Special Reports
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Keep the threat message simple for employees

It’s helpful to organise cybersecurity training around a theme that is communicated regularly

Cybersecurity and defence have been of paramount importance to companies for many years now but with the advancement of technology in machine learning and artificial intelligence (AI) and hackers themselves coming up with more clever ways to breach security, it’s even more essential to protect against attacks.

With 95 per cent of cyberattacks traced to human error, and 91 per cent of ransomware attacks beginning with a spear phishing email it’s clear that educating employees about the dangers of cyberattacks is essential.

Other areas of weakness

The way businesses have grown has also compounded the problem with many companies integrating more than just third parties into their operations, leaving the company vulnerable. “One of the most common causes of a breach is through third-party ecosystems. As organisations have become more complex, we rely ever more on our supply chains for day-to-day operations,” says Dani Michaux, EMA cyber leader at KPMG.

READ MORE

“Organisations once concerned with merely managing third parties are now working in a vast new risk-charged world, managing fourth, fifth and even sixth parties. These parties include a mix of cloud and IT providers, partners and affiliates that define today’s modern extended enterprise.”

Types of attack

While there are many attacks to watch out for, some of the most common employee attacks include phishing. Targeted phishing attacks through spear phishing, whaling, and BEC (business email compromise), are the most serious threat that employees should be aware of, says Jaap Meijer, chief cybersecurity and privacy officer at Huawei Western Europe. “These types of phishing attempts could appear more legitimate and provide a false sense of trust by being targeted and seeming in pace with the sorts of emails and requests employees would typically see, or appear from senders that they think of as legitimate.

“Employees need to be aware of the importance of questioning every email they have received, learning about the latest trends of social engineering attempts.”

How can employees protect themselves?

Employees should be generally aware, in their professional and private life, of things to look out for in communications to keep themselves and their employer secure, says Eoghan Daly, director of cybersecurity at BDO Ireland. “Don’t give out personal information over the phone or email, don’t write down passwords on paper or in emails, and be suspicious of any communication that includes a time pressure to take an immediate action.

“Employees should also avoid sharing certain information online, for example, when they are on holiday or travelling, as this information can be exploited in cyberattacks.”

Company support is essential

The ownership or preventing cyberattacks falls with the organisation and their focus on supporting employees to be able to detect and act safely against a cyberattack, says Meijer. “In general terms, an organisation must create an environment which minimises the number of phishing attempts that make it into inboxes via various tools and active monitoring, actively notify employees of a potential phishing campaign to make it easy for employees to do the right thing and act securely by reporting and deleting anything suspicious.”

Daly advises that organisations should ensure the right tools and technologies are in place to maintain security, and then provide clear and easily understood instructions to employees about how they should act to keep the organisation secure. “It is important that employees are offered practical advice that is easy to remember and follow. If employees are asked to do too much, or it is too complex, even the best employees will fail to adhere to everything at all times.”

The most important way to prevent cyberattacks is through employee awareness, says Michaux. “Take advantage of the science behind adult learning technique, use change management to reinforce behaviour, make training more engaging with innovative technology and personalise the experience to make it memorable.

“It’s helpful to organise cyber training around a theme that’s communicated regularly. The aim should ultimately be to move security awareness from being a conscious choice to an ingrained habit.”

Edel Corrigan

Edel Corrigan is a contributor to The Irish Times