Five key employee security behaviours that can reduce cyber risk
As cyber criminals become increasingly sophisticated, professional and resourceful, organisations must extend their lines of defence beyond technical controls and crisis response plans to their people.
Unfortunately, the crucial people component is not always fully considered: security can be seen as simply a technology problem, and there is often substantial under-investment in educating employees about their role in securing the organisation.
The level of resourcefulness shown by cyber criminal groups needs to be matched by organisations in their response to cyber attacks. Ensuring that employees fully understand and demonstrate the right security behaviours is key to reducing the efficacy of a potential cyber attack.
How cyber attacks can exploit human error or vulnerability
Cyber attackers consider every possible vulnerability when trying to gain access to an organisation, and they often see people as a weak link. Taking human-operated ransomware as an example, there are key points on the typical attack path where the ransomware relies on human error or vulnerability to deploy successfully. That is why employees should demonstrate certain security behaviours to help counter the threat of ransomware and other cyber attacks.
An effective security culture is broader than just tick-box activities, but the existing activities many organisations use to manage the people component of security are often not effective in supporting this type of cyber risk reduction.
How a human-operated ransomware attack can exploit human error or vulnerability
Firstly, the attack is often based on successful reconnaissance by criminals to steal information from open social media profiles or other websites that can be used in social engineering or phishing attacks. Phishing of employees using this information is then carried out to deploy malware to workstations.
Five key security behaviours to reduce cyber attack efficacy
Social media
Help your people to be more secure by not over-posting on social media. As well as training and awareness, hold drop-in sessions where staff can get hands-on practical advice and tips.
Phishing behaviours
Ensure you are supporting your people to identify and report phishing. Don't just try to catch them out with simulations and then blame them for a high click rate.
Use of shadow IT
We have seen an increase in this with remote working. There are often reasons people use shadow IT, such as a workaround to help them do their job faster, so speak to your people, identify why they are doing this and help them find secure alternatives.
Passwords
Consult and report
Often people are not sure what to report or how. Help them understand what to look out for, and make it easy for them to consult and report.
Many things influence behaviour, and emphasis must be placed on understanding what is driving current behaviour across your employees. Use this information to design activities and interventions that will make a difference, rather than acting on false assumptions.
Interventions that can improve awareness of cyber threats and encourage the right behaviours will help build an effective security culture and create a stronger, more resilient organisation.
Get in touch with the PwC security culture team to find out how we can help you understand security behaviours and improve security culture at your organisation.
This article was first published in www.pwc.co.uk, where you can also download the full research.