If there’s one positive from the news stories of cyber attacks targeted at the UK in recent years, it’s that as a nation we’re much more astute when it comes to recognising the dangers. Another is that our businesses, government departments, charities and institutions are finally waking up to the risks posed by cyber criminals.
Britain’s workforce is much more aware of phishing attempts and cyber attacks than they were pre-Covid, partly thanks to the increased media attention from the mainstream press, specialist trade publications, television and radio. Three years post-Covid, the landscape of end user cyber security best practices continues to evolve in response to the persistent trend of remote work. With the widespread adoption of flexible work arrangements, ensuring the security of end user devices and data has become a top priority. Organisations are increasingly implementing and refining strategies to address the unique challenges posed by remote work environments.
One of the key messages that’s been repeated in the news, and by cyber security observers and commentators, is that it’s now not a case of if but when an organisation will be the victim of a cyber attack. Sometimes it will be obvious because the adversary will demand a ransom fee but occasionally the organisation won’t even know they’ve been infiltrated, perhaps because a state-sponsored group has quietly stolen their data.
This important message has been accepted and understood by many company boards and key decision makers. Gradually, more executive teams are taking action. Everyone is vulnerable but everyone can take positive action to protect themselves and to prepare to respond in case they are compromised.
Testing, training and education
Increasingly, companies are training their employees on phishing attacks and regularly testing their ability to spot malicious messages and raise the alarm. This should be standard practice, and ongoing cyber security training for remote employees is essential. This includes awareness programmes on phishing attacks, social engineering tactics, and other cyber threats to enhance the human firewall. According to the latest Microsoft Digital Defense Report, phishing attempts made up 25% of all cyber-attacks between July 2022 and June 2023. Employees can be the first defence against such threats.
While the old style of security involved building a strong, high fence around the organisation’s assets and assuming nothing gets through, this method is now out of date. As the IT estate has become so large, varied and complex, with employees using smartphones, apps, hybrid cloud platforms and more, the best approach today is to monitor all assets regularly and assume that cybercriminals still get through. This may make it seem as though an organisation isn’t trusting its defences, so why bother investing in them in the first place? But as cyber-threats have become increasingly sophisticated and more prevalent, no-one can guarantee their fences are totally effective all of the time – hence the belief in ‘not if but when’.
The zero-trust model, which assumes no implicit trust and verifies everyone, has gained prominence. Continuous verification of user identity, device health, and other contextual factors is crucial when employees are dispersed and working remotely. This is why many organisations are implementing the three principles of zero trust:
- Verify explicitly: always authenticate and authorise everything
- Use least-privileged access: limit user access with just-in-time and just-enough-access to tighten data security
- Assume breach: compartmentalise infrastructure to minimise any damage, verify end-to-end encryption and use analytics to detect any threats and strengthen defences.
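To show how the three principles combine in a single access decision, here is an added example (not from the original article or from any vendor's product) of a minimal policy decision function. The user, resource and segment names, the signal fields and the rule that a caller may only reach resources in its own segment are all simplifying assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """Just-in-time, just-enough access: one action on one resource, until expiry."""
    user: str
    resource: str
    action: str
    expires: datetime

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool        # identity signal
    device_compliant: bool  # device-health signal
    source_segment: str     # compartment the caller sits in
    resource_segment: str   # compartment holding the resource
    resource: str
    action: str
    at: datetime

def decide(req, grants, audit_log):
    """Evaluate every request from scratch; return (allowed, reason)."""
    has_grant = any(
        g.user == req.user and g.resource == req.resource
        and g.action == req.action and req.at < g.expires
        for g in grants
    )
    if not req.mfa_passed:                            # verify explicitly
        verdict = (False, "identity not verified")
    elif not req.device_compliant:
        verdict = (False, "device not compliant")
    elif req.source_segment != req.resource_segment:  # assume breach
        verdict = (False, "cross-segment access blocked")
    elif not has_grant:                               # least privilege
        verdict = (False, "no active grant")
    else:
        verdict = (True, "allowed")
    # Every decision, allowed or denied, is recorded for later analytics.
    audit_log.append((req.at, req.user, req.resource, req.action, *verdict))
    return verdict

# Constructed sample data (hypothetical user, resource and segment names).
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "payroll-db", "read", NOW + timedelta(hours=1))]
BASE = Request("alice", True, True, "finance", "finance", "payroll-db", "read", NOW)
```

The same user is refused as soon as the device falls out of compliance, the grant expires, the action exceeds the grant or the request arrives from another segment, which is the practical difference from a perimeter model that trusts anything already inside.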
Creating a cyber security culture
While these are all solid tactics to help reduce the chances of a successful attack, some organisations are going much further. They are taking a strategic approach by creating a culture of cyber security awareness from the top down. This, of course, can mean different things in different workplaces but it does mean that everyone has a responsibility to protect their employer’s assets, including its data, its customers’ data and their own.
Going forward, we can expect more organisations to at least attempt to embed a cyber security culture and the principles of zero-trust. Most are already placing greater emphasis on compulsory security training.
However, the recent advances in artificial intelligence (AI) will likely be very disruptive. Generative AI tools now make it easy for almost anyone to craft fake emails, voice messages and videos. This will make it significantly more difficult for employees to tell what’s genuine and what’s fake. This is already a well-known problem, of course, and one that could affect everybody. The good news is that when such a problem exists, tech companies start working on solutions. So we could soon see AI safety tools emerge that companies may use to counter the spread of fake messages. This could be a trend to watch out for in 2024.
A shift in the traditional cyber security paradigm
Looking forward, the evolution of end user cyber security best practices will likely involve further advancements in artificial intelligence (AI) and machine learning (ML) for threat detection, increased integration of automation in incident response, and the development of more adaptive and context-aware security solutions. Additionally, a continued emphasis on user-centric security measures and a proactive approach to staying ahead of emerging threats will be crucial in the ever-changing cyber security landscape shaped by the realities of remote work. Regular reassessment of security policies and technologies will remain essential to ensure organisations are well-prepared to address evolving cyber risks.
These overlap with the key aspects being discussed around the concept of ‘identity as the new perimeter’, which reflects a shift in the traditional cyber security paradigm. Traditionally, organisations relied on a strong network perimeter to protect their systems and data. However, with the evolution of technology, the rise of remote work, and the increasing sophistication of cyber threats, the focus has shifted towards securing the identities of users and devices as the primary defence against unauthorised access.
By placing a strong emphasis on identity as the new perimeter, organisations aim to create a more resilient and adaptive security posture that can effectively address the evolving nature of cyber threats in a digital and interconnected world. So, while cyber-attacks are increasingly common, organisations are certainly moving in the right direction when it comes to cyber security. Now’s the time to move faster.
Scott Burman is head of advisory at Quorum Cyber