Cyber-smart training with UKFast’s Head of Security

21 October 2020 by Yasmin Duggal

Many of us would like to think that we’re cyber-smart – that we wouldn’t open a spam email, be fooled by a spoof request, or click a malicious link. But consider that, in the last 12 months, only 18% of businesses have implemented additional training or communications since their most disruptive data breach, and only 12% in cases where the breach had material outcomes. Failing to equip staff with basic cybersecurity knowledge undermines data security, and the risk of employee error is much higher when it is not treated as a serious matter.

So, is your business doing enough to combat the risk of human error as part of its cybersecurity strategy?  

In line with European Cybersecurity Month and its #ThinkB4UClick campaign, we caught up with UKFast’s Head of Security and Compliance, Stephen Crow, on why internal employee training is so vital in the fight against cybercriminals. 

From your experience as a cybersecurity professional, how can businesses make employees aware of their individual responsibility as part of a wider cybersecurity strategy? 


Stephen Crow, UKFast Head of Security and Compliance

It’s important employees are educated in the correct way so that they see information security as part of their role, not something they’re forced to do. When it comes to user awareness, a lot of businesses implement annual training which is not overly effective. To ensure everyone is aware of their responsibilities, little and often bitesize training exercises should be delivered as a constant reminder to employees of their role. This can be in the form of bulletins, posters, and shorter 15-minute training slots on specific topics. By constantly reiterating the message, it will become part of day-to-day functionality for employees.

Only 31% of businesses are aware of the Government’s Cyber Aware campaign according to the Cyber Security Breaches Survey 2020. What do you think could be improved to make businesses more aware of the importance of staying cyber-smart?  

The National Cyber Security Centre (NCSC) has some amazing resources that both businesses and individuals can learn from to improve their understanding of security breaches. Management teams need to be encouraging ongoing learning to keep their employees up to date on the changes in the industry. In this day and age, it’s not acceptable for business owners and IT professionals to have poor awareness of the basic cybersecurity principles, and there’s no easier way to learn and keep up to date than using the NCSC’s platform.

What sorts of cybersecurity training do you employ at UKFast? 

The type of training we deliver is ever changing; training needs to be kept exciting and varied from the standard PowerPoint-delivered presentations. Here are some examples of the type of awareness training you can use:

  • Phishing quizzes: Employees must study a selection of emails to identify as genuine or malicious based on their attachments, source address, use of formatting etc.
  • Phishing simulations: Use a platform to send emails to your employees and see who opens them, submits details, downloads attachments and, most importantly, reports them. 
  • Monthly updates: Report and feed back on changes in the cyber-threat landscape with some real-world examples for your employees to look out for.

Why is phishing something you focus so heavily on?

There are countless statistics on the dangers of phishing emails and how they’re always at the start of an attack chain. They’re the easiest way for an attacker to introduce malware or harvest user credentials. As email is such a popular and accepted form of professional communication, with users receiving hundreds of emails a day, it’s no wonder that attackers try and exploit this communication path.

What do people typically fall for and what is your team’s response when people fall victim to phishing scams? 

During testing, employees are most susceptible to emails that: 

  • Come from a c-level member of staff and are sent with urgency or high importance  
  • Are topical – there has been a massive rise in phishing emails relating to Covid-19  
  • Mirror company systems (with some simple open source intelligence, an attacker can target phishing emails to include specific logos, colour schemes and links to company-type domains)

It’s important for your employees to know that they won’t get in trouble for reporting that they have opened a phishing link or downloaded an attachment. It’s crucial for employees to report the incident immediately; this way accounts can be disabled, and devices can be quarantined and removed from the network to avoid any further compromise. It also helps to have your network configured in a way that doesn’t allow lateral movement from machine to machine, to have DLP tools in place, and use security tools that will alert when login attempts come from unusual places.
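As an added illustration of the last point in that answer (alerting on logins from unusual places), here is a minimal per-user baseline check over constructed authentication log lines. It is example code written for this article, not UKFast's tooling; the CSV log format, the user names and the choice of "country" as the location signal are all assumptions.

```python
"""Alert on login attempts from countries a user has not logged in from before.

Added example, not UKFast's own tooling. Each user's baseline is the set of
countries seen in their first N successful logins; every attempt after that,
successful or failed, is flagged if it comes from a country outside the set.
A *successful* login from an unusual country is ranked higher, since that is
what harvested credentials look like once they are used.
"""
from collections import defaultdict

# Constructed sample log (not real data): timestamp,user,result,source_country
SAMPLE_LOG = """\
2020-10-01T08:02:11Z,alice,success,GB
2020-10-01T08:15:40Z,alice,success,GB
2020-10-02T09:01:03Z,bob,success,GB
2020-10-02T09:07:55Z,bob,success,DE
2020-10-03T03:44:12Z,alice,failure,RU
2020-10-03T03:44:30Z,alice,success,RU
2020-10-03T10:12:00Z,bob,success,DE
"""


def parse_log(text):
    """Yield (timestamp, user, result, country) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, result, country = line.strip().split(",")
            yield ts, user, result, country


def unusual_logins(text, baseline_logins=2):
    """Return alert dicts for attempts outside each user's country baseline."""
    known = defaultdict(set)      # user -> countries in the baseline
    learned = defaultdict(int)    # user -> successful logins used for baseline
    alerts = []
    for ts, user, result, country in parse_log(text):
        if learned[user] < baseline_logins:
            # Still learning: only successful logins extend the baseline.
            if result == "success":
                known[user].add(country)
                learned[user] += 1
            continue
        if country not in known[user]:
            alerts.append({
                "time": ts, "user": user, "result": result, "country": country,
                "known": sorted(known[user]),
                "severity": "high" if result == "success" else "medium",
            })
    return alerts
```

Running `unusual_logins(SAMPLE_LOG)` flags only alice's two attempts from RU, the second (a success) as high severity, while bob's DE login matches his baseline and stays quiet.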

What would you advise as the top three cybersecurity priorities for businesses in Q4?

  1. Make sure you are protected before the peak in online sales. With fewer shops open, online sales will be higher this year than ever before. You can’t afford any downtime or loss of sales during this period. Ensure your website and applications are protected from various attack methods such as DDoS attacks.  
  2. Documented and detailed incident response plans – and test them! If the worst happens, it’s imperative that you ensure you can respond to incidents instantly and limit any damage. With many businesses now working remotely long term, methods of communication have changed, which could cause some confusion with employees reporting breaches through the incorrect channels. Make sure all your employees know who to tell and how to contact them. 
  3. Regular backups and testing. Backups are often overlooked when talking about cybersecurity, but they’re one of the best defensive measures a business can put in place to avoid large amounts of downtime if a data breach occurs. When your infrastructure can be restored quickly you can avoid problems such as ransomware if you can locate the point in time when ransomware was installed on your infrastructure. Testing backups regularly will allow you to document how long it takes to restore your business-critical data.

With UKFast’s security as a service platform, it’s straightforward to outsource the response and mitigation of cyber-threats to our security specialists and prevent cyber-attacks and data breaches across your infrastructure.
