In the new normal, we need to make the most of every defence we have
“OK, hit me with it,” says Chief Technology Officer Xu Parker to his CISO, Jeff Jones.
Jeff has had ample time to prepare for the Zoom meeting. He’s ready for the question. He purses his lips.
“On the whole, it’s pretty good news.”
“Don’t sugar coat it,” says Parker. “Tell it straight.”
“Well,” Jeff continues, “as we all know, criminals are bombarding our people with phishing emails. It’s nasty stuff. Promises of COVID cures. Contact tracing warnings.
But we’re really weathering the storm. Our anti-phishing tech picks up almost all the emails before they hit inboxes. So there is more risk. But so far, so good.”
Parker – and all others on the call – are impressed. They praise the anti-phishing tech.
Then someone shrewd chimes in.
“You say the tech prevents ‘almost all’ the threats.”
There’s a pause. People lean in.
“I’m just wondering… Well, what happens to the threats the tech doesn’t stop?”
Anti-phishing needs a hand
Since lockdowns began, daily digital crime has increased by as much as 75%. Phishing emails are the primary attack vector. So when Microsoft research asked security teams to “identify their best pre-pandemic security investment”, it’s hardly surprising that anti-phishing technology came out on top. Anti-phishing tech is an essential security layer. But it isn’t foolproof. Anti-phishing tech misses some threats. When it does, another cyber defence keeps us safe. The defence is, of course, our people; our greatest cyber defence.
People stop phishing threats
If there’s any doubt that people are a cyber defence, look at what happened in April 2020. The NCSC called on people to report suspicious emails. Within two months, people had reported 1 million messages. That’s 16,500 reports a day. Post-pandemic, we can’t overlook the power of people to stop breaches. Unfortunately, recent research suggests that’s exactly what’s happening.
Why security education is dead
Why is it that, post-pandemic, security professionals are significantly more likely to invest in security tech than they are security ”education”? We can’t say for sure. But if we had to guess, we’d say it’s because security education has become largely ineffective since so many people began working from home. You can’t force remote people to take security training, or stare at posters, or leave desk-drops on their kitchen tables. So why waste your time and money with security “education”? Still, the fact remains:
Empowered people prevent breaches. We need people to keep networks secure. With security training suddenly unfit for purpose, how can we promote secure behaviours?
A new security awareness model
The solution, we believe, is borderless security awareness. Borderless security awareness is an approach. It’s a mindset. It’s about helping people wherever they are, whenever they need help. It’s not tick-box training. With borderless, people simply get useful, on-demand security help and support. A salesperson in Hong Kong gets a suspicious email. They access the advice they need on how to report it. A team leader in Wales gets a new broadband router. They get the support they need to set it up securely. Borderless security awareness works because it’s useful. It’s behaviour-driven. It’s measurable. It’s value is provable.
Technology, processes, people
Don’t get us wrong. Technology prevents breaches. Sound processes prevent breaches, too. But people are still our last line of defence. They were before the pandemic. And they maintain the position. It’s wise to move away from mandatory, compliance-based security awareness training. People deserve – and need – more support than that. Post-pandemic, cyber crime is rife. In the new normal, we need to make the most of every defence we have.