Organizations face a fast-evolving threat landscape... and those in the UAE are no exception. Where cybercriminals once focused their attention on our networks and infrastructure, it is now increasingly our people who are coming under attack.
Over 80 per cent of organizations in the UAE reported at least one cyber attack in 2019, with over half reporting multiple incidents. Credential theft and phishing topped the list of common modus operandi.
Whether via malicious links, account compromise, or social engineering, threat actors are turning their attention to what, for many organizations, is the last line of defence. A last line that is often ill-prepared – its people.
Despite the growing frequency of attacks and increasing board-level awareness of common threats, many are still failing to implement effective cyber defence strategies. Training is often inadequate and end-user awareness often poor.
A new approach is required. One that puts people at the heart of cyber defence – ensuring employees are not just able to spot and deter attacks, but are acutely aware of their role in keeping organizations safe.
Shift to active defence
People-focused cyber attacks call for a people-focused cyber defence. It is not enough to know that cybercriminals are increasingly using compromised credentials to access email accounts, sensitive information, and corporate systems. Or that these credentials are most often phished via email. We must understand why so many attacks see success.
It is your people who hold the answer – from the C-suite to the end-user.
That almost one in four people admit to opening phishing emails should be of grave concern to both CSOs and CEOs. That 10 per cent admit to clicking on malicious links contained within is nothing short of alarming.
A gap in awareness
This people-shaped gap in many cyber defences stems from a lack of awareness and education. Something many organizations are still failing to address.
Despite much evidence to the contrary, only 39 per cent of CSOs and CISOs in the UAE believe their employees make their business vulnerable to successful attack. This, unfortunately, is a sentiment reflected in many cybersecurity training programmes.
In most cases, best practice training takes place just twice a year, with only around one-fifth of UAE organizations conducting training more than three times annually. We cannot expect employees to understand the motives and methods of common threats with so little education – let alone expect them to understand their role in detecting and deterring such attacks.
Inadequate training programmes remain commonplace despite just 21 per cent of CSOs strongly believing their organization to be prepared for a cyber attack. This is symptomatic of a larger problem – lack of buy-in at board level.
Still can’t get it
Less than a quarter of CSOs believe that cybersecurity is a board-level concern – with 31 per cent citing a lack of buy-in as a major obstacle to implementing cybersecurity measures.
This mindset has to change... and fast. Cyber defence was traditionally viewed as a concern for security teams alone. And perhaps, when attacks were primarily focused on networks and infrastructure, it once was. But this is certainly no longer the case.
Human error is now seen as the primary gateway into our organizations. Employees at all levels, across all departments, can put your business at risk. To build a robust defence, we must raise awareness of common threats and educate users on how their actions can be the difference between an attempted attack and severe financial consequences.
Keep an eye on loss estimates
The World Economic Forum estimates that between 2019 and 2023, $5.2 trillion in global value will be at risk from malicious actors. FBI estimates, meanwhile, put worldwide losses as a result of BEC alone at $1.7 billion last year. The stakes have never been higher. Our training programmes must reflect that.
Whether facing impostors posing as colleagues or ever more convincing phishing attempts, end-users are increasingly tasked with detecting and deterring cyber attacks. We must, therefore, place these users at the heart of any successful cyber defence.
Technical solutions and controls, while important, are just one aspect of a broad and deep defence. The cornerstone is regular, comprehensive, and adaptive employee training.
This training must go beyond the methods and motivations of a cyber attack. It must instil in all employees a detailed understanding of their role in protecting our organizations. Employees at all levels must understand how simple behaviours – password reuse and mishandling of data – can have significant, far-reaching consequences.
The goal is to create a culture of best practice and accountability. A culture in which cyber defence is everyone’s responsibility – regardless of department or job level.
Cyber criminals attack our people, believing them to be the weakest link. It is up to all of us to ensure this is not the case.
- Emile Abou Saleh is Regional Director at Proofpoint.