There’s good reason for appreciating the strides made towards a more security-aware workforce than perhaps any other time in history. Along with the shift to Microsoft’s Modern Workplace by a significant proportion of our customers – and the market at large – we’re seeing folks raising astute security questions and checking out the available options. For security practitioners, this is enormously satisfying, because the largest player in protecting information isn’t technology, or even process. It’s the people, it’s the people, it’s the people: He tāngata, he tāngata, he tāngata.
And those people are demonstrating far greater awareness of and interest in security, including the different attack vectors and methods. There is also a general sense of security being a responsibility for everyone in the business, while organisations are making positive moves by focusing on staff training as a primary method of defence. That’s laudable.
I’d credit the New Zealand Government for at least part of this awareness, with campaigns running over several years helping drive the message home. Of course, there is also the point that if you are on a computer or mobile, security awareness should be a core component of using the device in the first place – but as we know, this isn’t always the case.
But complacency is a killer. That’s because hackers are motivated by money and for many, this is a full-time job working for ‘the man’. And in this case, ‘the man’ has none of the ethics, regulations, or oversight with which legitimate businesses comply.
What this means in practice is more attacks, both indiscriminate ‘spray and pray’ attacks (hitting as many potential targets as possible in the hope that one or two will come back compromised) and more sophisticated targeted attacks (among which is ‘spear-phishing’).
Serverless and mobile
These days, organisations across New Zealand and the world are moving confidently into the serverless environment. Microsoft 365 is at the forefront, providing a full range of productivity and collaboration solutions which let you work using any device you like, wherever you are.
What it also provides is built-in security technology. This is incredibly effective because it not only saves cost and effort in securing your data, but it also means there’s no need for third-party vendors (especially for the small to medium businesses which characterise the vast bulk of Kiwi companies).
However, in this environment, where personal devices are used to access work files, keep your guard up. Everyone in your organisation must remain conscious of the possibility of attack at all times.
Powered by people
This is an area we’ve long stressed as crucial. Most attacks focus on people; social engineering is recognised as a far simpler and often more effective method of identity compromise than even relatively simple technological methods. Why brute-force a password, in other words, when you can just phone Jim in sales, claim to be IT support, and have him hand over his details?
This is why I’m thrilled at the growing interest in regular staff training. The threat landscape changes constantly, so in addition to appropriate configuration of your Modern Workplace environment, keeping your people up to date is one of the most effective methods for enduring security.
Just a quick word on the training we provide. By including simulated attacks, we’re able to show individual users what they did wrong and what they should have done, and to follow up with a short video outlining not just the ‘what’ of proper actions, but also the ‘why’. Knowing the ‘why’ is crucial – or it’s just another meaningless rule.
Finally, to reiterate, with information security, your weakest point is always your people. Hackers know it, so when you invest in your people, you’re getting ahead of them. Review your security posture regularly (monthly or quarterly), include security training for employee induction, and remember that training isn’t a once-off, but an ongoing process which makes your people the first and last line of defence.