Cyber security: making your employees your greatest defence

Publisher: Telstra Wholesale
Copyright Date: 19/04/2024
Copyrighted By: Telstra Wholesale




Phishing and malicious email attacks are on the rise in Australia as cyber criminals target organisations’ staff as a way to access sensitive data. Vinod Muniyappa, head of Infosys’s security practice, and Berin Lautenbach, Telstra’s Asia Pacific Chief Information Security Officer, offer their advice on how to empower staff to protect your business.
 

In 2014, IBM reported that “over 95% of all security incidents investigated recognise ‘human error’ as a contributing factor”, and human error is still a major concern for organisations grappling with the fast-moving security requirements of cloud, collaboration and mobile technologies.


The organisation’s biggest vulnerability

“Cyber criminals target employees with attacks such as phishing and malicious emails as a way for them to gain access to an organisation’s network,” said Berin Lautenbach, Telstra’s Asia Pacific Chief Information Security Officer.

“If a hacker can get the login credentials of an employee by impersonating as a valid user, it becomes easier for the hacker to get access to highly critical systems and confidential data,” according to Vinod Muniyappa, head of Infosys’s security practice.

Part of the problem is the coming together of enterprise and personal devices and applications. A 2017 study by Citrix and the Ponemon Institute shows that the greatest risks identified by IT/IT security practitioners are associated with the use of social media in the workplace.

“Businesses are becoming more mobile, cloud-based and technology-driven, meaning that employees use more consumer technologies and social media in the workplace. Hackers are using those channels to find vulnerabilities to exploit,” Berin said.


Making your people your first line of defence

Berin and Vinod have several pieces of advice for addressing the human vulnerability.


1. Use training to help create a security mindset

“Creating a security mindset is an important defence. Regular education of employees to ensure that security best practice is front-of-mind helps them to do the right thing when confronted with a potential threat,” Berin said. “The greatest danger is when businesses look at it as an insoluble problem and don’t try to train or educate their people. Good training programs, run regularly, get staff to think about what they are clicking on, and why are they clicking on it.”

It is also important to frequently update policies and monitor employees’ awareness levels. “Some businesses and IT departments perform fake phishing attack drills to test their organisation’s readiness and identify areas where more training might be required,” added Berin.
 

2. Put in basic security measures and keep them up-to-date

“Something as simple as a resilient password rule, user access control, strong authentication mechanisms, and restrictive email and software usage go a long way to avoiding damaging attacks,” Vinod said.


3. Consider multi-factor authentication

“Implementing multi-factor authentication for specific corporate email and corporate network access could mitigate the potential for an attacker gaining access through stolen credentials, such as a username and password,” Berin said.


4. Focus on your most important data

“Today’s businesses have vast stores of data,” Berin said. “Understand what is really important to you and ensure you have adequate measures in place to protect it.”


5. Restrict and monitor user access

One way that businesses can focus security efforts is by minimising access. “Organisations should review their number of privileged users. These are employees who have access to sensitive information and assets. The fewer privileged employees you have, the easier it is to monitor behaviour and protect your data,” Vinod said.

“Cyber criminals are sophisticated and are constantly evolving their tactics to exploit an organisation’s weakness. Your staff can be your greatest asset if they are armed with up-to-date knowledge, the right skills, and supported by technology, to enable them to avoid the majority of phishing and malware,” Berin said.

The Telstra 2018 Cyber Security report has an in-depth view of the latest trends and more recommendations on cyber security best practice.
 

Author: John Fearn

John is a writer and tech addict with over 15 years’ experience of working for leading technology companies in both Australia and the UK.
