By Sebastien Pavie, VP Data Protection Products, Southern EMEA at THALES
Hardly a day passes without hearing of a new cyberattack. Whilst much of the techniques from malware and ransomware to credential stuffing and phishing have been around for years, hackers are getting much more sophisticated at breaking through defenses. This, coincided with both our personal and professional lives being online more than ever before – the average user globally now spends almost seven hours a day connected to the internet – has presented the perfect opportunity for cybercriminals to take advantage.
In fact, whilst the attacks may have become more sophisticated, it is us, the humans, that hackers often prey upon as the weakest link in a cyber defense. According to Thales’ 2022 Data Threat Report, almost a third (29%) of respondents ranked ‘accidental human error’ as the top threat to their organisation, and whilst four fifths (78%) ranked accidental or human error in their top four threats. What’s more, with the ‘great resignation’, remote workforces, and evolving breach techniques, there’s a lot for business leaders and employees to contend with.
So, what can be done? In this Q&A, Sebastien Pavie, Regional Director for Data Protection at Thales dives into the cyber threat landscape and how employees can better prepare themselves for the onslaught from hackers.
1. What is concerning security professionals most about working in an increasingly remote workforce?
It’s no great surprise, especially after the last two years, that employees across the globe are more distributed than ever before. The advances in technology such as cloud, coupled with a pandemic, has bolstered working from home (or anywhere you want), but this has brought with it many challenges for both security professionals and employees.
For business leaders and IT professionals, the notion of protecting their castle has got even more complicated. They no longer have centralised control of their workforce under one roof, and employees can stray away from their watchful eye. As a result, employees no longer have the same security blanket to fall back on, as being in-house with a dedicated security team at their disposal. Businesses therefore need to provide employees with a sufficient infrastructure to independently safeguard against the cybercriminals looking to infiltrate their home working setup, creating new challenges for security professionals.
Businesses across the globe are also accelerating the shift to the cloud in conjunction with this. Infrastructure now has to be more agile, capable and distributed to support distributed workforces that access data from anywhere. Although this multi-cloud environment has enabled effective and efficient remote work, it simultaneously poses newfound security risks. Attacks targeting cloud resources are on the rise, including data breaches on cloud assets and secure information held in cloud applications. Establishing sufficient cloud protection strategies to safeguard businesses is an ongoing concern on security professionals’ radar, with 51% of IT leaders agreeing that it is more complex to manage privacy and data protection regulations in a cloud environment.
- Why are employees more vulnerable to cybercriminals now than ever before?
Employees, no matter what company or industry, are an attractive target for hackers as they are seen as the weakest link in an organizations’ defense, especially with more remote working. Fortunately, security professionals are acutely aware of the risks being faced by employees, with 79% of which expressing some level of concern about the security risks/threats of employees working remotely.
The correlation between the high staff turnover rate and cyber incidents in the last couple years is also no coincidence. Fatigued or disgruntled workers who have already set their sights on greener pastures, will no doubt have developed a detached mentality when it comes to cybersecurity at their current workplace. Although not malicious, such employees may be lax in following security guidelines if they take their eye off the ball, with workplace dissatisfaction and COVID-19-induced burnout higher than ever.
With a higher employee turnover as a result, new staff will also be unfamiliar with security protocols, heightening the risk of breaches further. The cost to replace an employee therefore goes recruitment and training costs; it must consider the potential cost to the business with cyber incidents.
The nature and complexity of cyberattacks is also constantly evolving, with criminals resorting to new means of attack, making it difficult to continually upskill employees to confidently spot and avert breach attempts.
2. Why is Human Error the biggest risk of all for cybersecurity professionals?
Whilst it may be easy for vendors to discuss the measures businesses need to take to protect themselves at length, it’s the people within businesses that remain at the forefront of a robust cybersecurity strategy.
According to a recent Prosper Insights & Analytics Survey, 27% of adults have not taken any steps to protect their digital or online privacy. This apathy towards data privacy means that many employees may be unaware of what data they are sharing and with who, potentially translating to security breaches if they aren’t taking full precautions.
As such, they may be unable to track who has access to their data and erect barriers to ensure unauthorized users cannot gain access. In an increasingly hybrid working environment, many employees are also using personal devices to access work services and if compromised by hackers, this can present a significant risk to a company’s data security.
Employees failing to protect their data privacy not only creates a new risk point for businesses to manage, but it also highlights a cultural lack of awareness around the importance of maintaining a strong defense against cyber-attacks. The result is that even in a business with effective multi-factor authentication (MFA) software, encryption tools, and key management, this can all be undermined by workforces that are blind to potential threats and take risks with the storage, access, and utilization of their company’s data.
3. What are the main cybersecurity issues and threats organizations should be paying attention to moving forward?
Cyberattacks are now the inevitable price you pay for doing business – with the volume of attempted breaches surging in comparison to pre-pandemic figures. In fact, Thales’ Data Threat Report found that malware (56%), ransomware (53%) and phishing (40%) are the leading source of security attacks – with one in five (21%) having experienced a ransomware attack in the last year. Managing these risks is an ongoing challenge, with almost half (45%) of IT leaders reporting an increase in the volume, severity and/or scope of cyberattacks in the past 12 months.
