A blueprint for SaaS data security

How to get the whole organisation to care about data security

Some staff may feel hindered or disconnected from security departments. Perceptions need to change, and security leaders have a major role to play in fixing this image problem

With supply chain attacks on the increase, phishing becoming more sophisticated, and the attack surface of any given organisation drastically increasing in the hybrid work era, perhaps it’s little surprise that the phrase, ‘people are the weakest link’, has gained ground and become oft-repeated. But that doesn’t mean it’s a particularly helpful one. 

Presumably, this is borne from the frustration of security teams – that their warnings are unheeded, that they may be siloed from the rest of the organisation, or not taken as seriously as they should be. It’s an understandable frustration; attackers are aware of these points too, and that’s why they often target employees from outside of security teams to gain access into organisations. 

There’s some truth at the root of the phrase, but it’s also emblematic of an image problem in the cybersecurity world. If human folly is indeed the main cause of cyber incidents, then guardrails need to be designed and built around that, rather than making people feel bad for being people. After all, not everyone can be a security expert, nor should anyone expect them to be.

According to a recent Thales study, the Consumer Digital Trust Index, which surveyed 21,000 people worldwide, of those that were victims of a data breach – about a third of respondents – a staggering 82% noted a lasting negative impact on their lives. What’s more, a quarter of consumers completely stopped using a company that suffered a data breach. 

Clearly, awareness around cyber and data security is higher than it may have been in years past, but this does not translate into the workplace. A third of British workers are unaware of any cybersecurity policies created by their employers, and 45% are entirely unbothered by the impact of cybersecurity, according to a March 2022 survey by Superscript. Just what is stopping people from carrying their understanding of data security into the workplace and adjusting their behaviour accordingly?

Cybersecurity leaders need to implement policies and procedures from an IT and security perspective, but equally, those that are handling data in any capacity and have access to company networks also must be made aware of those policies, says Sarah Pearce, a partner at law firm Hunton Andrews Kurth. 

[Chart: Top 3 causes of data loss and corruption in those unaware of their organisation’s responsibility for SaaS backup]

To do this effectively, though, training sessions need to be adapted to the everyday experiences of employees in other departments, Pearce says. A one-size-fits-all approach won’t work and will appear more like lip service or corporate box-ticking than adding any real training value. 

“It comes down to how it’s conveyed, so you’re not just reading a procedure or policy that may seem alien to those in the HR department, for example. What you do is tailor it to that particular team you’re delivering the training to, and providing real, practical examples of how it relates to them,” Pearce says. “Then it brings it down to real-life scenarios they can get on board with.”

But another major part of the issue could be that cybersecurity has an image problem, says Lianne Potter, a ‘cyber anthropologist’ and head of security operations at ASDA.

“I definitely think cybersecurity has a PR problem,” Potter says. “We go into organisations and I hear the same things when I interview people: we’re described as the ‘Pope of Nope’, the people that put the ‘no’ in innovation, the Department of Work Prevention, things like that – time and time again.”

Think of cybersecurity from a business perspective, Potter says: why would anyone engage with a team they feel is going to hinder progress? 

A potential solution lies in security leaders re-framing the concept of cybersecurity and packaging strong internal security culture as a feature, rather than a barrier to be overcome. This allows teams to integrate security into their work and be proud of what it stands for.

Security teams and product owners must not feel like they’re battling one another. Security leaders should try to put themselves in the shoes of developers and understand their concerns, e.g. that they face time constraints and work in high-pressure environments, often with agile methodologies. Product teams should be met with an approach that speaks to them, and security should be packaged as part of the overall value and quality that the wider business is trying to deliver.

“If you take it in a different way and say, ‘I'm not going to write buggy code that ruins the user experience, because people will stop using the app or complain’, security should be framed in the same sort of way,” says Potter. “Good security is part of our quality and value offering, because we really care about the business, and it's not just lip service but actually embedded in all our practices.”

Shifting mindsets in this way – and making data security more palatable to business interests in general – will have the added effect of affording security more time, resources, and perhaps even more widespread buy-in from stakeholders across the business.

Security leaders, adds Carsten Maple, professor of cyber systems engineering at the University of Warwick, may occasionally be suffering from a perceived lack of empathy among the rest of the workforce. They might not understand the issues security teams face, and view them as enforcers rather than colleagues on a level footing. 

“People can feel they’re restricted from doing something without good reason,” Maple says, adding that it can be all the more galling when their reason for doing it – like taking work home on a USB drive – isn’t for their own enjoyment, but for the good of the business.

“Security shouldn’t be seen as a policing role, but as a supportive role,” Maple says. “The example we use sometimes is seatbelts: they may be a little bit less comfortable, but they enable you to go faster. Cybersecurity should enable you to do more, not less.”

Something phishy: the biggest data threats right now

Phishing is a constant threat to company data, but what forms of attack should firms be most concerned about?

Phishing emails from a public email domain or packed with poor spelling and grammar are pretty easy to spot. And while email phishing is still a serious cybersecurity threat, more sophisticated examples are often caught by intelligent email protection tools. Unfortunately, cybercriminals are also well aware of this – which is why they’re constantly devising new ways to catch people out.

“Malware phishes do of course still exist, but the continuing dominance of cloud services makes credential phishing the considerably easier approach, redirecting the victim to a fake login page to capture their login details,” says Mike McGrath, principal penetration tester at cybersecurity consultancy Bridewell.

Email protection tools can scan the destination of a URL before allowing the user access, but they often focus on known malicious landing pages. “If the attacker has customised the target page in great depth or utilises common redirection techniques, the page can often get past URL filters before being flagged as suspicious and rendered useless,” McGrath explains. 

Such attacks are on the rise, along with almost every other kind of phishing. The Anti-Phishing Working Group’s (APWG) latest Phishing Activity Trends Report found that in the first quarter of 2022 there were a total of 1,025,968 phishing attacks — the worst quarter for phishing that the APWG has observed to date.

“Most dangerous of all is 'spear-phishing' – a common technique used by criminals to attack SaaS platforms,” says Mark Stollery, managing consultant in enterprise and cybersecurity, UK & Ireland, at Fujitsu. “This is a highly personalised approach to named individuals, minimising the likelihood of them suspecting malware in a message.”

Victims are often targeted through messenger apps or social media channels, which are also used to glean information on them. “Often these channels are not monitored by organisations,” says Javvad Malik, lead security awareness advocate at KnowBe4, a security platform for security awareness training and simulated phishing attacks. He adds that as messages can be read on both personal and corporate devices, it makes these channels “even more dangerous”.

While multi-factor authentication (MFA) has undoubtedly helped to protect employees’ login details, it has also been co-opted by cybercriminals. MFA fatigue attacks see victims bombarded with push notifications until, worn down or confused, they approve a login attempt that the attacker initiated – an approach that recently caught out an Uber contractor.

Once the attacker was logged into the contractor’s account, they were able to access several other employee accounts and gain elevated permissions to tools including G-Suite and Slack. “This type of attack has been proven to be very successful, with Microsoft also falling victim to it,” says Hilmi Tin, penetration tester at IT Governance Ltd, a cybersecurity risk management solutions provider.
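As an added illustration (not from the article or any of the organisations quoted in it), the following detector flags the push-bombing pattern described above in constructed identity-provider log lines: many MFA push prompts for one user inside a short window, most of them rejected or ignored, followed by an approval. The JSON log shape, field names, window and threshold are all assumptions.

```python
"""Flag MFA push-bombing ('MFA fatigue') in identity-provider logs.

Added example, not from the article. The JSON log shape, field names
and thresholds are assumptions; the events below are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 'alice' is bombarded with seven push prompts in
# a few minutes from one address, rejects or ignores six, then approves one.
# 'bob' shows a benign pattern (one accidental deny, then approve).
SAMPLE_LOG = """
{"ts": "2022-09-15T22:01:05Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2022-09-15T22:01:40Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2022-09-15T22:02:20Z", "user": "alice", "event": "mfa_push", "result": "timeout", "src": "203.0.113.7"}
{"ts": "2022-09-15T09:15:00Z", "user": "bob", "event": "mfa_push", "result": "denied", "src": "198.51.100.20"}
{"ts": "2022-09-15T09:15:30Z", "user": "bob", "event": "mfa_push", "result": "approved", "src": "198.51.100.20"}
{"ts": "2022-09-15T22:03:02Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2022-09-15T22:03:45Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2022-09-15T22:04:30Z", "user": "alice", "event": "mfa_push", "result": "timeout", "src": "203.0.113.7"}
{"ts": "2022-09-15T22:05:10Z", "user": "alice", "event": "mfa_push", "result": "approved", "src": "203.0.113.7"}
{"ts": "2022-09-15T22:05:12Z", "user": "alice", "event": "login", "result": "success", "src": "203.0.113.7"}
"""

WINDOW = timedelta(minutes=10)    # sliding window per user (assumed)
THRESHOLD = 5                     # prompts inside the window that raise an alert
REJECTED = ("denied", "timeout")  # results that count as the user not approving


def parse_events(text):
    """Parse one JSON object per line and return the events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: summary} for users whose push prompts exceed the threshold.

    The summary records the largest burst seen, how many prompts in it were
    rejected, whether an approval followed a run of rejections (the case in
    which the attacker has succeeded), and the source addresses involved.
    """
    recent = defaultdict(deque)  # per-user prompts currently inside the window
    alerts = {}
    for ev in events:
        if ev["event"] != "mfa_push":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        rejected = [e for e in q if e["result"] in REJECTED]
        approved = [e for e in q if e["result"] == "approved"]
        summary = alerts.setdefault(ev["user"], {
            "prompts": 0, "rejected": 0,
            "approved_after_rejections": False, "sources": set()})
        summary["prompts"] = max(summary["prompts"], len(q))
        summary["rejected"] = max(summary["rejected"], len(rejected))
        if approved and rejected and approved[-1]["ts"] > rejected[-1]["ts"]:
            summary["approved_after_rejections"] = True
        summary["sources"].update(e["src"] for e in q)
    return alerts


if __name__ == "__main__":
    for user, s in detect_push_bombing(parse_events(SAMPLE_LOG)).items():
        verdict = "APPROVED after rejections" if s["approved_after_rejections"] else "no approval yet"
        print(f"{user}: {s['prompts']} prompts / {s['rejected']} rejected, {verdict}, from {sorted(s['sources'])}")
```

In production the same logic would run over the identity provider's real sign-in and MFA event feed, and an alert where an approval follows a burst of rejections from a single unfamiliar address is the one to treat as a probable compromise rather than user error.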

Voice phishing, or ‘vishing’, is increasingly used to elicit login credentials or other personal information from targets too. “The obvious attacks are the spoof IT help desk… calling the target claiming to be the help desk from the company,” says Rob Floodeen, vice president of consulting at cloud incident response company Mitiga. “The not-so-obvious is an attacker calling a company help desk during an attack in order to elevate privileges or assist in some lateral movement.”

Cybercriminals have also begun using malicious applications that ask users to grant access to the data of other trusted applications – a form of attack known as consent phishing. Fraudulent SMS attacks – known as ‘smishing’ – are on the rise as well. And cybercriminals are increasingly exploiting trusted relationships across the supply chain.

“Attackers are leveraging compromised supplier accounts and using supplier impersonation to send malware, steal credentials, and perpetrate invoicing fraud,” says Adenike Cosgrove, vice president of cybersecurity strategy, EMEA, at enterprise security firm Proofpoint.

Different forms of phishing are often used in conjunction, which can help to make a scam seem more convincing. “In isolation, you might dismiss the scam for what it is,” says Bart van Moorsel, cybersecurity solution design specialist for EMEA at TD Synnex, an IT distributor and solutions aggregator, “but the combination plays on our human desire to trust and the natural instinct to panic or be defensive, thus making it more likely people will be duped, especially if the threat actor adds a sense of urgency to their attack.”

[Chart: Percentage of employees who said they fell for a phishing attack at work in the last 12 months (yes / no or don’t know)]

For example, one recent business email compromise (BEC) campaign combined spear-phishing with adversary-in-the-middle (AiTM) tactics to hack corporate executives’ Microsoft 365 accounts. By accessing the accounts of high-ranking executives, the attackers hoped to respond to emails at just the right moment to divert a large business payment to their own bank accounts.

Even when organisations have tech to counteract such attacks, “it can become easy for people to become complacent and believe that the technology will take care of security for them,” says Malik. 

It’s therefore crucial that phishing and malware protection solutions and easy-to-use reporting mechanisms go hand-in-hand with regular, comprehensive and engaging employee training. In fact, as Stollery says: “Humans can be your greatest weakness against malware, but – if properly trained – they can also be your strongest defence.”

The psychology of phishing

Our propensity to trust – which is hard-wired into our DNA – is manipulated by cybercriminals during phishing attacks. But how exactly do they do it?

Although you might assume that trust must be based on a meaningful relationship, this is not strictly true. “The reality is that in a large business, people know about 20 people,” says Richard De Vere, founder of The AntiSocial Engineer and head of social engineering at Ultima. “They will selfishly remember the people that serve them and assist them in their role. For other people, they default to autopilot – when somebody is polite and business-like, they will blend in.”

Cybercriminals are masters at creating a sense of urgency, concern or panic, tapping into our ‘monkey mind’ to stop us from critically assessing a message. In today’s world of hybrid and remote working and reduced face-to-face contact, it is also all too easy to assume someone ‘new’ to the organisation is who they say they are. 

“Even if you now regularly interact via video call, it is harder to read body language and verify a person’s identity from sight alone,” says Mr De Vere. “Criminals exploit these gaps and uncertainties.”

How secure is SaaS data?

Organisations seem ill-equipped with the knowledge and capabilities to ensure their data is safe in the cloud

[Infographic: the charts are not reproduced here; their captions follow.]

In 2021, over 75% of organisations had experienced a data incident within their SaaS CRM application in the last year (chart: when was the last time your organisation encountered a data loss or corruption incident within your SaaS CRM application?)

Many of these organisations assume that the provider is responsible for protecting and backing up their data (charts: in the event of a data loss or corruption incident within your SaaS CRM application, who do you believe is responsible for protecting the data and ensuring data recovery?; to what extent do you agree with the statement “Data stored in the cloud is automatically backed up” regarding your SaaS CRM application?)

With this assumption, a lot of organisations are not doing anything to take responsibility for their SaaS data (chart: percentage of organisations who solely rely on the SaaS vendor to protect SaaS-resident application data)

This is especially concerning, given how reliant organisations are on SaaS services (chart: how many SaaS apps does your organisation use?)

However, most organisations are aware of the importance of boosting their data security capabilities (chart: the extent to which organisations agree with the following statements)

Given that cloud is the second most common point of entry, organisations have reason to be concerned about tightening up security (chart: most common cyber attack entry points among European and US companies, 2021)

Commercial feature

Building a SaaS security strategy based on shared responsibility

Many organisations believe their SaaS vendor automatically backs up all of their data, but this misconception can put mission critical data at risk

Data is the fuel that powers the SaaS applications companies rely upon. In fact, if large amounts of customer contact details or transaction records suddenly disappeared from the cloud, these companies wouldn’t be able to operate properly. But despite this, many of them are putting their mission critical data at risk – and they may not even realise it.

According to research commissioned by OwnBackup, 40% of organisations assume it is their cloud provider’s responsibility to back up their data and ensure its recovery. But they’re wrong.

Under the shared responsibility model used by the majority of SaaS vendors, including Salesforce, the SaaS provider secures the cloud infrastructure but the client secures their data. Or to put it another way, the SaaS vendor is responsible for the security of the cloud, but customers are responsible for security in the cloud.

SaaS vendors are upfront about this. Most advise customers that require more comprehensive data security to use a third-party data backup and recovery specialist. According to The State of Salesforce 2022 report, 83% of Salesforce customers surveyed work with an external partner to manage their use of Salesforce products in some capacity. So what’s the cause of the confusion when it comes to data protection and security?

According to Vijay Ramakrishnan, director of product marketing at OwnBackup, “As people made the shift [to SaaS] there was relief about the removal of the burden to install, maintain, patch and upgrade software [and hardware]. People got caught up in the idea that everything was taken care of for them, and yet in the sense of security and data protection, it wasn’t. And this is part of the source of the misconception.”

Salesforce has also evolved significantly since its introduction, with different lines of business using it in many different ways. This, in turn, has created more complexity around the security and recoverability of data.

“Infosec (information security) and audit teams still believe Salesforce is just a CRM,” says Brian Olearczyk, head of security sales at OwnBackup. “They don't realise it may be their HR system, their loan origination system, or a system used to capture critically sensitive personal health information. This lack of understanding, and the reality that Salesforce captures more and more sensitive data, is a reason it isn't managed like other mission critical systems, but really should be. The pendulum is shifting as their level of understanding increases.”

Indeed, there is a lack of understanding of how security controls really operate in this extended environment. “How are you providing users access to Salesforce? How are you providing users access within Salesforce to certain pieces of information? How are you encrypting data? How are you supporting backing up that data off cloud so you can recover it? This is all the customer’s responsibility. But because infosec and audit haven’t really been focusing on Salesforce, they've not been asking good questions.”

A single SaaS application offers countless opportunities for mistakes and oversights that could lead to the loss of valuable data. Perhaps unsurprisingly, cyberattacks and human error were the most common causes of data loss reported by respondents to OwnBackup’s recent survey, followed by unanticipated consequences resulting from integrating different applications. The cost to the business tends to multiply the longer this data is AWOL, and, worryingly, the loss may go unnoticed for days or even weeks.

Even when the missing data is acknowledged, it can take an agonising amount of time to restore. In fact, fewer than 50% of respondents to OwnBackup’s survey were able to recover their data in less than six hours; many took days or even weeks to get the job done.

Most organisations are also unable to fully recover all of their lost or corrupted data after an incident. This can have serious implications for business continuity, customer service and revenue, as well as compliance with GDPR and other regulations. “They know something's missing,” says Olearczyk, “but they don't know exactly what in a lot of cases, and what you don't know is a risk.”

The permanent loss of even just a small percentage of data can be devastating. For example, a financial company experiencing a litigation event could get into serious trouble if it's unable to recover an important email from several years ago.

Nevertheless, many companies only learn what the shared responsibility model means – and the risk this lack of understanding can pose to their data – when they experience an incident. “The bad news is it [data loss] happens,” says Olearczyk. “The good news is they want to make sure it never happens again, and that's where conversations with OwnBackup tend to start.”

Organisations with third-party backup and recovery solutions are highly confident they can recover 100% of lost or corrupted data — and do it in a timeframe that won’t disrupt their business. Furthermore, 92% of respondents from organisations that have implemented third-party backup applications have reported considerable benefits or cost savings from these backup and recovery practices. 

Ultimately, comprehensive data protection “is something that customers need to be proactive about,” says Ramakrishnan, “otherwise they're going to be on the back foot when they’re dealing with an incident.”

To find out more, visit ownbackup.com

Why zero trust is a core pillar of SaaS security

Software-as-a-service can suffer from security blindspots and miss insider threats, so zero trust is essential to secure data in a SaaS-driven world

Very little in society can function without some degree of trust. In most walks of life, it’s unequivocally a good thing; a foundational glue to all of our relationships. But it’s also the most exploited human quality out there. No one’s more aware of this than cyber attackers, and so in cybersecurity, ‘zero trust’ is slowly becoming the default approach.

Zero trust is a set of cybersecurity principles that does what it says on the tin. Rather than the traditional perimeter defence kind of cybersecurity, which assumes an ‘edge’ to the network like an office building for a workplace, zero trust asserts that no one technology or person should be granted access to anything without being continuously authenticated and verified. Organisations are gradually realising the necessity of this approach, with 72% of respondents to Salesforce's Top Data Security Trends for 2022 report saying identity access management is a best practice.

As the business world has embraced everything ‘as-a-service’ over the years, the zero trust model has become more important than ever. While many software-as-a-service (SaaS) platforms do have security built into them, if an attacker gains access to them, there’s a treasure trove of data that can be stolen or repurposed. And security features in these platforms often aren’t designed to be the sole protection of an organisation’s data.

“Many modern, remote IT estates represent a diverse mix of SaaS products with little default visibility to the organisations using them,” warns Jeff Watkins, CPTO of web developer xDesign. “Until recently, SaaS was often commissioned with blind faith in its security, but without integration into a wider zero trust architecture, it’s another set of authentication – but one that’s actually outside of your control.”

That means that SaaS services can be more susceptible to outsider and insider threats, and because they’re centralised, they can be a tempting target for attackers: if a provider is compromised, customers can be too. Additionally, says Watkins, these products often have their logging and security information and event management out of reach by default, unless purposefully integrated through their APIs – meaning insider threats, whether intentional or not, could go undetected for longer.

This lack of monitoring can be a real issue. As both consumers and businesses are becoming less forgiving in the instance of enormous data breaches, sometimes putting organisations out of business, inaction is untenable.

John Linford, director at The Open Group, says that SaaS companies can sometimes focus too much on mitigating against external malicious actors, leaving a blind spot regarding internal threats. Linford suggests that the first order of business is for organisations to demand transparency and accountability from SaaS providers to help them better identify insider threats. The other important step is implementing zero trust architecture themselves. 

“It’s no longer feasible for an organisation to consider all elements of its service topology as trusted, especially when delivered by a third party,” Linford says. “Zero trust provides a solution, enforcing security policies regardless of location or application, thereby reducing the risk of insider threats and loss of sensitive data by focusing on securing the data itself.”

Organisations are paying attention to the need for zero trust, with adoption rising by over 500% in 2022 compared to 2019, according to a recent Okta study. But adoption is slow-moving, with only 36% of organisations currently having zero trust strategies in place. 

Businesses that are struggling to implement these policies could start, according to Watkins, with due diligence – by only choosing vendors that can seamlessly integrate into a zero trust architecture, with single sign-on and multi-factor authentication enabled by default. Roles, access rights and authentication methods should be defined upfront – and although this may take some effort, by enforcing them, organisations will gain a better understanding of their whole estate and the data that they’re trying to protect.

Meanwhile, organisations should make use of SaaS security posture management tools, which automate risk identification in SaaS applications. They should also put stringent data loss prevention programs in place and ensure that their security information and event management (SIEM) systems work with their whole stack, including SaaS. 

Even well-managed SIEM systems can struggle to provide an overview of what’s occurring at any given time, though, notes IEEE senior member and professor of cybersecurity at Ulster University, Kevin Curran. He suggests taking the approach one step further into SASE – short for secure access service edge, which is similar to zero trust in its focus on identity access management, but encompasses every element of the technology stack including cloud tools.

“SASE, with its foundation in the cloud, offers a holistic solution to provide a secure environment for these difficult times,” Curran says. “There are challenges when embedding SASE. It’s reliant on strong governance processes to secure an enterprise IT environment, and therein lies the challenge, as it requires enterprises to enforce new processes across the organisation, which is never easy. Employees also may not take kindly to the added burdens of accessing machines and the reduced access levels enforced by least privilege.”

It’s critical, then, to combine these approaches with a battle to change mindsets, especially among experienced staff who may be resistant to change. Security teams should do their best to ensure there’s no interruption in the day-to-day environment, says Curran, and CISOs, CIOs and senior management will need to be on board from the start to guide the organisation and ultimately ensure success.