Exactly one month today (May 9, 2018) all EU countries will have to comply with the Directive on Security of Network and Information Systems (NIS Directive).
Post-Brexit, it will still apply and so all UK organisations affected — operators of essential services (OES) and digital service providers (DSP) — must make the appropriate technical and organisational measures to secure their network and information systems or risk hefty fines.
There is no doubt that the network and information systems that support business-critical services must be protected. Cyber incidents affecting these systems could cause significant damage to the UK’s infrastructure and economy or result in substantial financial losses. From ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport, the reliability and security of these network and information system are essential to our daily lives.
NIS Directive explained
Numerous cyber security incidents in recent years show all too painfully that these systems are an attractive target for malicious actors and that they are susceptible to disruption through single points of failure. Because of this, the NIS Directive aims to bolster cybersecurity across sectors that rely heavily on information networks and communications technology (ICT). It will apply to OES organisations in the energy, transport, health, water, and digital infrastructure sectors as well as DSPs such as search engines, cloud computing services and online marketplaces.
The NIS directive states that OES organisations and DSP companies will have to take appropriate and proportionate security measures to manage risks to their network and information systems and they will be required to promptly notify serious incidents to the relevant national authority.
Sounds far reaching, complex and expensive, right?
At Cofense, we would argue that the answer doesn’t necessarily rely on a big investment in hardware and fancy equipment. With 91 percent of security hacks starting from a phishing email, an organisation’s cybersecurity strategy is only as strong as its most blasé or uninformed employee. This calls for a shift in the way cybersecurity processes and policies are handled.
A human-first approach
The majority of cyberattacks don’t rely on sophisticated malware or technical vulnerabilities, but rather the psychology and behaviour of people. For all the billions being invested in the latest firewall and anti-virus technology, the reality is that curiosity, habit, and misplaced trust have turned the simple act of sending a phishing email into a global industry worth a reported £70 billion.
When it comes to phishing, cyber defence traditionally focuses on defending the human at the core of the breach. The accepted challenge is to protect the human, who is often seen as the weakest link. Large amounts are spent on building technological moats around people, but phishing emails still get to email inboxes, increasing the risk of attack. So, is investment in layers of preventative technology to combat phishing really the answer—or is there a way to transform employees’ deeply ingrained behaviours from being a point of vulnerability to an effective line of defence? In a human-first approach, employees are empowered to recognise and report phishing scams, making everyone in an organisation part of the compliance process.
From vulnerability (susceptibility) to capability (resiliency)
The first thing to note about a human-first approach is that it’s not about employee awareness, it’s about changing behaviours. If you have ever undertaken the mandatory completion of a company-wide, computer-based training course, then you know how underwhelming and unengaging they can be. Although such programs are good at making employees aware of the problem, will their instincts and emotions be attuned to pick up any cleverly-masked warning signs when they least expect it?
Training or presentations on what phishing attacks are, and how to prevent them, are simply not enough. According to the latest Cofense Susceptibility and Resiliency report – which analysed phishing and employee behaviours from a varied number of industries globally – energy, manufacturing and public institutions reported the highest susceptibility rate. In the light of the upcoming regulation, users must learn to recognise phishing indicators and report emails right away for a successful security strategy.
Employees are smart and perfectly capable of adapting to new behaviours — think of looking both ways before crossing the street or chewing food with your mouth closed. The ability to learn an automatic, subconscious response permeates and facilitates our lives. Our behaviour towards cyber threats ought to be no different. Phishing is the number one attack vector today because it works by manipulating the trust we place in our emotions, especially curiosity, fear and urgency. Reconditioning thinking to change our behavioural response to our emotional instincts requires a completely immersive and engaging education. Only when users train routinely and remain engaged do anti-phishing programs become proactive and more effective.
Employees will be your insurance policy
Conditioning workers to recognise and report phishing scams with an immersive approached, one embedded in their everyday work, turns employees into a strong line of defence. On average, we have found that after just four simulations the percentage of employees that are repeat victims is close to zero, susceptibility rates decline by over 80 percent and, most importantly, accurate reporting of such emails by employees increases significantly.
This is all great news if you’re responsible for compliance. With the NIS Directive looming, proven anti-phishing measures take on added urgency. Also consider statistics from Mandiant’s 2017 M-Trends report, which found that it takes the average global organization approximately 99 days to realise a breach has occurred. Months later, once the breach has been contained, the average total cost to the business will have risen to $4 million. When employees of essential services act like a robust defence mechanism instead of a vulnerable point of entry, we are all safer.