However, deepfake technology is now so sophisticated that we are starting to see cybercriminals move away from tried and tested methods like phishing to carry out far more advanced attacks on enterprises. Such attacks have already started to gain in popularity, with threat actors using AI to impersonate the voices of business leaders in order to steal huge amount of money. By exploiting the attributes and authority of such high-profile individuals, CEOs will therefore be the gateway to infiltrate larger organizations this year.
4. Is the accelerated evolution of quantum computers a threat to data security? If so, what steps should organisations be taking to prepare of their post-quantum security future?
Although there are no current quantum computing threats that can practically affect any classical encryption scheme, quantum technologies certainly have the potential to break current cryptographic approaches, posing an unprecedented threat to our data security. With the race to quantum heating up, business leaders need to take proactive steps to prepare for this evolving risk, rather than taking a reactionary approach when it does become a reality – you don’t want to be playing catch up when the integrity of data is at risk.
Encouragingly, the National Institute of Standards and Technology (NIST) recently announced the first four Quantum-Resistant cryptographic algorithms – that will now undergo a two-year process to become part of NIST’s post-quantum cryptographic standard. For example, the NIST has selected Falcon, a Thales co-development algorithm known for its extremely strong security and high bandwidth efficiency. Such algorithms will set future post-quantum cryptography standards.
Above and beyond the cyber cybersecurity hygiene protocols that businesses should be enforcing as standard, there are three key measures that businesses should be implementing to prepare for a secure post-quantum future. Firstly, for organisations looking to protect their data, they must adopt a strong quantum crypto agility strategy, encouraging their company to assess their crypto inventory and readiness – in order to begin planning a quantum safe architecture. In other words, data security practices need to easily evolve to support multiple algorithms and encryption mechanisms simultaneously. What that means is that to truly understand both potential and risks, tech teams must first analyse their existing applications, to ascertain if an algorithm were changed would the application still work. This must be done across every application, and business critical system, across the whole organisation, enabling them to map out a plan that will allow for business continuity. It is a big job, so by beginning this process early, it will help to ensure a smooth transition when it comes to protecting data against the new threat vector.
Secondly, there is also a pressing need to address the knowledge gap in workforces. Given that quantum computing, and its associated risks, are emerging areas of concern, it’s important to roll out sufficient training to upskill employees to be quantum literate. This would empower teams to competently develop quantum-safe strategies.
Finally, organisations must also adopt the Zero Trust framework as part of rolling out a strong quantum crypto agility strategy. Businesses cannot be risk becoming overconfident in assuming they are resistant to cyber breaches, even after implementing the above. Maintaining a risk-averse agenda will no doubt be a huge part of ensuring quantum resilience.
5. Lastly, what steps can security professionals take to protect their most sensitive data?
Implementing stronger security practices and following good cyber hygiene is the only way to provide robust protection against attacks on data, personal information and infrastructure. Every company should be continually assessing their security capabilities and ensuring they’re protecting their most sensitive data.
First, you must prepare for the threat by developing and exercising both a cyber incident response and communications plan. Create and maintain a cybersecurity awareness training program for your users – making digital asset management a key competency for your organisation. Then, keep systems up to date and use appropriate tools and security teams to regularly test and evaluate your environments. Make sure to add layered defences and threat detection capabilities to further protect those systems from attack.
Implement security and access management controls, such as two-factor authentication, encryption, key management to protect data at its core and restrict access to only to those authorised. Organisations should also consider adopting a Zero Trust security approach, based on the tenet “Never Trust, Always Verify”, to prevent employees from accessing data unless explicitly authorised to do so.
In addition, it is important to help guide employees on the best practices both inside and outside of work. Whilst you can never guarantee compliance, having guidance and advice can go a long way in protecting everyone. So as a gentle cyber hygiene reminder, here are four top tips:
- NEVER REUSE!
Never reuse the same password between different sites. Implement software that generates unique passwords, so each time you register a random password is created for you.
- OPT FOR MULTI-FACTOR AUTHENTICATION:
Where possible, activate the multi-factor authentication services that many sites offer to enable an extra layer of security, ensuring only you can access your accounts. This authentication method will require two or more forms of verification to gain access, thereby minimising the chance for cybercriminals to gain access to your accounts.
- BE MINDFUL:
Remember that your computer or mobile device can contract a virus or malware at any point of you being on a website or app. Practice sensitive caution at all times and use devices and infrastructure that have strong security technologies, like encryption, anti-virus software and two-factor authentication, to protect the integrity of your data.
- ALWAYS USE A VPN:
Where possible, use a trusted Virtual Private Network (VPN) when using publicly-available (and potentially insecure) Wi-Fi networks that don’t have the necessary precautions in place.