ensures you are notified when there has been an attempt to compromise the account.
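The “multiple MFA requests in a short period” pattern described above is something a security team can look for in authentication logs as well as something users can notice on their phones. The following is an added example written for this article, not Proofpoint’s code or any vendor’s product; it assumes a simple constructed log format (one line per event with a UTC timestamp, user, event type and source IP) and flags any user who received a burst of MFA pushes inside a short window, noting whether an approval followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (illustrative only, not from a real system).
# Assumed line format: "<UTC timestamp> user=<name> event=<event> ip=<address>"
SAMPLE_LOG = """\
2024-05-02T08:00:05Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-05-02T08:00:30Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-05-02T08:00:55Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-05-02T08:01:20Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-05-02T08:01:40Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-05-02T08:01:55Z user=alice event=mfa_push_approved ip=203.0.113.7
2024-05-02T09:10:00Z user=bob event=mfa_push_sent ip=198.51.100.4
2024-05-02T09:10:20Z user=bob event=mfa_push_approved ip=198.51.100.4
2024-05-02T10:00:00Z user=carol event=mfa_push_sent ip=192.0.2.9
2024-05-02T10:30:00Z user=carol event=mfa_push_sent ip=192.0.2.9
2024-05-02T10:30:15Z user=carol event=mfa_push_denied ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_push_bursts(log_text, threshold=3, window=timedelta(minutes=2)):
    """Flag users who received `threshold` or more MFA pushes within `window`.

    Returns one dict per flagged user with the size of the densest burst, its
    start and end, and whether an approval followed within one window, which is
    the case an analyst would escalate first (the user may have accepted a
    prompt they did not initiate).
    """
    pushes = defaultdict(list)
    approvals = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "mfa_push_sent":
            pushes[rec["user"]].append(rec["ts"])
        elif rec["event"] == "mfa_push_approved":
            approvals[rec["user"]].append(rec["ts"])

    findings = []
    for user, times in pushes.items():
        times.sort()
        best = None  # (count, start, end) of the densest window seen so far
        j = 0
        for i in range(len(times)):
            # Sliding window: advance j to the first push outside the window
            # that starts at times[i]; j never moves backwards.
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[i], times[j - 1])
        if best is None:
            continue
        count, start, end = best
        approved = any(start <= t <= end + window for t in approvals.get(user, []))
        findings.append({
            "user": user,
            "pushes": count,
            "start": start.isoformat(),
            "end": end.isoformat(),
            "approved_after_burst": approved,
        })
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    for finding in find_push_bursts(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, only alice is flagged: five pushes in 95 seconds followed by an approval, which is exactly the sequence a fatigue attack produces. Bob’s single prompt and carol’s two prompts half an hour apart are normal activity. The threshold and window are deliberately parameters, since the right values depend on how chatty a given identity provider is.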
- Create strong passwords and regularly update software
It can be challenging to remember different passwords for several accounts, and thus tempting to use the same password across multiple platforms. However, attackers often use freely available, open-source tools that automatically try large numbers of candidate passwords against an account in the hope of “guessing” the right one.
Weak passwords make it easier for these tools to eventually hit the right combination. Also, if the same password is used in several places, it increases the likelihood of bad actors compromising multiple accounts once they guess it. Creating strong passwords with a mix of letters, symbols and numbers makes it harder for attackers to break in.
Another component of protecting information is protecting devices through software updates. Security teams work hard to identify bugs that require patches, and unpatched bugs can leave software vulnerable. Even though software updates might slow your computer down during the install or require a restart that takes time away from the task at hand, it’s important to run the latest software to “lock the door” and keep out attackers attempting to gain entry to devices and accounts.
- Be vigilant for phishes in the workplace and at home
In today’s remote work world, people are distracted by multiple devices and competing priorities, making it easy for a distracted user to click on a phish. Being able to spot phishes and knowing how to report them helps people avoid falling for these tactics and prevents breaches.
Phishing emails take on different forms, are constantly evolving, and make use of social engineering tactics to become appealing to users. Having a security awareness training solution that educates users on real-world threats increases the likelihood of users reporting the next phish they receive and doing their part to protect the rest of the organisation.
User awareness and its application in practice are critical to reducing cybersecurity risks. Training should take the form of in-person workshops, realistic simulated attacks and general awareness education. Most importantly, this training must be comprehensive, ongoing, and responsive to changes in the threat landscape.
There are no quick fixes in cybersecurity. Building a security-conscious culture takes continued effort and attention. Cybercriminals are focused, forever honing their skills and techniques. If you’re not doing the same, there can only be one winner.