Corporate IT infrastructure has become incredibly complex. The intricacy brought about by digitalisation in recent years has now been exacerbated by the pandemic and its impact on society – think of the enormous spike in online services, remote workers, virtual collaboration and connected devices, with all the challenges they create. This is naturally reflected in the cybersecurity threatscape. Even pre-COVID, businesses were battling fiercer attacks on their environments making it increasingly difficult to protect, and the current circumstances certainly haven’t made things easier. Risks, however, don’t simply revolve around devices and security solutions. There’s another important element to keeping hackers out, and it’s ensuring employees are familiar with potential security threats and on board with recommended processes to help thwart them.
Improving security isn’t something companies can compromise on. Not only do cyberattacks disrupt productivity, tarnish brand reputation and damage customer trust, they also have more tangible consequences: the average cost of cybercrime in Europe has risen to €50,000 per incident. At a time when resources are precious and companies are working hard to navigate the financial crisis, such losses can be catastrophic. So, companies need to find ways to integrate people, process and technology in a unified approach to security to protect their networks in today’s climate.
The importance of employee behaviour
While some believe InfoSec teams are the gatekeepers for all things security, it is in fact all employees who must play a crucial role in keeping an organisation safe. Last year, for instance, 90% of security breaches in the UK were due to human error. This explains why a core aspect of cybersecurity is actually represented by company-wide awareness and training: data from our own survey shows 36% of IT leaders in EMEA consider employee security education one of the biggest future IT challenges. Of course, these practices have become fundamental in the age of WFH, where staff are working remotely, outside of office perimeters and far from the protection of their tech-savvy teammates.
As workers strive to maintain productivity and efficiency in the face of new challenges, such as using their own personal devices and home WiFi connections to connect to the corporate network, it’s no wonder security isn’t top of their priorities. Instead they are focusing on the need to deploy whatever tools and applications are needed to ensure they can get the job done. According to 35% of IT decision makers, in fact, insider threats increased this year due to employee disengagement and over half of decision makers in IT agreed that WFH has made their companies more vulnerable due to insecure devices. And there’s more – 44% of companies have seen an increase in phishing attacks this year. It’s no secret that cybercriminals have been exploiting COVID-19 in fraudulent emails and texts to workers, to breach their organisations’ defences, so measures need to be put in place to prevent these incidents.
The value of a Zero Trust approach
While employee education and training are of course important, there are other measures companies can adopt. For example, taking a Zero Trust approach to security – not granting automatic privileges to any users on the network – can reinforce protection.
At a time when implicit trust is no longer safe, Zero Trust can help increase protection; in fact, nearly all of the digital leaders we surveyed said this architecture could help their business deal with the current global situation. Specifically, it has the potential to mitigate threats like human error, as well as employee unawareness and disengagement. Our data shows that 49% of IT decision makers are considering a Zero Trust framework in order to prevent workers from compromising the system. Once again, the technology alone isn’t enough: Zero Trust is not a plug-and-play product, it’s a mindset. In fact, nearly 30% of professionals we surveyed said employee support is fundamental to embark on a Zero Trust journey, while 40% believe the biggest obstacle to achieving it is the need for a culture shift. Employees should keep the ‘trust no one’ mantra in their day to day, to establish how to behave when targeted by a phishing attack, for instance.
In today’s cyber-threatscape, made more complex by fluid working, risks are lurking around every corner. With so many factors that can compromise infrastructure defences and lead to devastating consequences, relying solely on one tactic – be it security technology or employee training – simply isn’t safe. Companies must apply an all-round, comprehensive approach, coupling technology that enables a Zero Trust security strategy, with employee awareness to safeguard their networks in this new world.