Cyber safety at work

According to the Digital Trust Report 2020, digital activity underpinned 22% of Australia's economy in 2019–20, indirectly contributing $AUD 1.1 trillion and over 2 million jobs. While technology has propelled businesses forward, it has also come with increased vulnerabilities.
Since COVID-19, an increasing number of businesses have adopted remote work. The growth of cloud services and collaborative software, together with the embrace of hybrid work, has broadened cyber-attack surfaces and decreased visibility of security breaches.
For many enterprises, the weakest link in their cyber armour isn't technological—it's their workforce.
Work from home & cyber security
The past few years have seen a monumental shift in how businesses operate:
- Work from home: Remote work has skyrocketed, making it critical for companies to safeguard data across varied networks. As many teams oscillate between home and office environments, maintaining a consistent security protocol is more challenging than ever.
- Cloud-based solutions: The business world's increased reliance on cloud solutions offers flexibility but opens the door to new vulnerabilities. Many third-party tools share a single sign-on authentication method, so one exploited login can multiply the number of affected services.
- Mobile endpoints: With an uptick in employees using mobile devices and personal computers for work, ensuring security across all endpoints becomes paramount.
Accessing critical business systems remotely and storing sensitive data offsite is now commonplace. Keeping access to these systems secure while also allowing day-to-day business to operate is why there is an ever-increasing investment in cyber-security infrastructure and processes across all sectors.
More often than not, human behaviour contributes to points of weakness in otherwise secure systems. In addition to cyber security awareness training programs and security monitoring tools, it's essential to ensure employees can speak up when they have found an issue or fallen victim to a phishing exploit.
Types of cyber security threats
Understanding the diverse range of cyber threats is vital for businesses to establish effective defensive measures. Here is a breakdown of some of the prominent cyber attack methods:
1. Phishing
Phishing emails aim to extract sensitive information by masquerading as trustworthy entities. Examples include fake communications from banks, credit card providers, delivery firms, and law enforcement. These emails are sent en masse, hoping to target a percentage of recipients who might be users of these services. Phishing attacks often ask users to enter or change their password and employ elaborate brand impersonation and technological tricks to mimic the company's website design.
2. Spear phishing
More targeted than general phishing, spear phishing involves closely studying organisations and employees, often sourcing data from social media or public company information. These emails are directed at specific individuals and often include personalised information, increasing their appearance of legitimacy.
3. Executive impersonation
This sophisticated method typically targets administrators and high-level executives. The goal is usually to divert funds or acquire confidential data. These attacks are characterised by deep personalisation and detailed knowledge about the executive or the business. Such emails may demand urgent payments for third-party services or products, login information or other confidential data.
4. Social engineering
Beyond digital deceit, social engineering involves psychological tricks to get people to reveal confidential data or grant access to resources. Attackers may gather information from social media platforms like LinkedIn or Facebook, which can offer insights about individuals, their professional connections, and even ongoing business activities.
Awareness of these threats, paired with rigorous training and protective measures, is the first step to fortifying a business's cyber defences.
How to reduce cyber security risk
While many technical measures are essential for reducing your attack surface and technical security vulnerabilities, it's equally crucial to consider the human elements. People play a pivotal role in an organisation's defence against cyber threats, and their behaviour, training, and awareness can make the difference between a secure environment and a vulnerable one. This section covers the human defences against cybersecurity threats, emphasising the importance of regular training, robust policy-making, and anonymous reporting.
Employee training
The most common way hackers gain access to a database is through phishing emails sent to employees. Billions of phishing emails are sent worldwide daily, often containing malware or deceitful requests.
Without proper cybersecurity awareness training, employees might inadvertently expose sensitive data. Training sessions should familiarise staff with the most common types of cybersecurity attacks and how to avoid them. Scrutinising email addresses, verifying link destinations, and being cautious about sharing sensitive information, especially with third-party vendors, are critical to maintaining security.
Cyber security policy
An organisation's cyber security strength is rooted in policies that guide behaviour and response. Proper guidelines for data breach prevention, detection, and response are crucial. It's essential to review and adapt policies regularly to ensure they're current and effective. Guidelines for a comprehensive cybersecurity policy should include the following:
- Testing: Setting standards for regular cybersecurity evaluations helps to identify vulnerabilities. These assessments can range from vulnerability scanning to penetration testing or ethical hacking.
- Recovery: A blueprint for action in the event of a breach, aiming to minimise downtime and resume operations promptly.
- Access control/management: Clearly defining who has access to specific data and under what conditions information can be shared is essential to prevent unauthorised or accidental exposure.
- Incident response plan: A step-by-step guide for when breaches occur, outlining the roles of key players and procedures to minimise damage and recovery time.
Anonymous reporting channel
Fortifying cybersecurity involves providing employees with an anonymous channel to report breaches, mistakes, or suspicious activity. Ensuring anonymity fosters an environment of trust, allowing for quick identification of potential issues without fear of reprisal.
Establishing such a channel through a secure online portal, a hotline, or another means promotes a culture of shared responsibility and cyber security resilience. But it's not just about having the tool; promoting its existence, educating employees on its use, and assuring them of confidentiality are equally crucial.
Protect your business from cyber threats with Elker
Elker is an anonymous reporting platform for employees to report a data breach, security concern or raise the alarm on unethical or illegal practices without fear of retribution. Early visibility into vulnerabilities or mistakes is crucial. Elker facilitates this by offering a whistleblowing channel for early disclosure, helping to prevent minor oversights from escalating into major financial and reputational damages.
Whistleblowing can be a daunting prospect for many employees due to concerns about repercussions. Elker addresses this by allowing users the option to remain anonymous or keep their reports confidential, thereby reducing barriers to reporting. Adhering to ISO 27001 typologies, Elker prioritises user privacy and security, ensuring a safe disclosure process.
Elker also offers a unique survey tool for businesses. With it, companies can assess cyber security awareness in the workplace culture. This tool helps find out where the risks are and shows where more training is needed. It's a simple way to make sure everyone is up to speed on security.
As part of an effective incident response plan, Elker stands as one safeguard companies should implement to mitigate risks and take a proactive approach to minimising cyber threats.
How we can help

Speaking up
Ensure no one feels fearful of speaking up about vulnerabilities or security exploits with anonymous reporting channels.

Anonymous reporting
Provide a safe place to be notified of fears about phishing, access control and other vulnerabilities.

Strategise
Optimise your cyber incident response plan, and minimise clean-up costs.