Over the past few years, the digital transformation in the country has been remarkable. Through an enabling environment, internet service providers have decreased the coverage gap, ensuring that more South Africans have access to and are able to enjoy the fruits of the internet. Simultaneously, the increase in our digital footprint has also expanded the opportunities for cybercriminals.
By Brian Pinnock
Critical industries and infrastructures have become prime targets of cyberattacks. Attackers can target a nation’s electrical grids, telecommunications, financial services, transportation, healthcare and defence systems through phishing or ransomware attacks.

With the growth of online threats and increased digitalisation of our personal and professional lives, maintaining safe online behaviour is essential for organisations in the defence industry. Cyberattacks have devastating results and can cause significant disruptions to operations, which organisations must do all they can to avoid.
Building a culture of cybersecurity that permeates every layer of the organisation is an important step to push back against cyber threats and ensure companies can work protected.
Cyber threats put security awareness in spotlight
In Mimecast’s State of Email Security 2023 (SOES) report, two-thirds of South African respondents said cyberattacks are growing increasingly sophisticated. Fifty-two percent reported being harmed by a ransomware attack, while 92% said they were targeted by email-based phishing attacks.
In response, organisations are deploying layered security strategies that protect data and communications. Additionally, one of the most important components of any strategy is protecting people and avoiding human risk, which includes offering regular and impactful security awareness training.
Unsurprisingly, 99% of organisations surveyed as part of the SOES report provide some form of cyber awareness training to their employees. By educating employees about different types of cyberattacks and how to avoid them, organisations minimise their human risk profile.
Yet, despite offering training, eight in 10 respondents still believe their company is at risk due to inadvertent leaks by careless or negligent employees.
Why the disparity?
For starters, just because training is being offered doesn’t mean it’s happening on an ongoing basis. Regular training will constantly remind employees of safety best practices, keep cybersecurity top of mind and acquaint them with the latest cyberattack types and techniques. Regular and impactful training is an important step in fostering a cybersecurity culture.
Measuring for success
One aspect of an organisation’s security awareness efforts that is often neglected is measurement. Without measurement, organisations can only hope or assume their awareness training efforts bear fruit.
After all, employees simply going through the motions of the security training programme are unlikely to offer much resistance against cyber threats. What really matters is that the awareness training programme changes behaviour.
And while organisations can certainly augment their human capabilities with security solutions designed to detect and avoid threats – for example, AI-powered security providing contextual warnings to end-users in real-time – nothing can match a cybersecurity culture that permeates the entire organisation. An important step toward establishing an effective security awareness programme is setting top-level goals such as human risk reduction, enhanced workforce behaviour and reputation protection.
When these goals are tied to broader business objectives, security teams are more likely to design and implement security awareness programmes that support business priorities, empower employees and strengthen the organisation’s security fabric.
Building a cybersecurity culture
While every organisation’s needs will be unique, the common qualities of an effective security awareness programme include:
Starting with the basics
Although cyberattacks are growing increasingly sophisticated, it’s important to start with the basics. This includes healthy password hygiene (such as using complex passwords and not relying on single passwords for multiple online accounts), basic device safety (such as never leaving a laptop or computer unlocked and unattended and locking smartphones with passwords) and eliminating physical security mistakes such as leaving passwords stuck to laptops with sticky notes.
Fighting the phish
In the past year, 59% of local organisations that formed part of Mimecast’s SOES study experienced an increase in email-based phishing attacks as the use of email continued to rise. Organisations should train employees to spot and avoid suspicious emails, links and text messages and show examples of emerging threats, such as deepfake audio and videos.
Collaborating carefully
Collaboration tools are indispensable to the hybrid work environments that have become the norm over the past few years. Ninety-three percent of local organisations agree collaboration tools are essential to the well-ordered functioning of the business. However, these tools can also introduce enormous risks. In new research by Mimecast, 93% of South African cybersecurity decision-makers said they have experienced a cyber threat via collaboration tools. And despite 79% saying they had effectively communicated the security vulnerabilities of collaboration tools to employees, 41% of employees claimed they hadn’t received any collaboration tool security training. To close the gap, organisations should provide specific training about the security risks inherent in collaboration tools.
Removing the fear
Companies that utilise emotive topics for the simulated cyberattacks they deploy as part of their training, such as emails about bonuses or salary increases, risk creating barriers to learning among employees. Instead, organisations should remove fear or resistance with simulated phishing tests that are more likely to make employees stop and think, prompting positive actions such as avoiding clicking on risky links and reporting threats to security teams. The focus should be on rewarding safe online behaviour, not tricking or punishing employees.
Brian Pinnock is Vice-President, Sales Engineering at Mimecast
