Current risks
Nick Moore outlined some of the ways in which hybrid working has changed cyber-related risks for businesses. With staff working outside the office more, whether at home or in shared working spaces, businesses can no longer rely on traditional ‘perimeter-based’ approaches to security, which assume that workers use technology owned and controlled by the business. When staff use home networks or personal devices, the business becomes reliant on technology it does not control being well protected. The extra travel that comes with moving between locations also increases the risk of devices being lost or compromised.
While the nature of the risks may have shifted, the features of most attacks remain familiar, and the NCSC highlighted the particular prevalence of phishing at the moment. In the latest UK Cyber Security Breaches Survey, over 80% of businesses reported phishing attacks, so identifying phishing emails and preventing staff from clicking on the offending links should be a top priority for all businesses. Advice in this context includes making it difficult for attackers to reach users in the first place, and helping users identify and report the phishing emails that do get through.
Focusing on people
It is a well-worn mantra in security that people are the weakest link. They create poor passwords, click on links and can give away information unwittingly. A lot of effort in cyber security therefore needs to go into training people and ensuring that they are well equipped to follow good practices.
However, this shouldn’t lead organisations to blame people when they get things wrong, according to Nick. He argued that companies need to take responsibility for helping users and for designing systems and processes in a way that makes it easy for users to do the right thing. This requires a collaborative approach that encourages good behaviour, rather than one that simply punishes wrong actions.
For example, companies send their staff lots of emails containing links and expect them to click on those links. At the same time, they expect staff not to click on phishing emails, which may be very convincing. By thinking about these behavioural aspects and being consistent, businesses can better support staff in this context.
Authentication
Linking to this people element, the webinar emphasised the critical importance of robust authentication, especially when people are working from different locations and on various devices. Passwords are still the main way that people gain access to systems, yet many weak passwords remain in use, which makes it much easier for attackers to get in.
Rather than making password processes ever more complex, both speakers emphasised the importance of helping users. Forcing password changes too often, for example, just encourages people to choose weak or predictable ones. Inconsistent rules across different systems make it harder for people to develop good habits. Saving passwords in browsers or using a password manager was another recommendation. While some in the audience expressed concern that this could make passwords more vulnerable to compromise, the view was that the benefits of reducing cognitive load and encouraging users to create strong, unique passwords outweighed the risks.
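The following is an added example, not code from the webinar, the NCSC or the original page, showing what the password advice above looks like when written into a policy check: length rather than character-class rules as the main control, a deny list of well-known passwords (the sample list here is constructed and tiny; a real deployment loads a large breached-password list), and no routine expiry, with a reset forced only when compromise is suspected. The function and class names are illustrative, and the legacy complexity rule is included only as the ‘before’ to contrast against.

```python
"""Added example: a password policy in the spirit of the webinar's advice.
Not the NCSC's code or the page's own; names and the deny list are illustrative."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample deny list. A real deployment would load a large list of
# common and breached passwords (many thousands of entries) instead.
COMMON_PASSWORDS = frozenset({
    "password", "passw0rd", "123456", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "monkey", "dragon",
})


def legacy_complexity_ok(password: str) -> bool:
    """Classic '8+ chars with upper, lower, digit and symbol' rule, kept only to
    contrast with the policy below. 'Password1!' satisfies it, which is the problem."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def normalise(password: str) -> str:
    """Reduce a password to the form attacker wordlists are keyed on: lowercase,
    trailing digits/punctuation removed, common substitutions undone.
    'P@ssw0rd1!' -> 'password', so deny-list matching is not fooled by decoration."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)                 # drop the '1!' / '2024' tail
    return p.translate(str.maketrans("@0135$", "aoiess"))


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # length, not character classes, is the main control
    max_length: int = 128         # generous cap so passphrases and managers work
    deny_list: frozenset[str] = COMMON_PASSWORDS

    def check(self, password: str, username: str = "",
              org_terms: tuple[str, ...] = ()) -> list[str]:
        """Return human-readable problems; an empty list means the password is accepted.
        Rules are few and consistent so users can learn them once and apply them everywhere."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"too short: use at least {self.min_length} characters "
                            "(three random words works well)")
        elif len(password) > self.max_length:
            problems.append(f"too long: use at most {self.max_length} characters")
        if normalise(password) in self.deny_list:
            problems.append("too common: appears on the deny list of well-known passwords")
        lowered = password.lower()
        if username and username.lower() in lowered:
            problems.append("contains your username")
        for term in org_terms:               # e.g. company name, product names
            if term.lower() in lowered:
                problems.append(f"contains the predictable term '{term}'")
        return problems


def reset_required(days_since_set: int, compromise_suspected: bool,
                   max_age_days: int | None = None) -> bool:
    """Decide whether to force a password change. With max_age_days=None (the
    recommended setting) only a suspected compromise triggers a reset; routine
    expiry, which pushes users towards weak, predictable variants, is switched off."""
    if compromise_suspected:
        return True
    return max_age_days is not None and days_since_set > max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Password1!", "correct horse battery staple", "AcmeWelcome2024"):
        print(f"{candidate!r}: legacy rule says {legacy_complexity_ok(candidate)}, "
              f"policy problems: {policy.check(candidate, username='alice', org_terms=('Acme',))}")
    print("reset after 400 days, no compromise:", reset_required(400, False))
    print("reset after 1 day, compromise suspected:", reset_required(1, True))
```

Running the block shows the point the speakers made: ‘Password1!’ passes the legacy complexity rule but is rejected here as both too short and a well-known password once its decoration is stripped, while a long passphrase with no digits or symbols fails the legacy rule yet is accepted. The deny list and the predictable-term list are the places to invest effort; adding more character-class rules is not.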
Other good practices and resources
The webinar touched on a range of other good practices, including the benefits of Virtual Private Networks (VPNs), the importance of encryption and the role of monitoring in a hybrid environment. The NCSC also highlighted a variety of its good practice resources, including the Cyber Aware campaign, guides for remote working and mobile devices, online staff training resources and Exercise in a Box, which helps organisations test their cyber resilience.