Report after report tells us hackers are thriving in the emerging hybrid office era. Theo van Wyk, Head of Cybersecurity and Solutions Development at CDW Canada, said the solution is for organizations to focus not just on technology but also on their people.
Smart, battle-hardened hackers, many of them skillful social engineers, are coming up daily with new ways of penetrating companies through their people. This, said van Wyk, is an organization’s most vulnerable point. “The people part is the most difficult part of a company to change,” he said. “And it’s also the most fluid. Things can change quickly.”
Despite all the talk about cybersecurity, bad actors are still succeeding. “It’s time to shift gears,” said van Wyk. “If companies want to advance their cyber strategy, they do well to get back to basics, and that means looking at the people in their organization.”
Van Wyk said it’s natural for an IT group, whose members typically have a background in technology, to focus on the technological aspects of what is a growing cyber problem.
IT, said van Wyk, is facing two distinct cyber problems in 2022.
“With people first going remote (in 2020), and more recently coming back to the office at least some of the time, the traditional corporate boundary has eroded,” he said. “Coming out of that – and this showed up in our 2022 security study – is a point of concern for many organizations around identity and end users.”
The vast majority of cyber-attacks, said van Wyk, will still come via stolen logins and credentials.
“Let’s throw out this romanticized notion of the slick, super-intelligent Hollywood hacker. Although in real life flashy attacks by flashy players do happen, 99.9 per cent of the time attacks will come through simple things – people, credentials, social engineering.”
The endpoint became a major cybersecurity focus the day organizations around the world told their staff to work from home. “In addition to this sudden shift, which gave hackers a very attractive target, having people work from home also brought the challenge of patching laptops, keeping work devices up to date. People have more passwords to deal with – that and other loads have fallen onto their shoulders. Add it all up and you have what for many companies is a porous attack surface.”
Many organizations have pushed their services into the cloud. “At face, this is not a bad thing,” said van Wyk. “We see a service or offering that scales – it’s hyper-available, which is what businesses today need. Unfortunately, hackers also benefit from this because services and data that previously were blocked or locked away are now up for grabs.”
The persistence and ingenuity of bad actors should not be underestimated, and it is something you see not only in cybersecurity.
“Early in the pandemic most of us had items delivered to our homes,” said van Wyk. “An attack on this front could come via an email saying your order has been delayed, and could you please provide your credentials or credit card info to ensure your package clears customs.”
The secret to social engineering, said van Wyk, is in giving you just enough data – no more – and having your brain fill in the rest. “The most powerful lie is the one, half-told, that you complete.”
Van Wyk said the problem must be tackled from both sides. “Executive buy-in is a must. Most measures in a company, in fact, from maturity level to attack cycles, will show great improvement when there is firm commitment at the executive level.”
It’s essential, said van Wyk, that cyber threats are put in a context that C-suite executives understand, in terms of business risk.
“They need to grasp what X threat means to them and to the company as a whole. For example, deploying A/V and blocking 5,000 viruses means little to executives on its own. You have to put it into a business context – ‘If we do X, we’ll be able to secure our new ecommerce portal, which will be critical for us going forward as we attempt to gain market share.’ From there, you will be much more likely to see security-mindedness spill down to the various teams.”
The other side of the solution has to do with making security relevant to employees by training them to be digital citizens in all areas of their life. “They have to see the relevance of being security-minded in both their personal and professional lives. You want to train up digital citizens, making the importance of being vigilant more immediate, more ‘everyday.’ It should become as natural as brushing one’s teeth – total routine.”
In training digital citizens, companies should ensure employees know they are vital to safeguarding company assets. “If they can somehow – through gamifying security in training or some other way – see the direct results of their being or not being security-smart, you will be more successful. You will have people who know the importance not just of security in general but of their own special role in it. They will each see themselves as a special link in the overall chain.”
To the question of what companies should be doing to advance their cyber strategies in 2022, van Wyk was clear.
“Prepare, defend, and respond. Have you adequately prepared? Where is your data? Is it secure? How are your users accessing it? Has this changed since 2020? If so, how? And has your approach and technology changed along with it?
“It doesn’t have to be overly complex. You want to defend and respond, so make sure you’re as prepared as possible. Commit to endpoint detection and response. Invest in updated patching technologies. Focus on authentication, and make sure you have the identity access management piece nailed down.”