Werno Gevers, regional manager at Mimecast Middle East, talks about the critical role of employee behaviour with regards to organizational security and puts emphasis on the need for regular, effective and engaging cybersecurity awareness training to help employees avoid some of the common behaviours that could put them and the organizations at risk.
Hybrid work models are here to stay. Thanks to progressive vaccination rollouts, life in countries like UAE and Saudi Arabia have largely returned to normal. But it’s highly unlikely all organisations will ever fully return to pre-pandemic work models where employees were expected to work from an office all the time.
In a recent virtual roundtable discussion with security leaders in the UAE, hosted by Mimecast, participants discussed the impact of hybrid work models on their overall security posture and cyber resilience. According to participants, employees working from home pose security challenges that many organisations are yet to fully understand.
While it is tempting to simply deploy new technologies to keep remote users safe, this can lead to a cluttered security environment that becomes near-impossible to manage effectively. Keeping things simple and working to perfect processes could yield better results in protecting the organisation from the wide array of modern cyber threats.
In the education sector, most places of learning still rely on online learning. Here, the use of virtual private networks (VPNs) with multi-factor authentication helps enable students and teaching staff to connect to online learning securely.
In most cases, however, it is the behaviour of the employees or end-users themselves that pose the greatest risk to an organisation’s overall resilience against cyber threats.
The critical role of employee behaviour
As the last line of organisational defence, employees play an invaluable role in protecting the organisation from attack. The pandemic initiated a stunning rise in the volume and sophistication of cyberattacks, putting employee behaviour front and centre in the fight for greater cyber resilience and security.
In the latest Mimecast State of Email Security report 2021, 39% of organisations in the UAE reported an increase in internal threats or data leaks initiated by compromised, careless or negligent employees.
Half of UAE organisations were also hit by an attack where an infected email attachment spread from one user to other employees, while 43% reported the same for emails infected with malicious URLs. Seventy percent also said they believe there is a risk of an employee making a serious security mistake using their personal email.
Putting the organisation at risk
Organisations in the UAE face particular challenges with employee behaviour. In research conducted in 2020, respondents from the UAE reported the greatest use of company-issued devices for personal activities among all countries surveyed. Nearly nine in 10 (87%) respondents in the UAE said they use their work-issued device for personal activities, against a global average of 73%.
In response, organisations across the region are prioritising cybersecurity awareness training. In fact, all organisations (100%) surveyed for the State of Email Security research conduct some form of cybersecurity training, with nearly half (47%) providing training on at least a monthly basis.
However, organisations should not be lulled into a false sense of security. Awareness training alone cannot protect the organisation from employees engaging in risky behaviour. In the same 2020 study into personal use of work-issued devices, every respondent from the UAE said they were aware that links found in emails, on social media and in websites can infect their devices, and yet 61% said they opened suspicious emails nonetheless.
Organisations need to embark on a continuous process of regular, effective and engaging cybersecurity awareness training to help employees avoid some of the common behaviours that could put them – and the entire organisation – at risk.
Risky behaviour to avoid
Never click on unknown links in emails. Threat actors habitually embed malicious links that could expose the user to malware and other threats. These can easily spread from one user to another and cripple organisational defences.
Never open or share email attachments unless you are 100% sure that you trust the sender, that the sender is not being impersonated and that you are confident that you know the attachment is not malicious.
Don’t use your work device for personal activities. The more a work device is used for non-work activity, the greater the risk that the user unwittingly shares sensitive information, clicks on malicious links, downloads malware or otherwise expose the organisation to cyber threats.
Don’t reuse the same password across multiple accounts. If you log in to your personal email with the same password you use to access work systems, you could inadvertently expose the organisation to a data breach. Use unique passphrases for every service to avoid the risk of having multiple accounts compromised by one successful breach.
Take additional precautions with securing home WiFi networks. Employees are increasingly using their home networks to access work systems, and these networks are often less secure than enterprise networks. Ensure you have adequate security measures in place to protect your personal network.
