By Ireen Birungi, Chief Information Security Officer, Interac Corp.
For too long the cybersecurity world has viewed people as the weakest link and biggest point of vulnerability when it comes to risk. However, post-COVID-19 we are starting to see a shift in this mentality – a shift that sees people as the greatest asset and an opportunity to provide the first line of defence, supported by enterprises.
At Interac, this has allowed us to build a security program that puts people at the centre, so that we can continue to keep security at the forefront of our thinking within the organization. This can be a very cultural mindset change and sometimes culture can be the hardest thing to influence in an organization.
People-centric security is not limited to the end user. It extends to the people who configure and secure our environments, as misconfiguration continues to be a common way that vulnerabilities can be exploited online. It also includes the individuals and teams that develop our code, to ensure security is part of the lifecycle of the systems and applications we implement. This is increasingly important for organizations, given the ever-growing shift to the Cloud and SaaS (Software as a Service) based applications, especially post-COVID-19.
Phishing is still the number one tactic that fraudsters use to target organizations and individuals. High-value targets like executives, system administrators, finance, and HR continue to be the ones that, when exploited, yield the highest results. Stolen credentials still rank highest in the financial sector, as cybercriminals are financially motivated.
COVID-19 has created a new environment of haste, unfamiliarity, and vulnerability, with consumers being inundated with new information online. Our latest Interac Corp. Cybersecurity Study revealed that although 84 per cent of Canadians believe it’s more important now than ever before to understand cybersecurity risks, less than half (44%) are confident they can protect themselves. [1]
It is getting harder and harder to tell the fake from the real online. This raises concerns around consumer behaviour and mindset when it comes to consumers exposing themselves to cybersecurity risks. Our research concluded that “minimal online activity” (24%) and a “lack of time” (29%) are the leading rationales in Canadians’ lack of cybersecurity savviness. [2] This tells us that we need to better educate and protect consumers; cybersecurity threats have become more sophisticated, and we cannot leave consumers unarmed against attackers. However, just as hackers are becoming more advanced in their approaches, so too are the methods we can use to guard against these threats, including back-end infrastructure online. At Interac we realize you can’t rely on end users and employees alone. Organizations have a vital role to play in reducing the volume of potential threats that could come into an environment and in helping set consumers and employees up for success in avoiding cybersecurity risks.
The steps Canadians are taking to better prepare and protect themselves from the unknown during COVID-19 are similar to the steps they can take to guard against cybersecurity threats. What can we take from this shift in real-life consumer behaviour and apply to online activity? Before entering a store, consumers are equipped with extra protection, from hand sanitizer to face masks. Similar steps of caution should be taken before venturing online or opening unknown emails; consumers should STOP, SCRUTINIZE and SPEAK UP.
The role of a Chief Information Security Officer (CISO) within an organization has expanded in recent years, and this shift has only been accelerated as a result of COVID-19. Organizations must take a risk-based approach to cybersecurity, determining the best defence mechanisms and how they can introduce these mechanisms while still allowing consumers to keep transacting easily online.
We know we cannot completely eliminate cyber threats, but we can control how we prepare. We need to equip employees so that they can act as a vital first line of defence.
A major aspect of preventing a cyber event is recognizing that an attack might happen. From here, you can work your way backwards to ensure that if a cyber attack occurs, your company, employees and customers are equipped to deal with it and able to spot the warning signs at an early stage.
When it comes to cybersecurity, businesses must take a two-pronged approach. First, they must focus on education to prevent the risk of attacks happening in the first place, by best arming consumers before they go online. Part of arming or protecting against attacks is understanding how people react to cyber threats, by gathering statistics from phishing attempts and analyzing those that were successful.
Second, they must recognize and accept the reality of human error. People can and will make mistakes, and preparing for those mistakes so that they have minimal impact on the consumer and the business will be critical from both an operational and a reputational standpoint. Part of this is shifting how people perceive security in their day-to-day. While it is generally seen as an IT function, security should be everybody’s responsibility in how they interact with data, rather than people being complacent and clicking too quickly on a link because they haven’t been tripped up before.
As the pandemic continues, now is the time to protect and prepare consumers as they embark further into an accelerated digital economy. Doing so effectively means adopting a people-centred approach that empowers and supports consumers and employees in their important role as the first line of defence against cybersecurity attacks.
[1], [2] The Cybersecurity Survey is based on a survey of 993 Canadians across the country, conducted September 3 to September 8, 2020.