Arctic Wolf’s Nick Dyer on the importance of employee empowerment when it comes to cybersecurity.
The cybersecurity landscape is constantly changing.
Traditional attacks such as phishing and ransomware are evolving thanks to advanced technologies, including artificial intelligence (AI), which makes deepfakes easier to craft and more convincing, while the prospect of quantum computing looms over today’s encryption standards.
Against the backdrop of mass digitalisation and tech innovation, cybersecurity has become a whole-of-organisation concern, with cyber resilience gradually becoming a core responsibility of every employee.
However, in order to ensure that this resilience is up to par, organisations will need to focus on building a security culture to match.
“Organisations of all sizes face a continuously evolving field of cybersecurity threats. And to the C-suite, cyber risk is a business risk,” says Nick Dyer, Arctic Wolf’s sales engineering director for the UK and Ireland. “Therefore, successful cybersecurity leaders work on fostering a strong security culture – both in the boardroom, as well as on the shop floor – to ensure all employees are engaged, enabled and empowered to be part of protecting the organisation.”
The human factor
But while Dyer emphasises that cyber risk is a business risk, he says that in some organisations cybersecurity is disconnected from the rest of the business. Outside of IT, he says, it is often seen as a technical issue, rather than a business risk.
“For employees, this translates into lack of consistent training and awareness of the threat landscape, a veil of complacency which leads to falling victim to common phishing attacks, a lack of clear communications and procedures should the worst happen, and insufficient capability to respond quickly,” he explains.
Dyer says that employees are often the entry point a threat actor relies on to land a cyberattack, and an unprepared workforce could incur significant financial losses for an organisation through data breaches, operational disruptions or ransomware.
“Uneducated employees are the target for social engineering attacks or email phishing scams in which many of these threats commence,” he says. “Threat actors are clever in their approach, and evolving their tactics using Teams-based phishing, or even AI-generated voice note/videocall phishing.
“Without continually educating the user on the evolving threats, it leads to a significantly increased vulnerability in the human firewall of the organisation.”
Be clear, with no fear
According to Dyer, a vital part of building a strong cybersecurity culture is fostering an environment which “empowers employees to raise concerns without fear of retaliation”.
“Start with defining clear channels of communication and reporting,” he says. “Dedicated email addresses, Teams channels and whistleblower hotlines allow employees to communicate suspicious behaviour.
“These should be confidential, discreet, but also without fear of being reprimanded. These channels should be staffed and circulated with key cyber, IT and business leaders to ensure all areas of the organisation are aware of the potential threat being faced.
“Employees should feel empowered to report anything suspicious, even if they are unsure whether they are legitimate.”
Employees should also be involved continuously. Dyer says security leaders should be present during team meetings and should communicate what risks have been caught, avoided or what has been seen in the organisation’s specific sector.
Another significant component of solidifying this culture lies with regularly communicating the importance of each employee’s role in protecting the business.
“Overcommunicate during all-hands, departmental or team stand-up calls the risk of cybersecurity and what everyone’s roles can be,” advises Dyer. “Employees wish to be good custodians of the organisation if empowered in the right way. This can be done via training and strong responsiveness to issues reported.”
Training is especially vital as the threat landscape continues to evolve, because employees need to be made aware of the more advanced cyberthreats now in use.
“Employees need to understand that deepfakes exist – and how convincingly they can mimic real people both visually and audibly. They should be taught to scrutinise requests that seem unusual or out of character, especially those that involve sensitive data or urgent requests for action,” stresses Dyer. “Employees should know how to verify the identity of someone making a request. This might involve directly contacting the sender (phone call is always best) and having defined phrases or safe words to verify the request is legitimate.”
And where an employee is still unsure whether such a request is legitimate, Dyer reiterates the importance of an environment that encourages them to report potential threats.
“Regularly reinforcing these practices and keeping employees updated on the latest social engineering tactics will strengthen the organisation’s overall defence against sophisticated attacks.”