In March 2020, millions of people around the world were forced to work from home virtually overnight. This posed significant challenges to IT teams. Working under intense time pressure, they not only had to ensure that their employees had a stable workspace, but also that they could work securely. The latter is easier to achieve in a corporate environment that has its own network or data centre than in home offices that lack any form of control. In the best-case scenario, people work at home using a laptop provided by the organisation that is equipped with the latest security software and encryption features. But even then, data security and compliance are not necessarily guaranteed. Security and security awareness must be on the agenda permanently. This involves both technical and organisational aspects.
Cybercrime is becoming more sophisticated
The technical aspect is relatively well secured at most organisations. For example, they might use multi-factor authentication (MFA) via text message, email or authentication apps to provide access to cloud applications. MFA is becoming increasingly common for logging into corporate systems. This also means that cybercriminals are looking for loopholes in this technology.
One example is SIM swapping, where criminals use social engineering to get hold of other people’s SIM cards and intercept text message codes for MFA. The technique is used in particular to empty bitcoin accounts. This type of fraud once again underlines how cybercrime keeps up with the development of security tools. It shows that even a method that is considered safe, like text message verification, is not always watertight. This is one reason why security specialists recommend the use of authentication apps that offer a time- and device-bound code.
The importance of awareness
MFA is only one of the many technical means of securing data and applications, and every organisation and company must keep looking for the best solutions to protect their data. This is as true for a small SME as it is for a multinational.
But technology alone is not enough; security awareness is just as important. Every organisation must work on raising awareness. Random tests by security consultancies repeatedly show that there is a high risk that someone will click on a dubious link or open an infected file.
In addition, the use of strong passwords or the proper management of administrator accounts is far from being the norm everywhere. Just recently, it was reported that a Dutch municipality had secured its entire IT environment with the password ‘Welkom2020’. The result: 89 of the municipality’s 124 servers were wiped and five were encrypted, including a backup server.
Combination of people and technology
The best security is ultimately a combination of people and technology. The ultimate goal of every awareness programme is a change in behaviour when dealing with technology. This is about skills and knowledge.
Skills relate to the simple question of whether an employee is alert enough to recognise a phishing email or a suspicious file. Such skills can be taught well with a solid awareness programme. Knowledge is about employees’ broader understanding that they work with company data and therefore have a responsibility towards the organisation, one that they also accept.
After all, a breach can have enormous financial and organisational consequences. Building awareness is not a one-off activity: it requires a continuous investment in time and resources. But it is the only way to keep working safely.